Data Protection Act, 2019 · ODPC Compliance

Technology law counsel for a data-driven Kenya.

We advise fintechs, platforms, and data controllers and processors on registration with the Office of the Data Protection Commissioner, cross-border transfer, and the compliance obligations that come with handling personal data at scale.

DPA 2019 · Core Framework
ODPC · Registration & Audits
DPIA · Impact Assessments
Compliance Snapshot

Obligations most Kenyan data handlers underestimate

  • 01 Registering as a data controller or processor with the ODPC before processing personal data at scale.
  • 02 Running a Data Protection Impact Assessment before high-risk processing, including biometric and financial data.
  • 03 Meeting adequacy or contractual safeguards before transferring personal data outside Kenya.
  • 04 Notifying the Commissioner within 72 hours of becoming aware of a personal data breach that poses a real risk of harm to data subjects, and informing the affected data subjects in writing.

Practising at the intersection of law and technology

We read code and contracts with the same scrutiny — because in a regulated data economy, the two increasingly say the same thing.

About the Firm

Counsel built for Kenya's data economy

Muchangi Patrick & Co. Advocates is a Nairobi-based technology law practice focused on data protection, privacy, and digital regulatory compliance. We work with founders, in-house counsel, and compliance teams who need law explained in terms their engineering and product teams can act on.

Our practice sits squarely under the Data Protection Act, 2019 and its regulations, and extends to the cross-border questions Kenyan companies face when their users, vendors, or servers sit outside the country — including GDPR exposure for firms handling EU personal data.

  • ODPC registration & renewals
  • Data protection impact assessments
  • Cross-border transfer agreements
  • Breach response & notification
  • Privacy policies & consent design
  • Regulatory investigations & disputes

Practice Areas

Where clients bring us in

Each engagement maps to a specific compliance obligation under Kenyan and, where relevant, international data protection law.

Registration

ODPC Registration & Renewal

Determining whether you register as a controller, processor, or both — and managing the filing, category classification, and annual renewal.

Assessment

Data Protection Impact Assessments

Structured DPIAs for high-risk processing: biometric identity checks, credit scoring, geolocation, and large-scale profiling.

Transfer

Cross-Border Data Transfer

Adequacy analysis, standard contractual clauses, and vendor agreements for data leaving Kenya, including workloads hosted on AWS or on infrastructure located in the EU or the US.

Incident

Breach Response & Notification

Rapid-response counsel when a breach occurs: containment advice, Commissioner notification, and communication to affected data subjects.

Governance

Privacy Policies & Consent Design

Drafting privacy notices, consent flows, and internal data handling policies that hold up to regulatory scrutiny and actually get read.

Disputes

Regulatory Investigations

Representation before the Office of the Data Protection Commissioner and in data-related civil litigation.

How We Work

From audit to registration

A typical compliance engagement moves through four stages — timelines vary with the scale of processing involved.

Stage 01

Data Mapping & Gap Audit

We inventory what personal data you collect, where it lives, who touches it, and where your current practices fall short of the Data Protection Act.

Stage 02

Risk Assessment

High-risk processing activities are flagged for a formal DPIA; the remaining gaps are prioritised by how likely they are to draw ODPC enforcement.

Stage 03

Registration & Documentation

We prepare and file ODPC registration, draft or revise your privacy policy, and put data processing agreements in place with vendors.

Stage 04

Ongoing Compliance

Annual renewals, breach-readiness reviews, and standing counsel as your product or data footprint changes.

Who We Advise

Sectors we work in

Personal data obligations look different depending on what you collect and why.

Fintech & Digital Lending

KYC data, credit scoring, and mobile money compliance.

Startups & SaaS

Privacy-by-design for products scaling across borders.

Health-Tech

Sensitive personal data and heightened consent requirements.

E-Commerce & Retail

Customer data, marketing consent, and payment information.

Banking & Insurance

Large-scale data processing under sectoral regulation.

Cloud & Infrastructure

Processor obligations and data hosting arrangements.

HR & Employment Platforms

Employee data, background checks, and workplace monitoring.

EdTech

Data on minors and the added duty of care it requires.

Client Feedback

What clients say

"They translated the Data Protection Act into a checklist our engineering team could actually implement, instead of a document that sat in a drawer."

Operations Lead
Fintech, Nairobi

"Our ODPC registration and DPIA were handled end-to-end, with clear timelines at every step."

Founder
Health-Tech Startup

"Responsive during a live incident, and thorough with the notification process afterward."

Head of Compliance
E-Commerce Platform

Illustrative client feedback — replace with verified quotes and attributions before publishing.

Insights

Recent writing

  • 2026 · 06 · Registration · What ODPC registration actually requires of a Kenyan fintech
  • 2026 · 05 · Transfer · Cross-border transfer: when your data leaves Kenya without you realising it
  • 2026 · 04 · Incident · Building a breach response plan before you need one

Get In Touch

Book a consultation

Tell us about your data processing activities and we'll get back to you with next steps — usually within one business day.

Nairobi, Kenya