HIGH COURT OF KENYA  ·  DPA 2019  ·  ODPC

Counsel for organisations that hold other people's data.

Muchangi Patrick is an Advocate of the High Court of Kenya advising boards, fintechs, and regulated businesses on data protection compliance, ODPC registration and enforcement, and privacy litigation — built on eight years of active courtroom practice.

Muchangi Patrick, Advocate of the High Court of Kenya
MUCHANGI PATRICK · ADVOCATE, HCK
8+
YEARS AT
THE BAR
DATA PROTECTION ACT, 2019 ODPC REGISTRATION & ENFORCEMENT DPIA CROSS-BORDER TRANSFER GDPR ARTICLES 44–50 BREACH NOTIFICATION OUTSOURCED DPO 31 CASE LAW NOTES PUBLISHED
Muchangi Patrick About Counsel

From the courtroom
into the boardroom.

Years in active litigation8+
Case law notes & compliance briefs published40
Public interest litigation committee6 yrs
Practicing certificateValid

Kenya's Data Protection Act, 2019 turned data handling into a legal exposure — not just an IT policy question.

Muchangi Patrick built his practice on eight years of civil and commercial litigation before the High Court, Environment and Land Court, and various tribunals — the kind of grounding that shapes how a compliance opinion is written, because it comes from someone who has also had to defend one in front of a judge.

That litigation background now anchors a focused data protection and compliance practice: registering controllers and processors with the Office of the Data Protection Commissioner, running data protection impact assessments, serving as outsourced Data Protection Officer for growing businesses, and representing clients in ODPC complaints and enforcement matters.

He also sits on the Law Society of Kenya's Public Interest Litigation Committee, where his work has touched directly on data and privacy rights — including litigation on the state's disclosure of children's records in the justice system, and public health and environmental litigation concerning GMO approvals.

Practice Areas

Where the advice has to hold up.

Each engagement is scoped against a specific instrument — the Data Protection Act, its regulations, or the frameworks a cross-border client already answers to.

DPA 2019

ODPC Registration & Representation

Registering data controllers and processors, responding to ODPC inquiries, and representing clients in complaints and enforcement proceedings.

DPIA

Data Protection Impact Assessments

Structured DPIAs for new products, AI tools, and data-heavy processes, before regulators or customers ask for one.

OUTSOURCED DPO

DPO & Board Advisory

Acting as outsourced Data Protection Officer, or advising boards and executives on data governance and regulatory risk.

ART. 44–50

Cross-Border Data Transfers

Transfer mechanisms and vendor contracts for businesses moving Kenyan personal data to processors abroad, mapped against GDPR-equivalent standards.

INCIDENT RESPONSE

Breach Notification & Litigation

Breach notification to the ODPC and affected data subjects, and litigating unlawful processing or unauthorised disclosure claims.

POLICY & TRAINING

Privacy Governance Frameworks

Privacy policies, consent frameworks, and staff training built to be used, not filed away.

Register of Credentials

Standing at the Bar.

2014
Bachelor of Laws (LL.B), Second Class Upper
University of Nairobi
DEGREE
2014
Post-Graduate Diploma in Law
Kenya School of Law
ATP
Current
Advocate of the High Court of Kenya
Valid practicing certificate
ADMITTED
Current
Commissioner for Oaths
Empowered to administer oaths and take affidavits
APPOINTED
Certified Professional Mediator
Mediation Training Institute
CERTIFIED
2023
LSK Presidential Award — Legal Aid & Pro Bono Service Excellence
Law Society of Kenya
AWARD
Experience

Eight years, two chairs.

Principal Advocate

JUN 2023 — PRESENT
Muchangi Patrick Law Offices, Advocates & Technology Law Firm
  • Leads a portfolio of civil, commercial, and — increasingly — data protection compliance and privacy matters.
  • Advises corporate and fintech clients on ODPC registration, DPIAs, and outsourced DPO functions.
  • Represents clients before the High Court, Environment and Land Court, tribunals, and mediation forums.

Advocate / Legal Associate

2014 — JUN 2023
Kariuki Mwangi & Co. Advocates
  • Civil and commercial litigation across contract, land, succession, and constitutional matters.
  • Drafted pleadings, submissions, and legal opinions; conducted discovery and due diligence.
  • Built the courtroom and negotiation experience that now underpins his compliance advisory work.

Public Interest Litigation Committee

6+ YEARS
Law Society of Kenya
  • Litigation on the state's release of GMO maize, on environmental and public health grounds.
  • Litigation seeking to restrict disclosure of the identities of children in conflict with the law.
  • Pro bono representation for indigent clients and children in the justice system.
Published Work

The docket, in real time.

31 case law notes and 8 compliance briefs on the Data Protection Act, ODPC enforcement, and privacy litigation — published on an ongoing basis, and free to read or download in full.

Browse the full library Download the case law digest (PDF)
Frequently Asked

Before you call, you probably want to know —

Do I need a Data Protection Officer in Kenya?+

The Data Protection Act, 2019 requires certain data controllers and processors to designate a DPO, generally where processing is carried out by a public body, involves large-scale regular monitoring, or involves large-scale processing of sensitive data. Many businesses outside that threshold appoint one anyway, since it centres accountability in one place.

How do I register with the ODPC?+

Registration runs through the Office of the Data Protection Commissioner's registration portal, with tiers based on turnover, staff numbers, and the nature of processing. Getting the tier and processing description right the first time avoids delays and follow-up queries.

How is Kenya's Data Protection Act different from the GDPR?+

The DPA 2019 was modelled closely on the GDPR, sharing core concepts like lawful bases for processing, data subject rights, and cross-border transfer restrictions. The differences sit mostly in enforcement mechanics, registration requirements, and how the ODPC exercises its powers compared to EU supervisory authorities.

What happens if my business isn't compliant?+

The ODPC can issue enforcement notices, investigate complaints, and impose penalties, and affected individuals can separately pursue claims for unlawful processing. In practice, most exposure comes from unresolved breach incidents or unregistered processing rather than any single clause — which is exactly what a compliance audit is meant to catch early.

Do you work with startups, or only larger corporates?+

Both. Startups usually need a lean compliance foundation built once and reused — registration, a real privacy policy, and a breach-response plan. Larger and regulated businesses tend to need ongoing DPO support, vendor reviews, and board-level reporting.

Get in Touch

Start with a compliance consultation.

Tell me briefly what you handle — customer data, health records, employee data, cross-border transfers — and I'll tell you honestly where your exposure actually sits before we talk engagement.

AddressPinetree Plaza, 8th Floor, Kaburu Drive, Off Ngong Rd
P.O. Box 44512-00100, Nairobi
FirmMuchangi Patrick Law Offices, Advocates & Technology Law Firm
AdmissionAdvocate, High Court of Kenya · Commissioner for Oaths