The Data Protection Act No. 24 of 2019 (the “Act”) was signed into law on 8th November 2019 and established a comprehensive data protection regime in Kenya. The Act provides for the rights of data subjects in relation to their personal information and sets out various duties of entities collecting or processing personal data. Processing data in any manner contrary to the provisions of the Act could attract fines of up to Kshs. 5,000,000/= or 1% of annual turnover, and imprisonment for a term of up to 5 years.
The Act’s main aim is to protect personal data collected, used, or stored by both private and public entities. It provides for the legal framework for protection of a person’s privacy in instances where personal data is collected, stored, used, or processed by another person.
The Data Protection Officer and the role
A Data Protection Officer (the “DPO”) is an independent data protection expert who, under section 24(7) of the Act, is responsible for:
- Advising on data processing requirements under the Act.
- Ensuring, on behalf of the organization, that the Act is complied with.
- Facilitating capacity building of staff involved in data processing operations.
- Providing advice on data protection impact assessments; and
- Co-operating with the Data Commissioner and any other authority on matters relating to data protection.
The Act establishes the office of the Data Protection Commissioner, who has wide-ranging powers to ensure compliance with the Act, investigate offences and penalize offenders.
The DPO’s responsibilities will naturally extend beyond those specifically listed in section 24(7) of the Act and cover all personal data processing activities.
- When carrying out their tasks, the DPO should consider the risk associated with the processing your organization is undertaking. They must have regard to the nature, scope, context, and purposes of the processing.
- The DPO should prioritize and focus on the riskier activities, for example where special categories of data are being processed, or where the potential impact on individuals could be damaging. DPOs should therefore provide risk-based advice to your organization.
- If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.
It is worth noting that the DPO is not personally liable for data protection compliance. While the DPO plays a crucial role in helping the organization to fulfill its data protection obligations, the organization ultimately remains responsible for compliance with the Act.
Which organizations should appoint a Data Protection Officer?
Given that non-compliance with the provisions of the Act attracts hefty and consequential penalties, all organizations that process personal data must assess whether they need a DPO to mitigate the risks. Under section 24(1) of the Data Protection Act, you may appoint a DPO if:
- You are a public or private body that processes personal data of data subjects. Courts acting in their judicial capacity are exempt.
- The core activity of your organization consists of processing operations which, by their nature, scope, or purposes, require regular and systematic monitoring of data subjects.
- The organization's core activity consists of processing sensitive categories of personal data. This includes data revealing a person’s race, health status, property details, marital status, family details, sex, etc.
Appointing a Data Protection Officer
The Act allows organizations to choose whether to appoint an internal or external DPO. The DPO may be a permanent member of staff (internal) or acting under a service contract (external). A group of entities may also share a DPO with other organizations provided the DPO is accessible by each entity.
Section 24(2) stipulates that an existing employee who fulfils other tasks and duties can only be the DPO if those tasks and duties do not result in a conflict of interest. In practice, this means the DPO cannot hold a position within the organization that leads her to determine the purposes and means of processing personal data. In addition, the DPO should not be expected to manage competing objectives that could result in data protection taking a secondary role to business interests.
Section 24(5) of the Act specifies that a DPO should be appointed based on relevant academic or professional qualifications which may include knowledge and technical skills in matters related to data protection. With a shortage of individuals trained to manage the specific DPO responsibilities, outsourcing these tasks and duties can help your organization address the compliance demands of the Act while staying focused on core business activities.
Details to publish about the Data Protection Officer
The Act requires Data Processors and Data Controllers to publish the contact details of the DPO on the organization website and communicate them to the Data Commissioner. This is to enable data subjects, your employees, and the Commissioner to contact the DPO as needed.
Please reach out to us (ponyango@aliumlaw.com) if you require specific advice on the Data Protection Act, 2019 and appointing a Data Protection Officer.