GLOBAL
Your 7-Step Practical Checklist for Full Compliance with Kenya's Data Protection Act (DPA)
Yuvin Kim
August 14, 2025
GLOBAL
Your 7-Step Practical Checklist for Full Compliance with Kenya's Data Protection Act (DPA)
Yuvin Kim
August 14, 2025
As Kenya's digital economy flourishes, building trust with your customers has never been more critical. The Data Protection Act (DPA), 2019 is not just a set of rules; it's a framework for building that trust. For many businesses, navigating the path to full compliance can seem daunting.
At Walla, we believe that great customer relationships are built on a foundation of trust and security. That's why we've created this practical, 7-step checklist to help you understand your obligations and turn DPA compliance into a competitive advantage.
Step 1: Map Your Data Flow
Before you can protect data, you need to know what you have. Conduct a thorough audit of all the personal data your business handles.
Actionable Checklist:
What specific types of personal data do you collect (e.g., names, emails, phone numbers, payment details)?
Where does this data come from (e.g., website forms, mobile apps, physical documents)?
Why are you collecting it? What is the specific purpose for each data point?
Where is it stored, and who has access to it?
Step 2: Establish a Lawful Basis for Processing
You cannot process personal data without a valid legal reason. For most businesses, the most common basis is consent, but it must be explicit and freely given.
Actionable Checklist:
For each processing activity, identify your lawful basis (e.g., consent, performance of a contract, legal obligation).
Review your consent mechanisms. Are you using pre-ticked boxes? The DPA requires a clear affirmative action.
Is it easy for users to withdraw their consent at any time?
Step 3: Update Your Privacy Policy
Your privacy policy is a public declaration of your commitment to data protection. It must be transparent, concise, and easy to understand.
Actionable Checklist:
Does your policy clearly state what data you collect and why?
Does it explain how long you store the data?
Does it inform users of their rights under the DPA?
Is the policy easily accessible on your website and other platforms?
Step 4: Implement a Process for Data Subject Rights
The DPA grants individuals several rights over their data, including the right to access, rectify, and erase it. You must be prepared to respond to these requests in a timely manner.
Actionable Checklist:
Do you have a clear internal procedure for handling user requests?
Who is responsible for receiving and responding to these requests?
How will you verify the identity of the person making the request?
Step 5: Strengthen Your Data Security
You have a legal duty to protect the personal data you hold. This involves implementing appropriate technical and organizational measures to prevent unauthorized access, loss, or damage.
Actionable Checklist:
Is all personal data encrypted, both in transit (like using HTTPS on your website) and at rest (in your databases)?
Do you have strong access control policies, ensuring only authorized personnel can access sensitive data?
Are your employees trained on data protection best practices?
Step 6: Prepare an Incident Response Plan
In the event of a data breach, a swift and organized response is crucial. The DPA requires you to notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a breach.
Actionable Checklist:
Do you have a clear plan that defines what constitutes a data breach?
Does the plan outline steps for containment, investigation, and risk assessment?
Does it specify who is responsible for notifying the ODPC and affected individuals?
Step 7: Register with the ODPC
If your business processes personal data, you are required to register as a Data Controller and/or Data Processor with the Office of the Data Protection Commissioner (ODPC).
Actionable Checklist:
Have you completed the official registration process on the ODPC website?
Have you paid the required registration fees?
Do you maintain accurate records of your data processing activities, as required by law?
Conclusion
Achieving DPA compliance is an ongoing journey, not a one-time task. By systematically working through these steps, you can not only meet your legal obligations but also build deeper, more lasting trust with your customers.
While this checklist covers the essentials, using tools designed with compliance at their core can make this journey much smoother. At Walla, we are obsessed with making data collection simple, secure, and compliant, so you can focus on what you do best: growing your business.
