Why SMEs Can’t Ignore Data Protection
Kenya’s economy is increasingly data-driven. From e-commerce platforms and fintech startups to small consultancies and schools, businesses of all sizes now rely on collecting and processing personal data. While this shift creates opportunities, it also comes with new legal responsibilities.
For Small and Medium Enterprises (SMEs), the risks are especially high. Unlike large corporates with in-house legal teams, SMEs often lack the resources to keep up with evolving regulations. Unfortunately, this makes them prime targets for regulatory penalties under Kenya’s Data Protection Act, 2019 (DPA).
The Law: Understanding the Data Protection Act, 2019
The Data Protection Act, 2019 established a comprehensive framework for the collection, storage, and use of personal data in Kenya. It mirrors global standards such as the EU’s General Data Protection Regulation (GDPR).
At the center of enforcement is the Office of the Data Protection Commissioner (ODPC), tasked with ensuring businesses comply with the Act. The ODPC has powers to:
• Register data controllers and data processors, including SMEs.
• Audit organizations’ compliance practices.
• Investigate complaints of data misuse.
• Impose administrative fines and penalties.
For SMEs, this means that even if you run a small online shop, a clinic, or a consultancy handling client details, you fall under the Act’s scope.
SME Compliance Essentials
Every SME should prioritize the following steps to comply with the Data Protection Act:
1. ODPC Registration
o If your business collects or processes personal data, you must register with the ODPC.
o This applies even to SMEs with fewer than 50 employees if they handle sensitive data or large volumes of personal data.
2. Data Protection Impact Assessments (DPIAs)
o Required under section 31 of the Act for high-risk processing activities (e.g., health data, financial data, tracking, surveillance).
o SMEs in fintech, healthcare, education, and HR outsourcing are especially affected.
3. Privacy Policies & Notices
o SMEs must have clear privacy policies that explain how data is collected, used, stored, and shared.
o Terms of Service should include consent provisions that align with section 32 DPA.
4. Data Security Measures
o Implement reasonable technical and organizational safeguards to protect customer data from unauthorized access, loss, or breach.
Penalties & Enforcement
The consequences of non-compliance are significant:
• Fines of up to KES 5 million or 1% of annual turnover, whichever is lower (section 63 DPA).
• Orders to suspend data processing operations.
• Reputational damage and loss of customer trust.
The ODPC has already issued fines to companies, proving that enforcement is not theoretical. For SMEs, such penalties can cripple operations.
Practical Tips: Low-Cost Compliance Strategies for SMEs
Compliance does not have to be expensive. SMEs can adopt cost-effective strategies to stay compliant:
• Use template privacy policies tailored to your industry and scale.
• Appoint an internal data champion to oversee compliance (you don’t always need a full-time DPO).
• Leverage cloud providers that are already compliant with global security standards.
• Train staff on data handling basics — human error is the leading cause of breaches.
• Work with external advisors to conduct periodic compliance checks.
Conclusion & CTA
Kenya’s Data Protection Act, 2019 is not just a corporate law — it affects every business that handles personal data, no matter the size. SMEs that adopt compliance early gain customer trust, reduce legal risk, and position themselves for growth in a digital economy.
👉 Need help with ODPC compliance? Book a consultation with Miano Njogu Advocates today. We help SMEs register with ODPC, draft privacy policies, and implement data protection frameworks that are affordable and practical.