Kenya: Office of the Data Protection Commissioner opened consultation on draft guidance note on processing personal data by micro, small, and medium enterprise

On 16 May 2025, the Office of the Data Protection Commissioner (ODPC) opened a public consultation, until 30 May 2025, on the draft guidance note on processing personal data by micro, small, and medium enterprises (MSMEs). The draft guidance, issued under the Data Protection Act, 2019, and its subsidiary regulations, aims to simplify compliance obligations for MSMEs that often operate with limited financial and technical resources. It provides practical templates, checklists, and basic security recommendations to guide MSMEs in lawful data processing. The draft further encourages the minimisation of data collection, implementation of proper storage and retention practices, and promotion of accountability measures. It also supports self-assessment procedures and preparedness for data breach response, ensuring MSMEs maintain proportionate safeguards consistent with statutory obligations.