On 7th April 2021, the Task Force on Development of Data Protection General Regulations tabled draft data protection regulations before the Cabinet Secretary, Ministry of ICT, Innovation and Youth Affairs, Joe Mucheru. In addition, the Data Protection Commissioner published the draft Regulations on its website, paving the way for public consultation.
The published draft regulations are threefold:
- The Data Protection General Regulations, 2021: These regulations provide guidance on the following matters:
  - how to facilitate the rights of data subjects
  - obligations of data controllers and data processors
  - elements for implementing data protection by design or by default
  - notification of personal data breaches
  - transfer of personal data outside Kenya
  - conduct of data protection impact assessments
  - provisions on exemptions under the Data Protection Act, 2019
  - compounding of offences
  - enforcement
- The Data Protection (Compliance and Enforcement) Regulations 2021: These regulations deal with complaint handling and enforcement procedures under the Act.
- The Data Protection (Registration of Data Controllers and Processors) Regulations 2021: These regulations outline the requirements and process for registration of data controllers and data processors. They also outline thresholds for registration as a data controller or processor.
The Data Protection Commissioner has also published a notice calling for comments and inviting members of the public to participate in the consultation on the draft regulations. The notice states that there will be virtual public meetings from 27th to 29th April 2021 to receive comments or views from the public.
Once the public participation process is concluded, the regulations are expected to become law. Evidently, they will provide much-needed guidance on the implementation of the Data Protection Act, 2019.