The Compliance Brief
Mauritius now requires DPOs to be certified. Nigeria requires them to earn 20 continuing-education points a year to keep their verification. Kenya's Data Protection Act 2019 doesn't require a DPO to have any qualification at all — or even to exist.
Across East and Southern Africa, the Data Protection Officer has quietly become the most consequential role in corporate compliance — the person who signs off on impact assessments, fields regulator queries, and stands between an organisation and an enforcement notice. Mauritius and Nigeria have both just moved to make sure that person is actually qualified to hold the job. Kenya, despite being an early mover on data protection legislation, has not. This piece sets out what changed in Mauritius and Nigeria, exactly where Kenya's Data Protection Act 2019 falls short by comparison, and what we think the Office of the Data Protection Commissioner (ODPC) should do about it.
Mauritius and Nigeria took different routes to the same destination: a DPO function that regulators can actually verify, not just a name on a website footer.
The Nigeria Data Protection Commission didn't just say DPOs should keep learning — it quantified exactly how much, and from where.
The remaining points can come from knowledge contribution (peer-reviewed articles, industry briefs, capped at 10 points) and professional engagement (speaking, conferences, technical working groups, mentorship, capped at 8 points). DPOs keep records — certificates, confirmation emails, PEER forms — and the Commission reviews compliance annually at revalidation.
Section 24 of the Data Protection Act 2019 defines what a DPO does. It says almost nothing about who is allowed to do it, whether they need to, or how anyone would know if they're any good at it.
Unlike Mauritius, which requires every controller to designate a DPO, Kenya leaves the decision optional — leaving organisations to decide for themselves whether the role exists at all.
The Act and its Regulations are silent on what a DPO needs to know, or how anyone would verify it. Nothing stops an unqualified employee from being named DPO purely to tick a compliance box.
There is no mechanism requiring a Kenyan DPO to keep their knowledge current, in a field — AI governance, cross-border transfer rules, breach notification practice — that changes every year.
Nigeria reviews and revalidates DPO status annually. Kenya has no equivalent system for checking whether a designated DPO still meets any particular standard, because no standard is set.
Kenya's Act offers some protection, but nothing as explicit as Mauritius's bar on dismissing, suspending or penalising a DPO for lawfully performing their duties.
Larger, more complex organisations are given no framework for how several DPOs should coordinate, or who the regulator and data subjects should treat as the primary contact.
Mauritius requires the DPO to report to the highest level of management, framing data protection as a governance matter. Kenya's framework doesn't say who the DPO answers to internally.
| Requirement | Mauritius | Nigeria | Kenya |
|---|---|---|---|
| Mandatory designation | Yes | Yes (verification-based) | No |
| Certification requirement | Yes — Office or accredited body | Implicit via verification | None |
| Continuing education (CPD) | Not specified | 20 pts/year, quantified | None |
| Annual verification/revalidation | Not specified | Yes | None |
| Protection from penalisation | Explicit | Not addressed | Limited |
| Multiple DPO / lead DPO guidance | Yes | Not addressed | None |
| Reporting line specified | Highest management level | Not addressed | None |
The case for reform isn't cosmetic. It rests on four practical points.
Certification and CPD both signal, and enforce, a verifiable standard of competence — rather than leaving quality entirely to an employer's discretion.
Data protection law and practice move fast. A qualification earned once, years ago, says little about whether a DPO is current today.
Clear requirements reduce compliance guesswork and make it easier for boards to budget for, and invest in, proper data protection governance.
A regulator can only hold a DPO — or the organisation that appointed them — accountable against a standard that actually exists.
We've drawn directly on the strengths of both the Mauritian and Nigerian approaches to prepare a full set of draft guidelines for the ODPC's consideration — covering mandatory designation, qualification and certification, an annual verification process, a structured CPD points framework, independence safeguards, and transitional provisions for DPOs already in post.
Kenya was an early mover on data protection legislation, and that head start is worth protecting. But a framework that defines what a DPO does without saying who is qualified to do it, or how anyone would check, leaves a genuine gap in the country's compliance architecture. Mauritius and Nigeria have both shown workable ways to close that gap. Kenya doesn't need to choose between them — it can, and in our view should, draw on both.
These are proposed guidelines, not law. Their value depends on stakeholder engagement and, eventually, formal adoption or legislative amendment. We'll track this as it develops.
If your organisation has a designated DPO — internal or outsourced — this is a good moment to check that their qualifications, independence, and reporting line would hold up under a more rigorous framework, before one is imposed on you.
Muchangi Patrick & Co. Advocates advises organisations on structuring and resourcing the DPO function, from designation through to ODPC engagement, and offers outsourced DPO services for businesses that need the function without the full-time headcount.