Many small business owners in Kenya believe the Data Protection Act (2019) only applies to tech giants or banks. This is a dangerous misconception. In recent months, the Office of the Data Protection Commissioner (ODPC) has issued fines to schools, clubs, and small digital lenders for privacy violations.
If you collect names, phone numbers, or ID numbers from your customers, you are a Data Controller, and the law applies to you.
Common Offenses Small Businesses Commit
- Unsolicited SMS Marketing: You cannot take a customer's phone number from M-Pesa records and start sending them "Happy Hour" or "Discount" texts without their explicit consent. This is the #1 reason for fines.
- CCTV Cameras: If you have CCTV in your shop or office, you must display a clear sign saying "CCTV in Operation." Recording people without notice is a violation.
- Sharing Data: You cannot sell or give your client list to another business.
How to Be Compliant (The Basics)
You don't need a complex system, but you do need these three things:
- Registration: You must register with the ODPC as a Data Controller. The fee is minimal for small businesses.
- Consent Forms: Before you take a client's details, have them tick a box or sign a form saying: "I consent to my data being used for..."
- Privacy Policy: Have a simple policy (even a one-pager) explaining what data you collect and how long you keep it.
The Penalties
The ODPC can fine businesses up to Ksh 5 million or 1% of their annual turnover. For a small business, this can be fatal.
Need a Data Privacy Audit?
Wanyoike & Partners can draft your Privacy Policy and Consent Forms to keep you on the right side of the law.