MNW & Advocates LLP | Data Protection Practice | March 2026
There is a common assumption among small and medium enterprises in Kenya that data protection law is a concern for banks, hospitals, and multinationals — not for the hardware shop that keeps a customer contact list, the salon that stores client records on WhatsApp, or the accounting firm that emails payslips without encryption. That assumption is wrong, and it is becoming expensive.
The Law Applies to You
The Data Protection Act, No. 24 of 2019 applies to any person or entity that collects, stores, uses, or shares personal data — regardless of size, sector, or turnover. Personal data is broadly defined: it includes names, ID numbers, phone numbers, email addresses, location data, photographs, biometric data, and anything else that can identify a living individual. If your business touches any of that, the Act applies to you.
The Exemption Is Narrower Than You Think
The Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 provide one concession to small businesses: entities with an annual turnover below KES 5,000,000 and fewer than ten employees are exempt from mandatory registration with the ODPC. Both conditions must be satisfied simultaneously. Eleven categories of businesses — including financial service providers, property agents, schools, hospitality firms, transport operators, and any business running CCTV — must register regardless of size.
But even exempt entities are not off the hook. They remain bound by the Act’s core obligations: collecting data lawfully, keeping it secure, not sharing it without a legal basis, and honouring data subject rights such as the right of access and erasure.
What SMEs Are Getting Wrong
The most common compliance failures among small businesses are not dramatic data breaches. They are mundane and entirely avoidable:
1. Customer databases shared over unsecured WhatsApp groups
2. Employee payroll data emailed without encryption or password protection
3. CCTV footage retained indefinitely with no written policy
4. Third-party vendors (IT providers, cloud storage services, payroll bureaus) engaged without written Data Processing Agreements
5. No privacy notice on websites or at points of data collection
6. No process for responding to a customer who asks what data you hold about them
Each of these is a breach of the Act. Each exposes the business to an ODPC complaint, an enforcement notice, or a compensation claim by the affected individual under sections 65 and 72 of the Act.
The Cost of Doing Nothing
Section 73 of the Act provides for fines of up to KES 3,000,000 and imprisonment of up to ten years for operating without registration where it is required. ODPC enforcement is no longer theoretical — the office has been issuing compliance notices and conducting investigations across sectors. Beyond regulatory consequences, a data breach that becomes public can cause reputational damage that no SME can easily absorb.
What Compliance Actually Looks Like for an SME
The good news is that baseline compliance for a small business is neither complicated nor prohibitively expensive. It involves:
1. Knowing what personal data you collect and why
2. Having a simple, written privacy notice
3. Putting a basic data retention and deletion policy in place
4. Signing a Data Processing Agreement with any third party that handles your clients’ data
5. Checking whether you need to register with the ODPC — and if so, doing it (registration fees start at KES 4,000/-)
Data protection compliance is not a luxury reserved for large organisations. It is a legal baseline obligation, and the time to get it right is before the ODPC comes knocking.
MNW & Advocates LLP advises SMEs on ODPC registration, privacy policy drafting, Data Processing Agreements, and ODPC complaint representation. Contact us at mokua@mnwlaw.co.ke or +254 733 491 415.