Further Reading:
Decide with Data, Not Gut Feeling: How to Build a Data-Driven Culture in Your Kenyan Business
From Agri-tech to Fintech: Data Collection Strategies to Innovate Kenya's Key Industries
Growth Hacking for Silicon Savannah Startups: Using Forms for MVP Testing and Customer Validation
Designing a Satisfaction Survey Process to Captivate Kenyan Gen Z
Your 7-Step Practical Checklist for Full Compliance with Kenya's Data Protection Act (DPA)
As Kenya's digital economy flourishes, building trust with your customers has never been more critical. The Data Protection Act (DPA), 2019 is not just a set of rules; it's a framework for building that trust. For many businesses, navigating the path to full compliance can seem daunting.
At Walla, we believe that great customer relationships are built on a foundation of trust and security. That's why we've created this practical, 7-step checklist to help you understand your obligations and turn DPA compliance into a competitive advantage.
Step 1: Map Your Data Flow
Before you can protect data, you need to know what you have. Conduct a thorough audit of all the personal data your business handles.
Actionable Checklist:
What specific types of personal data do you collect (e.g., names, emails, phone numbers, payment details)?
Where does this data come from (e.g., website forms, mobile apps, physical documents)?
Why are you collecting it? What is the specific purpose for each data point?
Where is it stored, and who has access to it?
Step 2: Establish a Lawful Basis for Processing
You cannot process personal data without a valid legal reason. For most businesses, the most common basis is consent, but it must be explicit and freely given.
Actionable Checklist:
For each processing activity, identify your lawful basis (e.g., consent, performance of a contract, legal obligation).
Review your consent mechanisms. Are you using pre-ticked boxes? The DPA requires a clear affirmative action.
Is it easy for users to withdraw their consent at any time?
Step 3: Update Your Privacy Policy
Your privacy policy is a public declaration of your commitment to data protection. It must be transparent, concise, and easy to understand.
Actionable Checklist:
Does your policy clearly state what data you collect and why?
Does it explain how long you store the data?
Does it inform users of their rights under the DPA?
Is the policy easily accessible on your website and other platforms?
Step 4: Implement a Process for Data Subject Rights
The DPA grants individuals several rights over their data, including the right to access, rectify, and erase it. You must be prepared to respond to these requests in a timely manner.
Actionable Checklist:
Do you have a clear internal procedure for handling user requests?
Who is responsible for receiving and responding to these requests?
How will you verify the identity of the person making the request?
Step 5: Strengthen Your Data Security
You have a legal duty to protect the personal data you hold. This involves implementing appropriate technical and organizational measures to prevent unauthorized access, loss, or damage.
Actionable Checklist:
Is all personal data encrypted, both in transit (like using HTTPS on your website) and at rest (in your databases)?
Do you have strong access control policies, ensuring only authorized personnel can access sensitive data?
Are your employees trained on data protection best practices?
Step 6: Prepare an Incident Response Plan
In the event of a data breach, a swift and organized response is crucial. The DPA requires you to notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a breach.
Actionable Checklist:
Do you have a clear plan that defines what constitutes a data breach?
Does the plan outline steps for containment, investigation, and risk assessment?
Does it specify who is responsible for notifying the ODPC and affected individuals?
Step 7: Register with the ODPC
If your business processes personal data, you are required to register as a Data Controller and/or Data Processor with the Office of the Data Protection Commissioner (ODPC).
Actionable Checklist:
Have you completed the official registration process on the ODPC website?
Have you paid the required registration fees?
Do you maintain accurate records of your data processing activities, as required by law?
Conclusion
Achieving DPA compliance is an ongoing journey, not a one-time task. By systematically working through these steps, you can not only meet your legal obligations but also build deeper, more lasting trust with your customers.
While this checklist covers the essentials, using tools designed with compliance at their core can make this journey much smoother. At Walla, we are obsessed with making data collection simple, secure, and compliant, so you can focus on what you do best: growing your business.
Further Reading:
Decide with Data, Not Gut Feeling: How to Build a Data-Driven Culture in Your Kenyan Business
From Agri-tech to Fintech: Data Collection Strategies to Innovate Kenya's Key Industries
Growth Hacking for Silicon Savannah Startups: Using Forms for MVP Testing and Customer Validation
Designing a Satisfaction Survey Process to Captivate Kenyan Gen Z
Your 7-Step Practical Checklist for Full Compliance with Kenya's Data Protection Act (DPA)
As Kenya's digital economy flourishes, building trust with your customers has never been more critical. The Data Protection Act (DPA), 2019 is not just a set of rules; it's a framework for building that trust. For many businesses, navigating the path to full compliance can seem daunting.
