Kenya: Office of the Data Protection Commissioner adopted guidance note on processing personal data by micro, small, and medium enterprises

On 6 November 2025, the Office of the Data Protection Commissioner (ODPC) adopted a guidance note on processing personal data by micro, small, and medium enterprises (MSMEs). The guidance note, prepared under the Data Protection Act, 2019, and its subsidiary regulations, aimed to simplify compliance obligations for MSMEs that often operate with limited financial and technical resources. It provided practical templates, checklists, and basic security recommendations to guide MSMEs in lawful data processing. The guidance note further encouraged the minimisation of data collection, implementation of proper storage and retention practices, and promotion of accountability measures. It also supported self-assessment procedures and preparedness for data breach response, ensuring MSMEs maintain proportionate safeguards consistent with statutory obligations.