You Collected the Data. Now What? A Guide to Data Protection Compliance in Kenya

Collecting Personal Data is easy. Compliance isn’t

A few months ago, a small but fast-growing travel business called me in a panic. One of their customers, a foreign client who had booked a luxury trip through their platform, had filed a complaint with the ODPC. Why? She’d received a marketing email weeks after her trip ended and couldn’t recall ever giving permission.

The company thought it was harmless; she had shared her email during booking, after all. But they had no signed consent form. No opt-in record. And their privacy policy? A generic template copied from a U.S. website that hadn’t been updated in years.


Now they were being asked to explain, in writing, how they collected, stored and used personal data. They had no idea where to start.

That’s when it hit them. They hadn’t broken into someone’s account, leaked sensitive information or lost files. But they had no proof of consent, no documented process and no one responsible for data protection.

That was enough to put their business and reputation at risk.

1. The Moment You Collect Personal Data, You Take On Legal Risk

That client’s case was a wake-up call for the entire team.

They had assumed that because the customer had entered her name and email to make a booking, they were free to use it for anything: follow-ups, newsletters, future promotions. But under Kenya’s Data Protection Act, 2019, that is not how it works.


The moment they collected that email, they became a data controller. That comes with legal responsibilities, including:

i. Declaring why they’re collecting the data;

ii. Getting clear, informed consent for specific marketing use;

iii. Keeping the data safe;

iv. Making sure it’s not used for anything beyond its original purpose.

It doesn’t matter if you are a large bank, a two-person marketing agency or a tour company: the law applies the same. Once you collect, store or process someone’s personal data, be it a phone number, ID number, email or travel history, you’re accountable.

The travel company hadn’t meant to misuse the data. But intent doesn’t matter. What matters is what the law expects and whether you can prove you complied.

In their case, they couldn’t. No proper policy. No audit trail. No assigned data protection contact. And that’s what triggered a regulatory response: not malice, just lack of structure.

2. Consent Is Not Always Required — But When It Is, It Must Be Clear and Purpose-Specific

When the ODPC contacted the travel company, their immediate defence was,

“She gave us her email, we didn’t do anything wrong.”

And in part, that was true.

Collecting the customer’s personal data, including her name, email and travel details, was lawful under the performance-of-a-contract basis. She was booking a trip. The business needed her information to arrange accommodation, process payment and deliver the service. Consent wasn’t required for that; the contract justified it.

But the issue wasn’t about the trip. It was about what they did months later.

After the trip, they used the same email to send a marketing offer for a new destination. That’s when the complaint landed. And that’s where their legal footing fell apart.

Under Kenya’s Data Protection Act, each use of personal data must have a lawful basis. Just because you lawfully collected data for one purpose (contract delivery) doesn’t mean you can automatically reuse it for another (marketing).

Marketing requires valid consent. That means:

i. Consent must be informed, freely given, specific and unambiguous.

ii. The individual must have had a real choice to say yes or no.

iii. There must be a record showing how and when they consented and what exactly they consented to.


In this case, the business had no opt-in for marketing. No consent banner. No sign-up checkbox. Just a recycled email address from a past booking. That’s what made their marketing campaign a breach of the Act.

This is where many businesses go wrong. They collect data lawfully but then reuse it for a new purpose without reassessing the legal basis.

Consent isn’t needed for everything, but when it is, it must be clearly requested, clearly recorded and clearly limited to that purpose.

In Kenya, there are several lawful grounds for processing personal data, including:

i. Consent;

ii. Performance of a contract;

iii. Legal obligation;

iv. Vital interest;

v. Public interest;

vi. Legitimate interest, where appropriately assessed.
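The two rules above, a lawful basis for every purpose and a specific, dated, evidenced consent record for marketing, are easy to state and easy to break in software, because a mailing tool typically sees only an address, not why it was collected. The following is an added example, written for this article and not code from the travel business or any product it used: a small consent ledger plus a gate that every send has to pass. The purpose keys, the basis names and the sample subject, timestamps and evidence references are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Assumed mapping of processing purposes to lawful bases for a travel business.
# The purpose keys and basis names are illustrative, not taken from the Act.
LAWFUL_BASIS = {
    "booking:fulfilment": "contract",
    "booking:payment": "contract",
    "tax:records": "legal_obligation",
    "marketing:newsletter": "consent",
}


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event: who, what exactly, when, how, and where the proof lives."""
    subject: str                  # data subject identifier, e.g. the email address
    purpose: str                  # the specific purpose consented to, never a blanket "*"
    given_at: datetime            # when consent was given (timezone-aware)
    method: str                   # how it was obtained, e.g. an unticked checkbox
    evidence: str                 # pointer to the proof: form submission id, log reference
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only store of consent records with withdrawal tracking."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        # Refuse vague consent: it must name a purpose the business has documented.
        if rec.purpose not in LAWFUL_BASIS:
            raise ValueError(f"undocumented purpose {rec.purpose!r}")
        if rec.given_at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._records.append(rec)

    def withdraw(self, subject: str, purpose: str, at: datetime) -> int:
        """Mark every live consent for (subject, purpose) as withdrawn; return how many."""
        count = 0
        for i, rec in enumerate(self._records):
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                self._records[i] = replace(rec, withdrawn_at=at)
                count += 1
        return count

    def has_valid_consent(self, subject: str, purpose: str, at: datetime) -> bool:
        """True if a consent for exactly this purpose was live at time `at`."""
        for rec in self._records:
            if rec.subject != subject or rec.purpose != purpose:
                continue
            if rec.given_at > at:
                continue  # consent obtained after the send does not cover it
            if rec.withdrawn_at is not None and rec.withdrawn_at <= at:
                continue  # already opted out at the time of processing
            return True
        return False


def may_process(ledger: ConsentLedger, subject: str, purpose: str, at: datetime) -> tuple[bool, str]:
    """Gate every use of personal data on a documented lawful basis for that purpose."""
    basis = LAWFUL_BASIS.get(purpose)
    if basis is None:
        return False, f"no documented lawful basis for {purpose!r}"
    if basis != "consent":
        return True, basis  # contract, legal obligation, etc. carry the purpose themselves
    if ledger.has_valid_consent(subject, purpose, at):
        return True, "consent"
    return False, "consent required but none on record for this purpose"


def demo() -> dict[str, bool]:
    """Replay the article's timeline with constructed sample data."""
    ledger = ConsentLedger()
    who = "traveller@example.com"  # constructed sample subject
    utc = timezone.utc
    booking = datetime(2024, 3, 1, tzinfo=utc)
    first_send = datetime(2024, 6, 1, tzinfo=utc)    # marketing email, no opt-in yet
    opt_in = datetime(2024, 7, 1, tzinfo=utc)
    second_send = datetime(2024, 7, 15, tzinfo=utc)
    opt_out = datetime(2024, 8, 1, tzinfo=utc)
    third_send = datetime(2024, 9, 1, tzinfo=utc)

    results: dict[str, bool] = {}
    results["booking_fulfilment"] = may_process(ledger, who, "booking:fulfilment", booking)[0]
    results["marketing_without_consent"] = may_process(ledger, who, "marketing:newsletter", first_send)[0]
    ledger.record(ConsentRecord(
        subject=who, purpose="marketing:newsletter", given_at=opt_in,
        method="unticked newsletter checkbox on account page",   # constructed
        evidence="form-submission:7f3a91 (constructed reference)",
    ))
    results["marketing_with_consent"] = may_process(ledger, who, "marketing:newsletter", second_send)[0]
    # A later opt-in does not retroactively cover the earlier send.
    results["earlier_send_still_uncovered"] = may_process(ledger, who, "marketing:newsletter", first_send)[0]
    ledger.withdraw(who, "marketing:newsletter", opt_out)
    results["marketing_after_opt_out"] = may_process(ledger, who, "marketing:newsletter", third_send)[0]
    results["undocumented_purpose"] = may_process(ledger, who, "analytics:profiling", third_send)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:32s} {'allowed' if allowed else 'refused'}")
```

The design point is that the gate is keyed on purpose, not on possession of the address: the booking goes through on the contract basis, the first marketing send is refused because no consent exists for that specific purpose, a consent recorded later does not retroactively cover it, and an opt-out stops further sends from that moment on. The `method` and `evidence` fields are what you would hand to the regulator when asked how and when consent was obtained.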

3. Behind the Scenes: What Your Privacy Policy Should Actually Cover

After we walked the travel company through the consent issue, we turned to their privacy policy. They had one buried in the footer of their website. It was over 1,500 words long, full of vague terms and borrowed phrases from a U.S. SaaS platform. It talked about “cookies,” “data processors,” and “California residents.” Nowhere did it mention Kenya’s Data Protection Act, their actual data flows or what customers could realistically expect.

The truth is, most businesses don’t write privacy policies for people; they write them to tick a box. But under Kenyan law, a privacy notice is not a formality. It’s a legal requirement and it needs to reflect how you actually handle data in real life.


Here are some key things a privacy policy should clearly cover:

i. What personal data you collect (e.g. names, contact info, travel history, ID numbers)

ii. Why you’re collecting it (e.g. booking trips, sending confirmations, marketing, if applicable)

iii. Your legal basis for each purpose (contract, consent, legal obligation, etc.)

iv. Who you share it with (e.g. hotels, payment processors, delivery services)

v. Where the data is stored and for how long

vi. How individuals can access, correct or delete their data

vii. Whether any data is transferred outside Kenya and under what safeguards

The travel business hadn’t covered any of these in clear, actionable terms. That disconnect between paper and practice became the core of their legal exposure.

In short, if your privacy policy doesn’t mirror your operations, it can become evidence against you. It’s not about sounding legal. It’s about being honest, structured and aligned with your real-world processes.

4. Fixing It: What Practical Compliance Looks Like Today

Once the panic subsided, the travel business did the smart thing: they stopped guessing and started documenting. We didn’t begin with policy templates or tech tools. We started with a single question:

“What data do you collect and what do you actually do with it?”

That’s where real compliance begins: not in legal jargon but in tracing real business processes.


Here’s what practical compliance looked like for them and what it should look like for most Kenyan businesses today.

I. A Data Map

They listed every point where personal data entered their system, from booking forms to WhatsApp confirmations. Then, they tracked who had access to it, where it was stored, how long it was kept and whether it was shared.

That alone revealed two critical gaps: an old backup email account holding thousands of unencrypted client records, and a hotel partner they’d been forwarding customer IDs to without any formal agreement.

II. A Clean, Real-World Privacy Policy

We restructured their privacy policy to:

i. Reflect Kenyan law, not a GDPR clone;

ii. Use plain language;

iii. Explain their actual data flows;

iv. Spell out individual rights, including how customers could opt out of marketing or request deletion.

III. Contracts with Third-Party Processors

The business relied on third-party service providers: hotels, payment platforms, SMS gateways. We helped them review or draft Data Processing Agreements (DPAs) with each one, to ensure data shared externally was still lawfully handled.

IV. Staff Awareness

The marketing team had been reusing email lists without thinking twice. Now they knew better. We ran a brief internal session so everyone, from sales to support, understood what data they handled and what the law expects of them.

V. A Compliance Contact

They appointed one internal team member, not a lawyer, to be the data lead: someone to track requests, monitor retention and coordinate updates.

They also registered as a data controller with the Office of the Data Protection Commissioner.


Compliance doesn’t mean perfection. It means structure, ownership and honesty. You don’t need a five-year policy framework to get started.

You need to know what data you hold, why you hold it and whether the person it belongs to would be surprised to find out.

If the answer is yes, that’s the place to start fixing.

The Bottom Line

Good data practices are about building a business that people can trust. A customer shouldn’t have to wonder what you’re doing with their information. A partner shouldn’t have to ask if your systems are secure. And your team shouldn’t be guessing what’s allowed.

When data is handled right, everything moves faster. Deals close, relationships deepen and risk stays manageable.

At Broline & Associates, we work with businesses that are ready to move from informal to intentional. Whether you’re refining a privacy policy, mapping your data flows or responding to a complaint, we help you do it with structure and calm.

Compliance is leverage.

Broline Ogombe
Founding Partner & Head of Strategy