At Walla, we believe that great customer relationships are built on a foundation of trust and security. That's why we've created this practical, 7-step checklist to help you understand your obligations and turn DPA compliance into a competitive advantage.
Step 1: Map Your Data Flow
Before you can protect data, you need to know what you have. Conduct a thorough audit of all the personal data your business handles.
Actionable Checklist:
What specific types of personal data do you collect (e.g., names, emails, phone numbers, payment details)?
Where does this data come from (e.g., website forms, mobile apps, physical documents)?
Why are you collecting it? What is the specific purpose for each data point?
Where is it stored, and who has access to it?
Step 2: Establish a Lawful Basis for Processing
You cannot process personal data without a valid legal reason. For most businesses, the most common basis is consent, but it must be explicit and freely given.
Actionable Checklist:
For each processing activity, identify your lawful basis (e.g., consent, performance of a contract, legal obligation).
Review your consent mechanisms. Are you using pre-ticked boxes? The DPA requires a clear affirmative action.
Is it easy for users to withdraw their consent at any time?
Step 3: Update Your Privacy Policy
Your privacy policy is a public declaration of your commitment to data protection. It must be transparent, concise, and easy to understand.
Actionable Checklist:
Does your policy clearly state what data you collect and why?
Does it explain how long you store the data?
Does it inform users of their rights under the DPA?
Is the policy easily accessible on your website and other platforms?
Step 4: Implement a Process for Data Subject Rights
The DPA grants individuals several rights over their data, including the right to access, rectify, and erase it. You must be prepared to respond to these requests in a timely manner.
Actionable Checklist:
Do you have a clear internal procedure for handling user requests?
Who is responsible for receiving and responding to these requests?
How will you verify the identity of the person making the request?
Step 5: Strengthen Your Data Security
You have a legal duty to protect the personal data you hold. This involves implementing appropriate technical and organizational measures to prevent unauthorized access, loss, or damage.
Actionable Checklist:
Is all personal data encrypted, both in transit (like using HTTPS on your website) and at rest (in your databases)?
Do you have strong access control policies, ensuring only authorized personnel can access sensitive data?
Are your employees trained on data protection best practices?
Step 6: Prepare an Incident Response Plan
In the event of a data breach, a swift and organized response is crucial. The DPA requires you to notify the Office of the Data Protection Commissioner (ODPC) within 72 hours of becoming aware of a breach.
Actionable Checklist:
Do you have a clear plan that defines what constitutes a data breach?
Does the plan outline steps for containment, investigation, and risk assessment?
Does it specify who is responsible for notifying the ODPC and affected individuals?
Step 7: Register with the ODPC
If your business processes personal data, you are required to register as a Data Controller and/or Data Processor with the Office of the Data Protection Commissioner (ODPC).
Actionable Checklist:
Have you completed the official registration process on the ODPC website?
Have you paid the required registration fees?
Do you maintain accurate records of your data processing activities, as required by law?
Conclusion
Achieving DPA compliance is an ongoing journey, not a one-time task. By systematically working through these steps, you can not only meet your legal obligations but also build deeper, more lasting trust with your customers.
While this checklist covers the essentials, using tools designed with compliance at their core can make this journey much smoother. At Walla, we are obsessed with making data collection simple, secure, and compliant, so you can focus on what you do best: growing your business.
Further Reading:
Decide with Data, Not Gut Feeling: How to Build a Data-Driven Culture in Your Kenyan Business
From Agri-tech to Fintech: Data Collection Strategies to Innovate Kenya's Key Industries
Growth Hacking for Silicon Savannah Startups: Using Forms for MVP Testing and Customer Validation
Designing a Satisfaction Survey Process to Captivate Kenyan Gen Z
Your 7-Step Practical Checklist for Full Compliance with Kenya's Data Protection Act (DPA)
Continue Reading
