1. The CRUX of Data Protection & Privacy Engineering
Dissecting the Kenya Data Protection Act: Key Definitions
Laying out all the steps required to reach a desired level of compliance
Douglas Nderitu, Privacy Engineer
douglasnderitu@yahoo.com
2. Data Protection terms you need to know
1 Personal Data
2 Data Subject
3 Processing
4 Data Controller
5 Data Processor
6 Personal Data Breach
7 Lawful Basis
8 Individual Rights
3. DEFINITIONS
A walkthrough of the common terms in the Kenya Data Protection Act (2019)
01 Personal data: This is any information that relates to an identified or identifiable natural person. It means any and all information that identifies you as a data subject.
02 Data subject: A living individual who can be identified from personal data (an identifiable individual).
4. 03 Processing: Any operations performed on personal data, e.g. collection, storage, transmission, alteration, erasure, destruction, etc.
04 Data Controller: The entity that determines the purpose and means of processing personal data.
05 Data Processor: The entity which processes personal data on behalf of the data controller.
5. 06 Personal data breach: Breach of security leading to the loss, accidental or unlawful destruction, alteration, damage or unauthorized disclosure of personal data.
07 Lawful basis: This is the reason or legal grounds you can rely on to process personal data.
08 Individual rights: These are the rights data subjects have, and can exercise, over the personal data in custody of a data controller.
6. 09 Sensitive personal data: These are special categories of personal data such as biometric data, health status, race, etc. that must be treated with extra security.
10 Office of Data Protection Commissioner: The body set up to uphold personal data rights in Kenya. It will oversee the implementation and be responsible for the enforcement of this Act.
11 Registration: The Data Commissioner shall prescribe thresholds for mandatory registration of Controllers and Processors.
7. 12 Data Protection Officer: An individual who ensures that the Data Controller processes personal data in compliance with the Data Protection Act (2019).
13 Data Protection Act (2019): An Act of Parliament that regulates the processing of personal data and provides for the rights of data subjects and the obligations of Controllers and Processors.