← Muchangi Patrick Published Work
⇩ Download PDF
Muchangi Patrick & Co. Advocates logo Muchangi Patrick & Co. Advocates ← Back to Insights

The Compliance Brief

Vol. 03 — Issue 31
Nairobi Edition
Regulation, technology & the business of Kenya
Comparative Regulatory Analysis

Kenya's Data Protection Officer framework is a decade behind Mauritius and Nigeria. Here's the gap, and the fix.

Mauritius now requires DPOs to be certified. Nigeria requires them to earn 20 continuing-education points a year to keep their verification. Kenya's Data Protection Act 2019 doesn't require a DPO to have any qualification at all — or even to exist.

Analysis 9 min read Data Protection & Regulatory
By Patrick Muchangi, Founder & Advocate — Muchangi Patrick & Co. Advocates · Published July 2026
Download PDF

Across East and Southern Africa, the Data Protection Officer has quietly become the most consequential role in corporate compliance — the person who signs off on impact assessments, fields regulator queries, and stands between an organisation and an enforcement notice. Mauritius and Nigeria have both just moved to make sure that person is actually qualified to hold the job. Kenya, despite being an early mover on data protection legislation, has not. This piece sets out what changed in Mauritius and Nigeria, exactly where Kenya's Data Protection Act 2019 falls short by comparison, and what we think the Office of the Data Protection Commissioner (ODPC) should do about it.

§1 Two jurisdictions just professionalised the DPO role

Mauritius and Nigeria took different routes to the same destination: a DPO function that regulators can actually verify, not just a name on a website footer.

Mauritius

Data Protection (Designation, Tasks and Position of DPOs) Regulations 2026

  • DPO designation is mandatory, and must be filled from within the organisation's own staff
  • The DPO must hold a certification issued by the Data Protection Office or an accredited training institution
  • Explicit protection from dismissal, suspension or penalty for lawfully performing DPO duties
  • Multiple DPOs are permitted for larger operations, with one designated as lead
  • The DPO must report to the highest level of management
  • In force from 1 January 2027
Nigeria

NDPC Guidance Notice on Continuous Professional Development for DPOs

  • Builds on the DPO verification regime under the Nigeria Data Protection Act 2023 and the GAID 2025
  • Verified DPOs must earn 20 CPD points a year to keep active verification status
  • At least 10 of those points must come from structured training and certification
  • Points can also come from publications, conference participation and mentorship
  • Non-compliant DPOs can be moved to inactive verification status until remediated
  • A digital platform is planned for submitting and tracking CPD records

§2 Nigeria's CPD framework, by the numbers

The Nigeria Data Protection Commission didn't just say DPOs should keep learning — it quantified exactly how much, and from where.

40
Points available annually
20
Minimum required to stay verified
10
Must come from formal training

The remaining points can come from knowledge contribution (peer-reviewed articles, industry briefs, capped at 10 points) and professional engagement (speaking, conferences, technical working groups, mentorship, capped at 8 points). DPOs keep records — certificates, confirmation emails, PEER forms — and the Commission reviews compliance annually at revalidation.

§3 Where Kenya's framework falls short

Section 24 of the Data Protection Act 2019 defines what a DPO does. It says almost nothing about who is allowed to do it, whether they need to, or how anyone would know if they're any good at it.

3.1 Designation isn't mandatory

Unlike Mauritius, which requires every controller to designate a DPO, Kenya leaves the decision optional — leaving organisations to decide for themselves whether the role exists at all.

3.2 No qualification or certification requirement

The Act and its Regulations are silent on what a DPO needs to know, or how anyone would verify it. Nothing stops an unqualified employee from being named DPO purely to tick a compliance box.

3.3 No continuous professional development framework

There is no mechanism requiring a Kenyan DPO to keep their knowledge current, in a field — AI governance, cross-border transfer rules, breach notification practice — that changes every year.

3.4 No verification or assessment mechanism

Nigeria reviews and revalidates DPO status annually. Kenya has no equivalent system for checking whether a designated DPO still meets any particular standard, because no standard is set.

3.5 Thinner independence safeguards

Kenya's Act offers some protection, but nothing as explicit as Mauritius's bar on dismissing, suspending or penalising a DPO for lawfully performing their duties.

3.6 No guidance on multiple DPOs or a lead DPO

Larger, more complex organisations are given no framework for how several DPOs should coordinate, or who the regulator and data subjects should treat as the primary contact.

3.7 No clear reporting line to senior management

Mauritius requires the DPO to report to the highest level of management, framing data protection as a governance matter. Kenya's framework doesn't say who the DPO answers to internally.

§4 The three frameworks, side by side

RequirementMauritiusNigeriaKenya
Mandatory designationYesYes (verification-based)No
Certification requirementYes — Office or accredited bodyImplicit via verificationNone
Continuing education (CPD)Not specified20 pts/year, quantifiedNone
Annual verification/revalidationNot specifiedYesNone
Protection from penalisationExplicitNot addressedLimited
Multiple DPO / lead DPO guidanceYesNot addressedNone
Reporting line specifiedHighest management levelNot addressedNone

§5 Why this matters beyond box-ticking

The case for reform isn't cosmetic. It rests on four practical points.

"A DPO framework that says what the role does, but not who is qualified to hold it, is a job description without a hiring bar."

§6 What we think Kenya should do

We've drawn directly on the strengths of both the Mauritian and Nigerian approaches to prepare a full set of draft guidelines for the ODPC's consideration — covering mandatory designation, qualification and certification, an annual verification process, a structured CPD points framework, independence safeguards, and transitional provisions for DPOs already in post.

Draft Guidelines on the Designation, Tasks, Position and Professional Development of DPOs
Our full proposed framework for the ODPC, published in the Resource Centre.
Read the Guidelines →

§7 The bottom line

Kenya was an early mover on data protection legislation, and that head start is worth protecting. But a framework that defines what a DPO does without saying who is qualified to do it, or how anyone would check, leaves a genuine gap in the country's compliance architecture. Mauritius and Nigeria have both shown workable ways to close that gap. Kenya doesn't need to choose between them — it can, and in our view should, draw on both.

Where this goes next

These are proposed guidelines, not law. Their value depends on stakeholder engagement and, eventually, formal adoption or legislative amendment. We'll track this as it develops.

How this touches your data protection exposure

If your organisation has a designated DPO — internal or outsourced — this is a good moment to check that their qualifications, independence, and reporting line would hold up under a more rigorous framework, before one is imposed on you.

Muchangi Patrick & Co. Advocates advises organisations on structuring and resourcing the DPO function, from designation through to ODPC engagement, and offers outsourced DPO services for businesses that need the function without the full-time headcount.