Kenya: Office of the Data Protection Commissioner closed consultation on guidance note on processing personal data by micro, small, and medium enterprises

On 30 May 2025, the Office of the Data Protection Commissioner (ODPC) closed the public consultation, which had been open since 16 May 2025, on the draft guidance note on processing personal data by micro, small, and medium enterprises (MSMEs). The draft guidance, prepared under the Data Protection Act, 2019, and its subsidiary regulations, aimed to simplify compliance obligations for MSMEs that often operate with limited financial and technical resources. It provided practical templates, checklists, and basic security recommendations to guide MSMEs in lawful data processing. The draft further encouraged the minimisation of data collection, implementation of proper storage and retention practices, and promotion of accountability measures. It also supported self-assessment procedures and preparedness for data breach response, ensuring MSMEs maintain proportionate safeguards consistent with statutory obligations.