Muchangi Patrick is an Advocate of the High Court of Kenya advising boards, fintechs, and regulated businesses on data protection compliance, ODPC registration and enforcement, and privacy litigation — built on eight years of active courtroom practice.
About Counsel
Kenya's Data Protection Act, 2019 turned data handling into a legal exposure — not just an IT policy question.
Muchangi Patrick built his practice on eight years of civil and commercial litigation before the High Court, Environment and Land Court, and various tribunals — the kind of grounding that shapes how a compliance opinion is written, because it comes from someone who has also had to defend one in front of a judge.
That litigation background now anchors a focused data protection and compliance practice: registering controllers and processors with the Office of the Data Protection Commissioner, running data protection impact assessments, serving as outsourced Data Protection Officer for growing businesses, and representing clients in ODPC complaints and enforcement matters.
He also sits on the Law Society of Kenya's Public Interest Litigation Committee, where his work has touched directly on data and privacy rights — including litigation on the state's disclosure of children's records in the justice system, and public health and environmental litigation concerning GMO approvals.
Each engagement is scoped against a specific instrument — the Data Protection Act, its regulations, or the frameworks a cross-border client already answers to.
Registering data controllers and processors, responding to ODPC inquiries, and representing clients in complaints and enforcement proceedings.
Structured DPIAs for new products, AI tools, and data-heavy processes, before regulators or customers ask for one.
Acting as outsourced Data Protection Officer, or advising boards and executives on data governance and regulatory risk.
Transfer mechanisms and vendor contracts for businesses moving Kenyan personal data to processors abroad, mapped against GDPR-equivalent standards.
Breach notification to the ODPC and affected data subjects, and litigating unlawful processing or unauthorised disclosure claims.
Privacy policies, consent frameworks, and staff training built to be used, not filed away.
31 case law notes and 8 compliance briefs on the Data Protection Act, ODPC enforcement, and privacy litigation — published on an ongoing basis, and free to read or download in full.
The Data Protection Act, 2019 requires certain data controllers and processors to designate a DPO, generally where processing is carried out by a public body, involves large-scale regular monitoring, or involves large-scale processing of sensitive data. Many businesses outside that threshold appoint one anyway, since it centres accountability in one place.
Registration runs through the Office of the Data Protection Commissioner's registration portal, with tiers based on turnover, staff numbers, and the nature of processing. Getting the tier and processing description right the first time avoids delays and follow-up queries.
The DPA 2019 was modelled closely on the GDPR, sharing core concepts like lawful bases for processing, data subject rights, and cross-border transfer restrictions. The differences sit mostly in enforcement mechanics, registration requirements, and how the ODPC exercises its powers compared to EU supervisory authorities.
The ODPC can issue enforcement notices, investigate complaints, and impose penalties, and affected individuals can separately pursue claims for unlawful processing. In practice, most exposure comes from unresolved breach incidents or unregistered processing rather than any single clause — which is exactly what a compliance audit is meant to catch early.
Both. Startups usually need a lean compliance foundation built once and reused — registration, a real privacy policy, and a breach-response plan. Larger and regulated businesses tend to need ongoing DPO support, vendor reviews, and board-level reporting.
Tell me briefly what you handle — customer data, health records, employee data, cross-border transfers — and I'll tell you honestly where your exposure actually sits before we talk engagement.