Verifisha
Guide

The Data Protection Act in Kenya: a business guide

Last updated 18 July 2026

Kenya's Data Protection Act governs how organisations collect, use and store people's personal data. If you verify customers, screen candidates or hold any personal information, it applies to you. This guide explains the essentials in plain English and how to keep verification consent-led and compliant. It is general information, not legal advice.

What the Data Protection Act is

The Data Protection Act is Kenya's main law on personal data. It sets out how personal data must be handled, gives individuals rights over their data, and is overseen by the Office of the Data Protection Commissioner (ODPC). It applies to organisations that decide how and why data is processed (data controllers) and those that process it on their behalf (data processors).

The core principles

  • Lawfulness, fairness and transparency — people should know what you do with their data.
  • Purpose limitation — collect data for a specific, stated reason.
  • Data minimisation — only collect what you actually need.
  • Accuracy — keep it correct and up to date.
  • Storage limitation — keep it no longer than necessary.
  • Integrity and confidentiality — keep it secure.

Rights of data subjects

  • To be informed about how their data is used.
  • To access the data held about them.
  • To correct inaccurate data.
  • To have data deleted in certain cases.
  • To object to or restrict certain processing.

How to handle personal data compliantly, step by step

  1. 1

    Map the data you hold

    List what personal data you collect, why, where it is stored and who can access it. You cannot protect what you have not mapped.

  2. 2

    Establish a lawful basis

    For each use of data, identify your lawful basis — often consent for verification and background checks. Be clear and specific about the purpose.

  3. 3

    Collect consent properly

    Where consent is your basis, make it clear, informed and freely given, and keep a record of it. Verifisha requests and stores consent before any check runs.

  4. 4

    Secure the data

    Apply encryption, access controls and good hygiene so only the right people can see personal data.

  5. 5

    Honour data-subject rights

    Have a way to respond when someone asks to access, correct or delete their data within the timelines the law expects.

  6. 6

    Keep records and an audit trail

    Document your processing and keep evidence of consent and decisions — it demonstrates accountability if you are ever asked.

Registration with the ODPC

Many data controllers and processors are required to register with the Office of the Data Protection Commissioner, depending on their size and the nature of their processing. Whether and how you must register — and any fees — are set by the ODPC and change over time, so confirm your obligations directly with the ODPC.

Penalties for getting it wrong

The Act provides for penalties for non-compliance, and beyond fines there is reputational and trust damage. The exact figures and enforcement approach are set by law and the regulator, so treat compliance as ongoing rather than a one-off.

Data protection and background checks

Verification and background checks involve personal data, so they sit squarely within the Act. The safe way to run them is consent-led: get the person’s approval, only run what the decision needs, keep the evidence secure, and store proof of consent. That is exactly how Verifisha is built.

This guide is general information, not legal advice. The Data Protection Act, registration requirements, fees and penalties are set by law and the Office of the Data Protection Commissioner and change over time. Confirm your obligations with the ODPC or a qualified adviser before relying on this guide.

Verifying someone else?

Verifisha brings identity, business, CRB, AML and reference checks together — with consent built in — so you get the full picture in one place.

No subscription · pay per check · consent-led & ODPC-aligned

For individuals & job seekers

Or get verified yourself

It is not only for checking other people — verify your own identity and build a vetted, shareable trust profile you can send to employers, landlords or partners. Get verified once and reuse it everywhere, with consent.

FAQ

Frequently asked questions

What is the Data Protection Act in Kenya?

It is Kenya's law governing how personal data is collected, used and stored, overseen by the Office of the Data Protection Commissioner (ODPC). It sets principles for handling data and gives individuals rights over their own information.

Do I need to register with the ODPC?

Many data controllers and processors must register, depending on their size and processing activities. The current requirements and any fees are set by the ODPC, so confirm your specific obligation with them.

Is consent always required to process personal data?

Not always — the Act recognises several lawful bases — but for verification and background checks, consent is usually the cleanest and safest basis. Whatever the basis, be transparent and keep records.

Does the Data Protection Act apply to background checks?

Yes. Background checks involve personal data, so they must follow the Act — which is why consent-led verification with stored proof of consent, like Verifisha’s, matters.

For teams and individuals

Verify anyone — or get verified yourself.

Run consent-led KYC, KYB, AML, CRB and background checks in one place — or build your own verified, shareable trust profile for jobs, rentals and deals. Trust made simple, for Kenya and Africa.

Start verifying with consent today

Create free account