Data protection and privacy remain a core operational and strategic imperative for how organisations conduct business, driven by increased regulatory enforcement, digitization, artificial intelligence integration, proactive "privacy by design" requirements, and exponential social media growth. The Data Protection Act, 2019 (the "DPA") and the regulations thereunder continue to impose significant obligations on organisations processing personal data of data subjects in Kenya. As we commemorate Data Privacy Day 2026, here are key themes businesses should prioritize in strengthening their data protection and privacy practices.
Consent remains a key lawful basis for processing personal data, though not the only one. Where organisations rely on consent, they must ensure it is express, unequivocal, freely given, specific and informed, evidenced by a clear affirmative action. Businesses should avoid bundling consent into non-negotiable terms or making service access conditional on consent to unnecessary processing. They should provide data subjects with a simple mechanism to withdraw consent and demonstrate when and how consent was obtained. Organisations should carefully assess when consent is appropriate versus when other bases (such as contractual necessity, legal obligation, or legitimate interests) are more suitable.
Data protection by design and default requires organisations to embed privacy considerations into systems, products, and processes from the outset, rather than treating compliance as an afterthought. The DPA and Regulations require data controllers and processors to implement appropriate technical and organizational measures ensuring, by default, that only necessary personal data is collected, used and retained. This involves assessing privacy implications when introducing new products, services or technologies; identifying foreseeable risks to personal data; maintaining appropriate safeguards; limiting access on a need-to-know basis; and adopting pseudonymization, encryption and strong access controls.
Images of individuals constitute personal data where a person is identified or identifiable, subject to DPA requirements. Where a business uses a person's image in brochures, websites, social media, or marketing materials, it must have a lawful basis. For commercial or direct marketing use, this typically requires express, specific and informed consent. The data controller must prove such consent was obtained. Organisations should clearly explain how images will be used and respect any objection or withdrawal. Failure to obtain valid consent for image use may constitute unlawful processing, exposing businesses to regulatory action and compensation claims.
Under the DPA and Regulations, using personal data to advance commercial interests—including sending promotional emails, SMS, or displaying targeted online adverts—constitutes commercial use and, where targeting specific individuals, direct marketing. Organisations may only use personal data for direct marketing where they collected it from the data subject, clearly notified that direct marketing was a collection purpose, and the data subject consented. Each communication must prominently indicate how to opt out using a simple, quick and free mechanism, and organisations must honor opt-out requests promptly. Persistent unsolicited direct marketing without valid consent, sender identification, and effective opt-out processes may constitute unlawful commercial use, exposing businesses to regulatory sanctions.
The DPA and Regulations allow personal data transfers outside Kenya only under strict conditions. Data controllers or processors must demonstrate appropriate safeguards for data security and protection; for sensitive personal data, they must obtain data subject consent and ODPC confirmation of safeguards. Transfers may also be justified where genuinely necessary for contract performance, public interest, legal claims, or vital interests, but these grounds must be carefully assessed and documented. Organisations should explain what data categories are exported, to which countries and recipients, for what purposes, and under what protections. Relying on consent alone or transferring sensitive data abroad without ODPC engagement is unlikely to meet Kenyan law requirements and may result in enforcement action.
Data protection and privacy continue to give data subjects greater control over their personal data, while creating complex compliance questions for organisations. The DPA and Regulations require businesses to think carefully about obtaining and relying on consent, embedding data protection by design, using images and personal data in marketing, handling sensitive personal data, and transferring information across borders. As technology, business models and regulatory expectations evolve, organisations must remain proactive, ensuring their practices are legally compliant and build trust with customers, employees, and stakeholders.