Kenya: Data Protection (Registration of Data Controllers and Data Processors) Regulations entered into force

On 14 July 2022, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021 entered into force. The regulations establish the procedure for registering data controllers and data processors in accordance with the Data Protection Act (No. 24 of 2019). The regulations detail the requirements for registration, the application submission process, and the issuance of registration certificates. The regulations classify data controllers and processors into categories, including micro, medium, and large entities, and provide exemptions for those with limited annual turnover or a small workforce. They also specify the fees for registration and renewal, procedures for updating registration details, and penalties for non-compliance. Furthermore, the regulations establish mandatory registration criteria for data controllers and processors engaged in activities such as political canvassing, gambling, financial services, telecommunications, direct marketing, transport services (including online ride-hailing), and businesses processing genetic data. Entities involved in these activities must register as either data controllers or data processors as required.