Kenya: Implemented Data Protection (General) Regulations including data protection regulation

On 14 February 2022, the Data Protection (General) Regulations, 2021 entered into force. Provisions include data subjects' rights to access, rectify, erase, and port their personal information, as well as the obligation of data controllers and processors to ensure the security and confidentiality of the data. Specific measures include data minimisation, accuracy checks, and storage limitations. Organisations are required to notify authorities and affected individuals of personal data breaches within defined timeframes. Additionally, they set conditions for the international transfer of personal data, including the use of adequacy decisions, binding corporate rules, or explicit consent from data subjects. Obligations on data controllers and processors may include conducting data protection impact assessments for high-risk processing activities and ensuring compliance with principles of integrity, confidentiality, and fairness. The regulations define exemptions for certain public interest or national security purposes and provide guidelines for automated decision-making and the handling of sensitive personal data.