The Trust Economy: Why the Data Protection Act is the new SME gold standard


Six years ago, Kenya enacted the Data Protection Act (DPA), becoming the first East African country to establish a comprehensive data protection framework and positioning itself as a continental leader in privacy regulation by bringing accountability to how personal data is collected, processed and stored across both the public and private sectors.

Yet, as the Act enters its seventh year, the conditions in which it operates have shifted considerably. Organisations across Kenya are no longer simply holding or processing data; they are actively using it to understand consumer behaviour, analyse transactions, assess credit risk and personalise services.

Kenyan firms are already deploying artificial intelligence for credit scoring and debt management, and mobile money transactions through agents reached KSh 8.7 trillion in 2024, equivalent to more than half of the country’s GDP. In this environment, the Act is no longer simply a compliance instrument; it is also a reflection of how Kenyan businesses treat the people behind the data. Increasingly, consumers are paying attention to what that reflection reveals.

This matters because consumer sentiment has shifted in step with the proliferation of data-driven services. Consumer research consistently finds that trust now sits alongside quality and price as a core consideration in purchasing decisions, and that consumers are willing to take their business elsewhere when they feel their personal information has been mishandled.

The DPA reinforces this shift by placing real power in the hands of individuals. Kenyan consumers have the legal right to be informed, to access data held about them, to challenge inaccuracies, to object to certain forms of processing and to request deletion where data no longer serves a lawful purpose. Privacy is no longer an implied courtesy — it is an enforceable right. SMEs that recognise this early will be better positioned than those that are waiting for a reminder from the regulator.

The DPA as a catalyst for market accountability
Kenya’s DPA did not simply introduce new rules; it fundamentally changed the accountability structure of the market. Before the Act, privacy was largely an implied institutional responsibility.

Today, SMEs are explicitly recognised as data controllers and processors, with clear legal obligations across the entire data lifecycle. Non-compliance carries administrative penalties of up to Sh5 million or 1% of annual turnover (whichever is lower), alongside the risk of civil liability that can far exceed these statutory caps. Despite that exposure, an EY Kenya survey found that a sizeable share of businesses have yet to comply fully, the most frequently cited obstacle being a lack of senior management commitment to resource the work. That is a gap with an increasingly visible price tag attached.

The Act’s close alignment with GDPR also creates a commercial opportunity that many SMEs are not yet exploiting. Businesses that can demonstrate GDPR-equivalent data governance may find it easier to access European and international partnerships, where stricter due diligence requirements apply.

Research from the Centre for Information Policy Leadership suggests that GDPR-aligned frameworks, when properly embedded rather than superficially implemented, can elevate privacy from a compliance function into a business enabler that strengthens institutional credibility with partners and investors. Kenya’s DPA offers exactly this dual dividend.

Trust as currency in a mobile-first economy
Kenya’s digital economy is largely mobile-driven, and the volume of personal data in circulation is substantial. With 66 million active mobile connections serving a population of 55.6 million people, data is generated at scale through everyday interactions.

In this context, businesses that handle data transparently and responsibly are more likely to build trust that translates into customer retention and referrals. Conversely, those that fail to do so face exposure — not only to regulatory action but also to reputational damage and customer attrition.

This dynamic is particularly acute for SMEs serving the mass market through mobile-first interfaces, where consent flows, privacy notices and data handling practices are visible to users at every touchpoint.

The DPA’s requirements for lawful, specific and transparent processing are not obstacles to good customer experience; they form part of its foundation. An SME that collects only what it needs, explains why, and enables customers to exercise their rights with ease is not just compliant — it is demonstrably trustworthy.

Unified data and the SME case for privacy-by-design
One of the most practical arguments for treating the DPA as a framework rather than a checkbox is what it demands of data architecture. The Act’s accountability requirements, including the obligation to maintain accurate records, respond to data subject requests and demonstrate compliance on demand, are structurally incompatible with fragmented, siloed data environments.

When data is scattered across disconnected systems, organisations face compounding problems: greater vulnerability to breaches, inconsistent records that undermine regulatory reporting and an inability to form the coherent view of customers that effective service delivery requires. The IBM Cost of a Data Breach Report 2024 found that organisations with high data complexity face significantly higher breach costs and longer resolution times than those operating integrated environments.

Encouragingly, the barriers to building integrated data systems are falling. Low-code and no-code platforms now let businesses build privacy-conscious workflows without deep technical expertise, and Gartner projects that low-code tools will account for 75% of new application development by 2026. Increasingly, these platforms embed governance features such as consent management, audit logs and controlled data access directly into the tooling.

This makes privacy-by-design (building data protection into systems from the outset rather than retrofitting it afterwards) practically achievable for businesses without large technical teams. The tooling only helps if it is actually used as designed: a consent flag that is never checked before processing, or an audit log that nobody can verify, adds nothing. Embedding these controls from the start avoids costly remediation, creates auditable processes by default and produces the kind of transparent data environment that the DPA, and international partners, expect to see.
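To make the privacy-by-design argument concrete, the following is an added example (not code from the article, from Zoho, or from any low-code platform) of the three mechanics the accountability duties above rest on: purpose-bound collection that discards fields a declared purpose does not need, a consent record that is checked before any processing, and a hash-chained audit log that can be verified when a regulator or partner asks what was done with a person's data. It also handles access and erasure requests from a single store. The purposes, field names, sample customer and the `retain` set for records kept under a separate legal obligation are all hypothetical; real retention duties depend on sector rules, not on this code.

```python
"""Added example of a privacy-by-design record store for a small data controller.
Purposes, fields and the sample customer below are hypothetical."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Hypothetical data-minimisation policy: the only fields each purpose may use.
PURPOSE_FIELDS: dict[str, set[str]] = {
    "credit_scoring": {"name", "phone", "monthly_income"},
    "marketing": {"name", "phone"},
}


class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one,
    so an edited or deleted entry is detected by verify()."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, subject_id: str, detail: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "subject": subject_id, "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PrivacyStore:
    """One store for personal data plus the consent recorded for each purpose."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self._data: dict[str, dict] = {}      # subject_id -> field -> value
        self._consent: dict[str, dict] = {}   # subject_id -> purpose -> granted

    def collect(self, subject_id: str, purpose: str, submitted: dict) -> dict:
        """Keep only the fields the declared purpose needs and log what was dropped."""
        allowed = PURPOSE_FIELDS[purpose]  # KeyError for an undeclared purpose is deliberate
        kept = {k: v for k, v in submitted.items() if k in allowed}
        self._data.setdefault(subject_id, {}).update(kept)
        self.audit.append("collect", subject_id, {"purpose": purpose, "kept": sorted(kept),
                                                  "dropped": sorted(set(submitted) - allowed)})
        return kept

    def set_consent(self, subject_id: str, purpose: str, granted: bool) -> None:
        self._consent.setdefault(subject_id, {})[purpose] = granted
        self.audit.append("consent", subject_id, {"purpose": purpose, "granted": granted})

    def process(self, subject_id: str, purpose: str) -> dict:
        """Return only the fields the purpose may use, and only if consent stands."""
        if not self._consent.get(subject_id, {}).get(purpose, False):
            self.audit.append("refused", subject_id, {"purpose": purpose})
            raise PermissionError(f"no consent from {subject_id} for {purpose}")
        view = {k: v for k, v in self._data.get(subject_id, {}).items()
                if k in PURPOSE_FIELDS[purpose]}
        self.audit.append("process", subject_id, {"purpose": purpose, "fields": sorted(view)})
        return view

    def access_request(self, subject_id: str) -> dict:
        """Right of access: everything held about the person, plus their consent record."""
        self.audit.append("access_request", subject_id, {})
        return {"data": dict(self._data.get(subject_id, {})),
                "consents": dict(self._consent.get(subject_id, {}))}

    def erasure_request(self, subject_id: str, retain: frozenset = frozenset()) -> dict:
        """Right to erasure. `retain` (hypothetical input) names fields the controller
        must keep under a separate legal obligation; everything else goes."""
        held = self._data.get(subject_id, {})
        result = {"erased": sorted(k for k in held if k not in retain),
                  "retained": sorted(set(held) & set(retain))}
        self._data[subject_id] = {k: v for k, v in held.items() if k in retain}
        self._consent.pop(subject_id, None)
        self.audit.append("erasure_request", subject_id, result)
        return result


def demo() -> dict:
    """Constructed walk-through on a fictional customer; returns values for checking."""
    log = AuditLog()
    store = PrivacyStore(log)
    kept = store.collect("cust-001", "credit_scoring",
                         {"name": "A. Customer", "phone": "+254700000000",
                          "monthly_income": 45000, "date_of_birth": "1990-01-01"})  # over-collected
    store.set_consent("cust-001", "credit_scoring", True)
    scored_on = store.process("cust-001", "credit_scoring")
    try:
        store.process("cust-001", "marketing")  # no consent recorded for this purpose
        refused = False
    except PermissionError:
        refused = True
    access = store.access_request("cust-001")
    erasure = store.erasure_request("cust-001", retain=frozenset({"name"}))
    return {"kept": kept, "scored_on": scored_on, "refused": refused, "access": access,
            "erasure": erasure, "entries": len(log.entries), "log_ok": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log is verifiable rather than merely present: anyone holding the entries can recompute the chain, which is what "demonstrate compliance on demand" needs in practice. Note that `collect` never stores the over-collected field, so there is nothing to erase or leak later, which is the point of minimising at the point of entry rather than cleaning up afterwards.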

Responsible AI starts with responsible data
As SMEs deploy artificial intelligence for customer segmentation, fraud detection and behavioural analysis, the DPA’s requirements apply directly to every model and every output. The challenge is that AI built on poorly governed or fragmented data is AI built on an unstable foundation, prone to producing outputs that cannot be explained, audited or defended. Kenya’s own National AI Strategy 2025 to 2030 makes this connection explicit, placing data privacy, cybersecurity and ethics at the core of the country’s AI ecosystem rather than treating them as constraints on it.

There is also a local relevance dimension worth building into any AI strategy. Global AI platforms, when properly configured and governed in accordance with the DPA, can be tuned to reflect Kenyan market realities: local languages, local transaction patterns, local consumer behaviours and local regulatory requirements.

Kenya’s DPA has given this country a six-year head start, and the window to capitalise on it is open now. As data-driven services become the norm rather than the exception, the businesses that will define Kenya’s next decade of digital growth will not be those that processed the most data, but the ones that processed it most responsibly.

By Veerakumar Natarajan, Country Head, Zoho Kenya
