Compliance 5 min read June 10, 2026

Kenya Data Protection Act 2019: what your SME actually needs to do

The Kenya Data Protection Act 2019 applies to every business that collects or processes personal data — not just banks and telcos. If you have customer phone numbers, employee records, or supplier contacts, it applies to you.

The good news: for a small business, compliance is mostly about discipline, not expensive software. Here's a practical checklist.

The 10-step SME checklist

  1. Know what you collect. List customer, employee, and supplier data you store. Phone numbers and ID copies count.
  2. Have a clear purpose. Only collect data for a specific business reason. Do not keep it "just in case."
  3. Get consent where needed. For marketing messages, make sure you have a record of opt-in.
  4. Limit access. Not every employee needs access to every customer file. Give people only what their role requires, and remove access the day someone leaves.
  5. Use strong passwords + MFA. Stolen or guessed passwords are the most common way into business accounts, and MFA is the single most effective defence against that.
  6. Encrypt devices. Laptops and phones used for business should have disk encryption and remote wipe enabled.
  7. Back up data. Treat ransomware as a data-loss event: keep backups an attacker on your network cannot reach (offline, or cloud copies protected by separate credentials) and test a restore at least once.
  8. Have a breach plan. Know who to notify and how. The ODPC must be told about breaches that pose a real risk of harm within 72 hours of your becoming aware of them, and the affected individuals must be informed as well.
  9. Respect data-subject requests. If someone asks what data you hold, or asks you to delete it, respond in 21 days.
  10. Review annually. Data handling changes as your business grows. Schedule one review per year.

How Codec8 Prove helps

Codec8 Prove turns your self-assessment into a shareable Readiness Certificate. It gives insurers, partners, and auditors a clear, plain-language view of what you have in place and what you are working on. It is not a legal audit, but it is a strong starting point for any compliance conversation.

See where your business stands today.

Get Your Free Trust Score

Takes 3 minutes. No signup required.