Data Protection Act, 2019 · ODPC Compliance

Technology law counsel for a data-driven Kenya.

We advise fintechs, platforms, and data controllers and processors on registration with the Office of the Data Protection Commissioner, cross-border transfer, and the compliance obligations that come with handling personal data at scale.

DPA 2019 · Core Framework
ODPC · Registration & Audits
DPIA · Impact Assessments
Compliance Snapshot

Obligations most Kenyan data handlers underestimate

  • 01 Registering as a data controller or processor with the ODPC before processing personal data at scale.
  • 02 Running a Data Protection Impact Assessment before high-risk processing, including biometric and financial data.
  • 03 Meeting adequacy or contractual safeguards before transferring personal data outside Kenya.
  • 04 Notifying the Commissioner within 72 hours of becoming aware of a personal data breach, and communicating it to affected data subjects where there is a real risk of harm to them.
Legal, compliance, and technical services under one roof — built around the Data Protection Act, 2019.
About the Firm

Counsel built for Kenya's data economy

Muchangi Patrick & Co. Advocates is a Nairobi-based technology law practice focused on data protection, privacy, and digital regulatory compliance. We work with founders, in-house counsel, and compliance teams who need law explained in terms their engineering and product teams can act on.

Our practice sits squarely under the Data Protection Act, 2019 and its regulations, and extends to the cross-border questions Kenyan companies face when their users, vendors, or servers sit outside the country — including GDPR exposure for firms handling EU personal data.

  • ODPC registration & renewals
  • Data protection impact assessments
  • Cross-border transfer agreements
  • Breach response & notification
  • Privacy policies & consent design
  • Regulatory investigations & disputes
Practice Areas

Where clients bring us in

Each engagement maps to a specific compliance obligation under Kenyan and, where relevant, international data protection law.

Registration

ODPC Registration & Renewal

Determining whether you register as a controller, processor, or both — and managing the filing, category classification, and annual renewal.

Assessment

Data Protection Impact Assessments

Structured DPIAs for high-risk processing: biometric identity checks, credit scoring, geolocation, and large-scale profiling.

Transfer

Cross-Border Data Transfer

Adequacy analysis, standard contractual clauses, and vendor agreements for data leaving Kenya, including workloads hosted on AWS or other cloud providers in EU or US regions.

Incident

Breach Response & Notification

Rapid-response counsel when a breach occurs: containment advice, Commissioner notification, and communication to affected data subjects.

Governance

Privacy Policies & Consent Design

Drafting privacy notices, consent flows, and internal data handling policies that hold up to regulatory scrutiny and actually get read.

Disputes

Regulatory Investigations

Representation before the Office of the Data Protection Commissioner and in data-related civil litigation.

How We Work

From audit to registration

A typical compliance engagement moves through four stages — timelines vary with the scale of processing involved.

Stage 01–02 in practice: mapping data flows and reviewing forensic audit findings against the DPA Kenya framework.
Stage 01

Data Mapping & Gap Audit

We inventory what personal data you collect, where it lives, who touches it, and where your current practices fall short of the Data Protection Act.

Stage 02

Risk Assessment

High-risk processing activities are flagged for a formal DPIA; everything else is prioritised against ODPC enforcement patterns.

Stage 03

Registration & Documentation

We prepare and file ODPC registration, draft or revise your privacy policy, and put data processing agreements in place with vendors.

Stage 04

Ongoing Compliance

Annual renewals, breach-readiness reviews, and standing counsel as your product or data footprint changes.

Who We Advise

Sectors we work in

Personal data obligations look different depending on what you collect and why.

Fintech & Digital Lending

KYC data, credit scoring, and mobile money compliance.

Startups & SaaS

Privacy-by-design for products scaling across borders.

Health-Tech

Sensitive personal data and heightened consent requirements.

E-Commerce & Retail

Customer data, marketing consent, and payment information.

Banking & Insurance

Large-scale data processing under sectoral regulation.

Cloud & Infrastructure

Processor obligations and data hosting arrangements.

HR & Employment Platforms

Employee data, background checks, and workplace monitoring.

EdTech

Data on minors and the added duty of care it requires.

A statutory compliance workshop — mapping obligations across IT, marketing, finance, and HR to reduce ODPC penalty exposure.
Client Feedback

What clients say

"They translated the Data Protection Act into a checklist our engineering team could actually implement, instead of a document that sat in a drawer."

Operations Lead
Fintech, Nairobi

"Our ODPC registration and DPIA were handled end-to-end, with clear timelines at every step."

Founder
Health-Tech Startup

"Responsive during a live incident, and thorough with the notification process afterward."

Head of Compliance
E-Commerce Platform

Illustrative client feedback — replace with verified quotes and attributions before publishing.

Insights

Recent writing

2026 · 06 · Registration · What ODPC registration actually requires of a Kenyan fintech
2026 · 05 · Transfer · Cross-border transfer: when your data leaves Kenya without you realising it
2026 · 04 · Incident · Building a breach response plan before you need one
Get In Touch

Book a consultation

Tell us about your data processing activities and we'll get back to you with next steps — usually within one business day.

Nairobi, Kenya
# dataprivacyadvoates.co.ke — Website

A single-file, dependency-light site for Muchangi Patrick & Co. Advocates. No build step — it's one `index.html` plus a `CNAME` file for GitHub Pages.

## Before you publish — replace these placeholders

- **Testimonials** — currently illustrative. Swap in real, attributed client quotes (with permission) or remove the section.
- **Stats / claims** — the hero and about copy avoid invented numbers (years of practice, case counts, client counts) on purpose. Add real figures once you have them.
- **Google Analytics** — none is wired in yet. Add your GA4 snippet or a privacy-respecting alternative (Plausible, Fathom) once you have a measurement ID. Whatever you pick is a tracker on a data protection firm's own site: name it in the privacy notice, and if it sets cookies or profiles visitors, load it only after consent.
- **Contact form** — the form currently only shows a browser alert on submit (see the deployment note below on wiring it up for real).
- **Legal disclaimers** — Kenyan advocates are subject to LSK advertising rules; have a partner review final copy (especially the "who we advise" and service claims) before it goes live.

## Deploy on GitHub Pages

1. Create a new GitHub repo (e.g. `dataprivacyadvocates-site`) and push `index.html`, `CNAME`, and the `assets/` folder (the crest, logo, and photos) to the `main` branch (root, not a subfolder). Keep the folder structure as-is so the image paths resolve.
2. In the repo: **Settings → Pages → Build and deployment → Source: Deploy from a branch**, branch `main`, folder `/ (root)`.
3. Under **Settings → Pages → Custom domain**, enter `www.dataprivacyadvoates.co.ke` and save (this matches the `CNAME` file already in the repo). Wait for the DNS check to pass, then tick **Enforce HTTPS**.

## Point Cloudflare DNS at GitHub Pages

In the Cloudflare dashboard for `dataprivacyadvoates.co.ke`, under **DNS → Records**, add:

| Type  | Name | Content                | Proxy status |
|-------|------|------------------------|--------------|
| CNAME | www  | `<username>.github.io` | Proxied      |
| A     | @    | 185.199.108.153        | Proxied      |
| A     | @    | 185.199.109.153        | Proxied      |
| A     | @    | 185.199.110.153        | Proxied      |
| A     | @    | 185.199.111.153        | Proxied      |

`<username>` is the GitHub account or organisation that owns the repo. The four A records point the bare domain at GitHub's Pages IPs; the CNAME handles `www`. Add a redirect rule in Cloudflare so the bare domain forwards to `https://www.dataprivacyadvoates.co.ke` if you want one canonical URL.

Set Cloudflare's SSL/TLS mode to **Full (strict)**, not **Flexible**. Flexible makes Cloudflare fetch the origin over plain HTTP; GitHub Pages with Enforce HTTPS answers with a redirect back to HTTPS, and the two loop. Full (strict) additionally has Cloudflare verify the certificate GitHub issues for the custom domain. If GitHub's DNS check or certificate issuance stalls behind the proxy, switch the records to DNS only until it completes, then re-enable the proxy.

## Setting up email on the same domain

GitHub Pages only serves the website; it doesn't handle `@dataprivacyadvoates.co.ke` email. Since Cloudflare is already your DNS host, the simplest options:

- **Cloudflare Email Routing** (free) — forwards `info@dataprivacyadvoates.co.ke` to an existing inbox (e.g. Gmail). Good for receiving mail; you'll still send from the forwarding address unless you pair it with a "send as" alias in Gmail.
- **Google Workspace or Microsoft 365** (paid) — gives you a real mailbox at the domain, calendar, etc. You'll add their MX, SPF, and DKIM records in Cloudflare DNS alongside the records above.

Either way, publish an **SPF** TXT record that lists only the services that actually send as the domain and ends in `-all` (or `~all`), and, once you have a provider, **DKIM** plus a **DMARC** record at `_dmarc.dataprivacyadvoates.co.ke` (start at `p=none` to collect reports, then move to `p=quarantine` or `p=reject`). Without these, anyone can send mail that appears to come from the firm, which matters more than usual for a firm whose own service is data protection compliance.

## Wiring up the contact form

GitHub Pages can't run server code, so the form needs an external handler. Two low-effort options:

- **Formspree** or **Getform** — point the form's `action` at the endpoint they give you, no backend required. The handler then receives every enquiry (names, email addresses, and whatever a prospective client writes about their processing) as a processor, usually on servers outside Kenya, so treat it as the same cross-border transfer and vendor arrangement the firm advises clients on: check its data processing terms and name it in the site's privacy notice.
- **Cloudflare Pages Functions** — if you move hosting from GitHub Pages to Cloudflare Pages instead, you can write a small function to email submissions directly, keeping everything in one platform.
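A check for the DNS and email sections above, added here as an example and not part of the site or its README: it audits the records the README asks for (GitHub's four apex A records, the `www` CNAME, MX, SPF, DMARC) and reports anything that leaves the domain mis-routed or spoofable. The GitHub Pages check takes the values you configured in the Cloudflare dashboard, because proxied records show Cloudflare's edge addresses publicly and cannot be checked from outside; the mail checks also run against live records (`node dns-audit.js dataprivacyadvoates.co.ke`). The GitHub username, report address, and Email Routing host names in the samples are placeholders; compare the MX/SPF values with what your own dashboard shows.

```javascript
// Added example (not the site's code): audit the DNS posture described in the
// README. Functions take record values you can paste from `dig`; live mode
// at the bottom resolves the mail records with Node's dns module.

// GitHub Pages' apex IPs, as listed in GitHub's custom-domain documentation.
const GITHUB_PAGES_A = [
  '185.199.108.153', '185.199.109.153', '185.199.110.153', '185.199.111.153',
];

// Records configured for GitHub Pages: the apex must carry exactly GitHub's
// four A records and www must be a CNAME to <username>.github.io.
function auditPagesRecords({ apexA = [], wwwCname = '' }) {
  const findings = [];
  if ([...apexA].sort().join(',') !== [...GITHUB_PAGES_A].sort().join(',')) {
    findings.push(`apex A records are [${apexA.join(', ')}]; expected GitHub Pages' four IPs`);
  }
  if (!/\.github\.io\.?$/.test(wwwCname)) {
    findings.push(`www CNAME is "${wwwCname || '(missing)'}"; expected <username>.github.io`);
  }
  return findings;
}

// Evaluate an SPF TXT value. Returns findings (empty means fine).
function auditSpf(txt) {
  if (!txt) return ['no SPF record: any server may send mail as this domain'];
  const terms = txt.trim().split(/\s+/);
  if (terms[0] !== 'v=spf1') return ['SPF record does not start with v=spf1'];
  const findings = [];
  const all = terms.find((t) => /^[+~?-]?all$/.test(t));
  if (!all) findings.push('SPF has no terminal "all" term');
  else if (all === 'all' || all === '+all') findings.push('SPF ends in +all, which authorises every sender');
  else if (all === '?all') findings.push('SPF ends in ?all (neutral), so receivers will not reject spoofed mail');
  // RFC 7208 section 4.6.4: terms that trigger DNS lookups are limited to 10.
  const lookups = terms.filter((t) => /^[+~?-]?(include|a|mx|ptr|exists)(:|$)/.test(t) || /^redirect=/.test(t)).length;
  if (lookups > 10) findings.push(`SPF needs ${lookups} DNS lookups; receivers stop after 10 and return permerror`);
  return findings;
}

// Evaluate a DMARC TXT value (published at _dmarc.<domain>).
function auditDmarc(txt) {
  if (!txt) return ['no DMARC record: receivers have no policy for messages that fail SPF/DKIM'];
  const tags = Object.fromEntries(
    txt.split(';').map((s) => s.trim()).filter((s) => s.includes('='))
      .map((kv) => { const i = kv.indexOf('='); return [kv.slice(0, i).trim(), kv.slice(i + 1).trim()]; }),
  );
  const findings = [];
  if (tags.v !== 'DMARC1') findings.push('DMARC record must start with v=DMARC1');
  if (!tags.p) findings.push('DMARC has no p= policy tag');
  else if (tags.p === 'none') findings.push('DMARC policy is p=none (monitor only); move to quarantine or reject once reports look clean');
  if (!tags.rua) findings.push('DMARC has no rua= address, so you will get no aggregate reports');
  return findings;
}

function auditMail({ mx = [], spf = '', dmarc = '' }) {
  return [
    ...(mx.length ? [] : ['no MX records: the domain cannot receive mail']),
    ...auditSpf(spf),
    ...auditDmarc(dmarc),
  ];
}

// Everything together: returns { ok, findings }.
function auditDomain(records) {
  const findings = [...auditPagesRecords(records), ...auditMail(records)];
  return { ok: findings.length === 0, findings };
}

// Constructed sample of what the README's steps should produce (placeholder
// username, report address, and Email Routing hosts).
const SAMPLE_GOOD = {
  apexA: GITHUB_PAGES_A,
  wwwCname: 'example-user.github.io',
  mx: ['route1.mx.cloudflare.net', 'route2.mx.cloudflare.net'],
  spf: 'v=spf1 include:_spf.mx.cloudflare.net -all',
  dmarc: 'v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com',
};

// Constructed sample of a half-finished setup: two of the four apex IPs,
// a neutral SPF, and no DMARC record at all.
const SAMPLE_WEAK = {
  apexA: ['185.199.108.153', '185.199.109.153'],
  wwwCname: 'example-user.github.io',
  mx: ['route1.mx.cloudflare.net'],
  spf: 'v=spf1 include:_spf.mx.cloudflare.net ?all',
  dmarc: '',
};

// Live mode for the mail records (TXT and MX are never proxied by Cloudflare).
async function resolveMailRecords(domain) {
  const { promises: dns } = await import('node:dns');
  const quiet = async (p) => { try { return await p; } catch { return []; } };
  const txt = async (name) => (await quiet(dns.resolveTxt(name))).map((parts) => parts.join(''));
  return {
    mx: (await quiet(dns.resolveMx(domain))).map((m) => m.exchange),
    spf: (await txt(domain)).find((t) => t.startsWith('v=spf1')) || '',
    dmarc: (await txt(`_dmarc.${domain}`)).find((t) => t.startsWith('v=DMARC1')) || '',
  };
}

if (process.argv[2]) {
  resolveMailRecords(process.argv[2]).then((r) => {
    const findings = auditMail(r);
    console.log(findings.length ? findings.join('\n') : 'mail records look good');
    process.exitCode = findings.length ? 1 : 0;
  });
}
```

Run it once after the records go in and again whenever a mail provider is added, since each new sender needs an SPF term and the lookup budget is easy to exhaust with stacked `include:` entries.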
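For the Cloudflare Pages Functions option above, the following is an added example of the "small function" and not the site's own code: a handler for `functions/api/contact.js` (served at `/api/contact`) that accepts the consultation form, restricts posts to the site's own origin, caps the body, validates and trims every field, drops anything the form did not define, discards bot posts caught by a honeypot field, and hands the cleaned fields to a delivery step without logging them. `ALLOWED_ORIGIN`, `MAIL_API_URL`, `MAIL_API_TOKEN`, and `CONTACT_TO` are environment variable names chosen for this example, and the JSON the delivery step posts is a placeholder shape to adapt to whichever transactional email API you use.

```javascript
// Added example (not the site's code): Cloudflare Pages Function for the
// consultation form. Runtime: Workers/Pages (Request, Response, fetch are
// globals); the same globals exist in Node 18+, which is how it is tested.

const MAX_BODY_CHARS = 8 * 1024;   // a consultation request never needs more
const FIELD_LIMITS = { name: 120, email: 254, organisation: 120, message: 4000 };
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate parsed form fields. Returns { ok, spam, errors, clean }; fields not
// listed in FIELD_LIMITS are dropped. "website" is a hidden honeypot input
// that real visitors never see, so anything in it marks the post as a bot.
function validateSubmission(fields) {
  if (fields.website) return { ok: false, spam: true, errors: [], clean: {} };
  const errors = [];
  const clean = {};
  for (const [name, max] of Object.entries(FIELD_LIMITS)) {
    const value = String(fields[name] ?? '').trim();
    if (value.length > max) errors.push(`${name} exceeds ${max} characters`);
    clean[name] = value;
  }
  if (!clean.name) errors.push('name is required');
  if (!EMAIL_RE.test(clean.email)) errors.push('a valid email address is required');
  if (!clean.message) errors.push('message is required');
  return { ok: errors.length === 0, spam: false, errors, clean };
}

// Core handler, kept separate from the Pages entry point so the delivery step
// can be swapped out (and exercised without network access).
async function handleContact(request, env, deliver) {
  // Same-origin posts only; otherwise any site could relay mail via this URL.
  const origin = request.headers.get('Origin') || '';
  if (!env.ALLOWED_ORIGIN || origin !== env.ALLOWED_ORIGIN) {
    return new Response('forbidden', { status: 403 });
  }
  const contentType = request.headers.get('Content-Type') || '';
  if (!contentType.startsWith('application/x-www-form-urlencoded')) {
    return new Response('unsupported media type', { status: 415 });
  }
  // Read and cap the body ourselves; Content-Length is whatever the client says.
  const text = await request.text();
  if (text.length > MAX_BODY_CHARS) return new Response('payload too large', { status: 413 });

  const { ok, spam, errors, clean } = validateSubmission(Object.fromEntries(new URLSearchParams(text)));
  if (spam) return new Response('thanks', { status: 200 });   // give bots nothing to learn from
  if (!ok) {
    return new Response(JSON.stringify({ errors }), {
      status: 400, headers: { 'Content-Type': 'application/json' },
    });
  }
  await deliver(clean);
  // Nothing from `clean` is logged: an enquiry to a data protection firm is
  // personal data, and function logs are not a place to keep it.
  return new Response('thanks', { status: 200 });
}

// Delivery step: POST the cleaned fields to the configured mail API
// (placeholder URL, token, and payload shape).
function deliverViaMailApi(env) {
  return async (clean) => {
    const res = await fetch(env.MAIL_API_URL, {
      method: 'POST',
      headers: { Authorization: `Bearer ${env.MAIL_API_TOKEN}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ to: env.CONTACT_TO, subject: 'Consultation request', ...clean }),
    });
    if (!res.ok) throw new Error(`mail API returned ${res.status}`);
  };
}

// Pages Functions entry point: add `export` in front of it in contact.js.
async function onRequestPost({ request, env }) {
  try {
    return await handleContact(request, env, deliverViaMailApi(env));
  } catch {
    // Do not echo the provider error to the visitor; it may leak configuration.
    return new Response('could not send, please email us directly', { status: 502 });
  }
}
```

In `index.html`, replace the alert with `<form method="post" action="/api/contact">`, add a hidden `<input name="website" tabindex="-1" autocomplete="off">` positioned off-screen as the honeypot, and set the four variables under the Pages project's environment settings with `ALLOWED_ORIGIN` as `https://www.dataprivacyadvoates.co.ke`. The mail API you configure is still a processor receiving the enquiry, so the same vendor-agreement and privacy-notice points as for Formspree apply.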