Home / Blog / GRC & Compliance

How to Conduct a DPIA Under the Kenya Data Protection Act: A Practical Guide

How to Conduct a DPIA Under the Kenya Data Protection Act: A Practical Guide

The Office of the Data Protection Commissioner (ODPC) has already issued penalties running into millions of shillings against Kenyan businesses for processing violations. If your organisation handles biometric data, runs large-scale customer profiling, or deploys CCTV across public-facing branches, a Data Protection Impact Assessment (DPIA) under the Kenya Data Protection Act is not optional. It is a documented legal obligation under Section 31 of the Act and the Data Protection (General) Regulations, 2021.

A DPIA is a structured process to identify, assess, and mitigate privacy risks before you start a high-risk processing activity. Done properly, it protects data subjects, satisfies the regulator, and gives your board a defensible record of due diligence. Done as a checkbox exercise, it becomes the first document the ODPC asks for when a complaint lands.

When a DPIA Is Legally Required in Kenya

Not every processing activity triggers a DPIA. The Data Protection (General) Regulations, 2021 are specific. You must conduct one when processing is likely to result in high risk to the rights and freedoms of a data subject. Concretely, this includes:

  • Systematic and extensive profiling with legal or similarly significant effects (credit scoring, insurance underwriting, HR analytics)
  • Large-scale processing of sensitive data such as health records, biometrics, or genetic data — highly relevant to hospitals, SACCOs using fingerprint authentication, and fintechs running KYC
  • Systematic monitoring of publicly accessible areas including CCTV in malls, banks, and transport hubs
  • Processing involving children's data at scale
  • Cross-border transfers of personal data outside Kenya where safeguards are unclear
  • New technologies like AI-driven decisioning, facial recognition, or IoT deployments
If you cannot clearly answer "no" to all of the above, assume a DPIA is required and document your reasoning either way. The ODPC has been explicit that absence of documentation is itself a compliance failure.

The Six-Step DPIA Process That Actually Works

Most DPIA templates floating around online are adapted from the GDPR and miss Kenya-specific nuances. Here is a process aligned to the ODPC's expectations.

Step 1: Describe the Processing

Map the data flow end-to-end. What personal data is collected, from whom, for what purpose, using which systems, stored where, retained for how long, and shared with which third parties? Include cloud providers, offshore support teams, and marketing platforms. Vague descriptions here doom the entire assessment.

Step 2: Assess Necessity and Proportionality

Can you achieve the same business outcome with less data or a less intrusive method? A retailer wanting to reduce shrinkage does not automatically need facial recognition — behavioural analytics on anonymised footage may suffice. Document the alternatives you considered and why you rejected them.

Step 3: Identify and Assess Risks

List risks to data subjects, not just to the business. Think unauthorised access, discriminatory profiling, identity theft, reputational harm, and loss of control over personal data. Score each risk on likelihood and severity using a consistent matrix. SecureZaidi Risk Assessment Service

Step 4: Identify Mitigations

For every high or medium risk, define a specific control. Encryption at rest and in transit. Role-based access with quarterly reviews. Data minimisation at collection. Retention schedules with automated deletion. Vendor DPAs signed and filed. Vague mitigations like "strengthen security" will not survive regulator scrutiny.

Step 5: Consult Stakeholders

Engage your Data Protection Officer, legal, IT security, and — where feasible — representatives of affected data subjects. For high-residual-risk processing, Section 31(4) requires prior consultation with the Data Commissioner before proceeding.

Step 6: Document, Approve, and Review

The DPIA is a living document. Assign an owner, set a review cadence (annually at minimum, or on any material change), and get formal sign-off from the accountable executive. Store it where you can produce it within 24 hours of an ODPC request.

Common Mistakes Kenyan Businesses Make

  • Treating the DPIA as an IT exercise. It is a legal and business risk process. Legal, HR, and operations must be in the room.
  • Copy-pasting GDPR templates without adapting to Kenyan definitions, ODPC guidance, and local processing realities like M-Pesa integrations or Huduma Namba interfaces.
  • Skipping third-party risk. Your cloud provider, call centre outsourcer, and analytics vendor all extend your risk surface. Third-Party Vendor Risk Management Blog
  • No evidence of mitigation implementation. Writing "we will encrypt data" is not the same as showing encryption is enabled and tested.

Making the DPIA Part of Business-As-Usual

The organisations getting this right have embedded DPIAs into their project intake process. Before any new system, marketing campaign, or vendor engagement kicks off, a screening questionnaire determines whether a full DPIA is needed. This shifts privacy from reactive firefighting to proactive design — what the regulation calls data protection by design and by default.

SecureZaidi helps East African enterprises achieve and maintain compliance. Get in touch.