Issued pursuant to Section 8 of the Data Protection Act, 2019, to operationalise the Data Protection Officer function under Section 24
Kenya's Data Protection Act, 2019 provides for the designation of Data Protection Officers under Section 24, but is silent on their qualification, certification, verification and continuous professional development. Mauritius and Nigeria have each recently addressed that gap through detailed regulation. The guidelines below draw on the strengths of both frameworks, adapted to the Kenyan context, and are put forward for consideration and consultation by the Office of the Data Protection Commissioner. They are not currently in force. For the full comparative analysis behind this proposal, see our Insights article.
WHEREAS Section 24 of the Data Protection Act, 2019 (the "Act") provides for the designation of Data Protection Officers (DPOs) to advise on and ensure compliance with data protection requirements;
WHEREAS the Act provides that DPOs shall advise data controllers and data processors, ensure compliance, facilitate capacity building, provide advice on data protection impact assessments, and cooperate with the Data Commissioner;
WHEREAS there is a need to clarify the qualifications, tasks, and protections to be afforded to DPOs to ensure effective implementation of the Act;
WHEREAS there is a need to establish a framework for the verification of DPO qualifications and ongoing professional development to ensure that DPOs maintain the competence required to fulfil their functions;
NOW, THEREFORE, the Office of the Data Protection Commissioner, pursuant to Section 8 of the Act, is invited to issue these Guidelines to operationalise the DPO function.
In these Guidelines, unless the context otherwise requires:
Every data controller and data processor shall designate a DPO from among their staff members. Where a group of entities share a DPO, the designation must be made by each controller or processor, and the shared arrangement clearly documented.
A DPO shall be designated on the basis of professional qualifications and shall demonstrate:
Every DPO shall hold evidence of certification issued either by:
A data controller or data processor shall publish the DPO's contact details on the organisation's website, communicate them to the Office, and notify the Office and data subjects of any change in designation.
A DPO shall perform the following core functions under Section 24 of the Act:
In addition, a DPO shall:
The DPO shall be involved, in a timely manner, in all issues related to the protection of personal data, including the development of policies, implementation of technical and organisational measures, DPIAs, and the handling of data subject requests and complaints.
A DPO shall report to the highest management level of the organisation. Where multiple DPOs are designated, the Lead DPO shall have direct access to the highest management level.
A data controller or data processor shall provide the DPO with necessary resources — time, budget, access to information and appropriate training — and allow participation in relevant meetings and decisions relating to data protection.
Duties assigned to the DPO must be compatible with their regulatory tasks and must not create a conflict of interest that would compromise independence.
A data controller or data processor shall not dismiss, suspend, or otherwise penalise a DPO for lawfully performing their duties under the Act and these Guidelines.
A DPO shall be permitted to carry out their functions independently, without unlawful interference from the controller, processor, or any other person.
Every DPO shall be verified by the Office to confirm compliance with the qualification, certification, and professional development requirements under these Guidelines.
An application shall be submitted in the prescribed form and shall include evidence of certification; a curriculum vitae; a statement of duties and responsibilities; a declaration of no conflict of interest; and any other information the Office may require.
A DPO verification shall be valid for one year from issuance, subject to annual renewal.
Renewal requires evidence of compliance with the CPD requirements under Part VI.
A DPO who fails to meet prescribed requirements may be placed on temporary inactive status pending remediation, and may be required to cease performing certain functions during that period.
The Office shall establish a digital platform for the submission and monitoring of DPO verification and CPD records.
6.2.1 Formal Training and Certification (minimum 10 points): Office-accredited training programmes; recognised workshops and webinars; approved e-learning courses; the Office's Virtual Privacy Academy courses; acquisition or renewal of recognised international privacy certifications.
6.2.2 Knowledge Contribution (maximum 10 points annually): publication of peer-reviewed articles; publication of industry articles and policy briefs.
6.2.3 Professional Engagement (maximum 8 points annually): speaking engagements, panels and facilitation of accredited training; participation in recognised privacy conferences; membership in professional bodies; participation in Office technical working groups; mentorship of emerging privacy professionals; contributions to regulatory consultations.
A DPO shall retain verifiable evidence — certificates of attendance, confirmation emails, copies or links to publications, formal letters of participation, and Professional Education and Engagement Review (PEER) Forms.
The Office shall prescribe a CPD points framework, review compliance annually at revalidation, and may request CPD records for review at any time.
Compliance with these Guidelines shall be reviewed annually during DPO verification revalidation.
A data controller or processor who fails to designate a DPO or ensure compliance may be subject to enforcement action under the Act, including a compliance notice, an enforcement notice, administrative fines, and any other available remedy.
A DPO who fails to meet prescribed CPD requirements may be placed on temporary inactive status pending remediation; failure to remediate within a specified period may result in suspension of verification status.
Existing DPOs designated under Section 24 shall have twelve (12) months from issuance of these Guidelines to comply with the qualification, certification, and verification requirements.
A DPO who does not meet the certification requirements under Section 2.3 but possesses significant experience may be recognised case-by-case, provided they demonstrate expert knowledge of Kenyan data protection law, have held the role for at least three (3) years, submit a development plan to achieve certification within twelve (12) months, and meet all other requirements.
The Office shall, within six (6) months of issuance, establish a process for accrediting training institutions and approving certification programmes.
The Office shall, within twelve (12) months of issuance, develop and launch the digital platform for submission and monitoring of DPO verification and CPD records.
These Guidelines shall be interpreted in accordance with the Data Protection Act, 2019 and any other relevant laws.
The Office may amend these Guidelines from time to time as necessary to give effect to the Act or to align with emerging best practices.
The Office shall review these Guidelines within three (3) years of issuance.
Muchangi Patrick & Co. Advocates prepared this draft framework as part of our ongoing regulatory and policy work on data protection in Kenya. We welcome engagement from the ODPC, industry bodies, and fellow practitioners on refining it ahead of any formal consultation process.