Does my business need to register with the ODPC?

Any organisation that processes personal data as a data controller or processor is required to register with the Office of the Data Protection Commissioner. The obligation covers Kenyan organisations and foreign organisations that process data about persons in Kenya.

What must a privacy policy contain under Kenyan law?

A compliant privacy notice must identify the data controller, describe the categories of data processed, state the purpose and legal basis for processing, explain data-subject rights, and provide data-retention and security information. We draft these to meet the Act's specific requirements.

What should we do if our business has suffered a data breach?

Contact us immediately. The DPA requires notification to the ODPC within 72 hours of becoming aware of a breach that poses a risk to individuals' rights. We advise on whether the obligation to notify applies, manage the notification, and represent the organisation in any subsequent investigation.

Can you draft the technology agreements for a software business?

Yes. We draft and review software licences, SaaS terms, API agreements, technology-services contracts, and the IP assignments and licences that technology products require — structured for enforceability under Kenyan law.

Transactional Practice

Technology & Data Privacy

Data Protection Act compliance, privacy advisory, technology agreements, and cyber-law matters for businesses.

Speak with a partner 0723 731 349

Framework: Data Protection Act 2019
Regulator: ODPC
Acting for: Businesses · Institutions · Start-ups

Overview

How we approach technology & data privacy.

Kenya's Data Protection Act 2019 created a comprehensive data-protection regime overseen by the Office of the Data Protection Commissioner, and compliance is now a genuine legal obligation for every business that processes personal data. The firm advises organisations on how to comply — from registration as a data controller or processor, through to privacy policies, data-processing agreements, and the response to a data breach.

Beyond data protection, the technology practice covers the agreements and structures that digital and technology businesses require: software licences, technology-services contracts, e-commerce terms, platform agreements, and the intellectual-property arrangements that digital products depend on. Where a technology matter becomes a dispute — a data breach, a software claim, a cyber-fraud — the firm brings its litigation capability to bear.

Services

What we cover in technology & data privacy.

Data Protection Compliance

Registration with the ODPC, data-protection audits, privacy notices, internal policies, and the compliance programme that the Data Protection Act requires.

Privacy Policies & Notices

Drafting and review of privacy policies, cookie notices, and the layered data-processing notices that organisations must provide to data subjects.

Data Processing Agreements

Drafting and negotiation of data-processing and data-sharing agreements — between controllers and processors, and between organisations that share personal data.

Data Breach Response

Advisory and representation in data breach incidents — breach notification to the ODPC, communication to affected individuals, and the regulatory investigation that a notified breach may trigger.

Technology Agreements

Software licences, technology-services contracts, SaaS agreements, e-commerce terms, and the platform agreements that technology businesses and their customers rely on.

Cyber-Law & Digital Disputes

Advisory on cybercrime under the Computer Misuse and Cybercrimes Act, cyber-fraud response, and litigation arising from digital transactions and online activity.

Approach

The way we run a technology & data privacy matter.

A four-step discipline applied to every brief, so the work is senior-led at the points where senior judgement matters, and moves predictably between them.

Data Mapping & Gap Analysis

The organisation's data flows are mapped; processing activities identified; a gap analysis against the DPA prepared with a prioritised compliance plan.

Documentation

Privacy policy, data processing register, consent mechanisms, and third-party data agreements drafted to meet the Act's requirements.

Registration & Submission

Registration as a data controller or processor with the ODPC completed, and any required impact assessments or prior-consultation submissions filed.

Ongoing Compliance

Annual review, training advisory, breach response support, and the day-to-day guidance that keeps the organisation compliant as its data activities evolve.

FAQs

Questions clients ask about technology & data privacy.

The ones we hear most often. For anything specific to your matter, a short call is usually the fastest way to an answer.

All firm FAQs →

Any organisation that processes personal data as a data controller or processor is required to register with the Office of the Data Protection Commissioner. The obligation covers Kenyan organisations and foreign organisations that process data about persons in Kenya.

Related Practice Areas

Adjacent counsel from the firm.

Intellectual Property & Rights

Trade mark and patent registration, copyright, licensing, and enforcement of intellectual property rights.

Commercial, Corporate & Business Law

Company formation, commercial agreements, governance, and the structures that businesses need to operate cleanly.

Labour Relations & Industrial Matters

Employment advisory, HR documentation, employer-employee disputes, and proceedings before the ELRC.

Technology & Data Privacy Counsel

Speak with a partner about your technology & data privacy matter.

We will tell you, plainly, whether we are the right firm, and how we would propose to handle it. The first call is confidential and at no charge.

Request a consultation All practice areas