The 10 Biggest Data Protection Mistakes Kenyan Organisations Keep Making

Collins Aluga

Lessons from Recent Decisions of the Office of the Data Protection Commissioner and the High Court

Over the past few years, Kenya has quietly entered a new era of privacy regulation. What began as a legislative experiment with the enactment of the Data Protection Act, 2019 is rapidly evolving into a robust compliance regime driven by regulatory enforcement and judicial oversight.

The Office of the Data Protection Commissioner (ODPC), which was established to oversee the implementation of the Act, has increasingly exercised its powers to investigate complaints, issue enforcement notices, and award compensation to aggrieved data subjects. Meanwhile, the High Court has begun to interpret and clarify various aspects of the law, shaping an emerging body of data protection jurisprudence.

A review of recent regulatory determinations and Court decisions reveals a striking pattern. Many organisations in Kenya, ranging from small businesses to established institutions, are still grappling with fundamental compliance failures when handling personal data. These mistakes are rarely the result of malicious intent. More often, they arise from outdated business practices, lack of awareness, or a failure to appreciate how deeply data protection law now permeates everyday commercial activity.

This article examines ten of the most common mistakes emerging from recent enforcement actions and explains why organisations must urgently rethink how they collect, process, and safeguard personal data.

The Foundation of the Law: Processing Without a Lawful Basis

Perhaps the most fundamental error organisations make is processing personal data without establishing a clear legal basis for doing so.

The Data Protection Act is explicit: personal data must only be processed where there is lawful justification. This may arise through consent, contractual necessity, legal obligation, public interest, or legitimate interests that do not override the rights of the data subject.

In practice, however, many organisations collect personal information simply because it is convenient or because it has always been done that way. Forms request identification documents without explaining why. Databases retain personal information long after the original transaction has been completed. Documents circulate internally with little regard for legal justification.

When disputes arise, organisations often struggle to explain the legal foundation for their actions. In the eyes of the law, that absence of justification can render the entire processing activity unlawful.

When Data Is Used Beyond Its Original Purpose

Closely related to the issue of lawful basis is the principle of purpose limitation.

Personal data must be collected for a specific, legitimate purpose and must not later be used for something incompatible with that purpose. Yet many enforcement cases reveal how easily organisations stray from this rule.

Consider the common scenario where a client submits documents for a narrow purpose—such as verification, printing, or administrative processing. If those documents later appear in unrelated contexts, are shared with third parties, or are uploaded to online platforms, the original purpose has been exceeded.

What begins as routine administrative handling can quickly transform into unlawful processing once the data is used for a new purpose without proper legal authority.

The Risks of Publishing Personal Information Online

In an era dominated by digital communication and social media, another recurring problem has emerged: the casual publication of personal data online.

Many individuals and organisations underestimate how serious this form of disclosure can be. Posting a document, image, or piece of personal information on a website or social media platform is not merely an act of communication; it is a form of data processing under the law.

Once information is placed online, it becomes accessible to an unpredictable and potentially global audience. The damage caused by such disclosure may be difficult to reverse, particularly when search engines or digital archives replicate the content.

The regulator has increasingly taken a firm stance on this issue, recognising that the permanence and reach of online publication significantly magnify the impact of privacy violations.

The Habit of Collecting Too Much Information

Another persistent mistake lies in the excessive collection of personal data.

Many organisations still operate under the assumption that gathering as much information as possible is beneficial. Identification documents, financial records, and transaction histories are often requested without careful consideration of necessity.

The Data Protection Act rejects this approach. Instead, it embraces the principle of data minimisation, which requires that only information strictly necessary for a specific purpose should be collected.

This principle reflects a broader philosophy within modern privacy law: organisations should not accumulate personal data simply because they can. Each piece of information collected must be justified by a legitimate operational need.

Resistance to the Right of Erasure

Among the most empowering provisions of the Data Protection Act is the right to erasure, sometimes referred to as the right to be forgotten.

This right allows individuals to request that their personal data be deleted when it is no longer necessary for the purpose for which it was collected. Yet organisations often resist or complicate such requests.

Some require excessive documentation before processing deletion requests. Others delay indefinitely or impose administrative hurdles that effectively discourage the exercise of the right.

Regulatory decisions increasingly indicate that such practices will not be tolerated. Where individuals legitimately request deletion, organisations must respond promptly and in good faith.

The Special Protection of Sensitive Personal Data

Not all personal information carries equal weight under the law. Certain categories, known as sensitive personal data, require heightened protection.

This category includes information relating to health, religious beliefs, family circumstances, biometric identifiers, and other deeply personal aspects of an individual’s life.

Handling such data demands stronger safeguards and greater caution. Even minor errors, such as sending sensitive records to the wrong recipient, may constitute a serious violation because of the potential harm to the affected individual.

The law recognises that some forms of information touch the very core of personal dignity and therefore deserve special protection.

Weak Security Practices

A large proportion of data protection breaches stem from poor internal systems rather than deliberate misconduct.

Shared computers may retain confidential files long after transactions are completed. Email accounts used for client communication may be accessible to multiple staff members. Internal databases may lack proper access controls.

The law requires organisations to implement technical and organisational measures designed to safeguard personal data. These measures must be appropriate to the risks involved and must ensure that data remains secure from unauthorised access or disclosure.

Failure to establish such safeguards often exposes organisations to liability even where the breach occurs unintentionally.

The Misconception That Data Protection Only Applies to Large Corporations

One of the most surprising developments in recent enforcement actions is the number of cases involving small businesses or individual service providers.

Many operators assume that data protection law targets large technology companies or financial institutions. In reality, the law applies to any person who processes personal data, regardless of organisational size.

Small businesses, such as printing shops, cybercafés, and service providers, frequently handle highly sensitive personal documents. Their role in processing such information brings them squarely within the scope of the Act.

Compliance is therefore not optional simply because an organisation operates on a small scale.

Ignoring Regulatory Investigations

When the regulator initiates an investigation, some organisations make the costly mistake of ignoring the process.

Failure to respond to regulatory notices or complaint notifications can significantly worsen an organisation’s position. The ODPC possesses statutory authority to issue enforcement orders and impose administrative penalties where violations occur.

Engagement with the investigative process is therefore essential. Organisations that cooperate early and transparently often place themselves in a far stronger position than those that remain silent.

The Growing Financial Consequences of Privacy Violations

Perhaps the most important lesson emerging from recent cases is that privacy violations now carry tangible financial consequences.

The regulator has begun awarding compensation to individuals whose data protection rights have been violated. These awards vary depending on the nature and severity of the breach, but they demonstrate a clear shift toward meaningful enforcement.

In addition to compensation, organisations may face enforcement notices, regulatory penalties, and reputational damage that extends far beyond the immediate financial cost.

Data protection is no longer a theoretical compliance requirement; it is a practical legal risk.

A New Compliance Landscape

Kenya’s data protection framework is entering a period of maturation. Through the combined efforts of the regulator and the Courts, a coherent body of jurisprudence is gradually taking shape.

Organisations that adapt to this environment will recognise that privacy protection is not merely a regulatory burden. Rather, it is a critical element of responsible governance and public trust.

Businesses that treat personal data with transparency, care, and accountability will not only avoid regulatory sanctions but also strengthen their credibility with customers, employees, and partners.

In a digital economy increasingly driven by information, respect for privacy may prove to be one of the most valuable assets an organisation can possess.