Why hacks are no excuse for privacy breach

Social media breaches put Kenyans’ data at risk, pushing companies to strengthen protection amid stricter laws and fines.


For many Kenyans, messaging companies on social media has become the quickest way to get help. But what happens when those official accounts are hacked and personal information, from phone numbers to financial details, falls into the wrong hands?

“Companies are required to implement appropriate technical and organisational safeguards, maintain data retention schedules, and ensure personal data is deleted or anonymised once the lawful purpose has expired. In the event of a breach involving social media DMs, companies must notify the Office of the Data Protection Commissioner (ODPC) within 72 hours,” says Catherine Kamau, Partner and Head of Data Privacy, Tech & Corporate Governance at Ashitiva Advocates LLP, Nairobi.

Legally, companies can be held liable for breaches even when their accounts are hacked. “Liability depends on whether the company exercised due diligence,” Ms Kamau explains. “If a breach results from inadequate security measures, the company may face penalties. Liability may be mitigated if the company can show it implemented industry-standard security measures and promptly notified affected individuals and the ODPC.”

In 2024, Perpetual Wanjiku vs Casa Vera Lounge resulted in a Sh1.8 million fine for posting customer photos on social media without consent.

Similarly, OPPO Kenya was fined Sh5 million in December 2022 for using a customer photo on Instagram without permission and failing to comply with an ODPC enforcement notice.

While organisations must comply with the law, users also have a role in protecting their data. Ms Kamau advises: “Stop sharing personal information immediately if you suspect an account has been compromised. Inform the company through alternative channels, change passwords, and monitor accounts for suspicious activity. Sensitive information like passwords, ID numbers, OTPs, or bank details should never be shared through social media DMs. Only share information via verified, secure channels.”

To reduce risks, companies are encouraged to educate customers about safe data sharing, give clear instructions on what information they will never request via social media, publish accessible privacy notices, and deploy technical safeguards such as multi-factor authentication, encryption, and incident-response plans.

Ms Kamau notes that most Kenyans are unaware of their rights under the Data Protection Act, how to give or withdraw consent, or how to lodge complaints when breaches occur. Limited outreach, high illiteracy levels, and competing socio-economic priorities exacerbate the problem.

“Organisations must treat data protection as a strategic issue,” Ms Kamau says. “They should create accountability structures, conduct staff training, develop policies and procedures, carry out audits, appoint qualified data protection officers, and embed a culture of data privacy within the organisation.”

Cynthia Seeyian, a Data Privacy and Governance Society of Kenya member and lawyer at McKay Advocates & Company LLP, adds: “Under Kenyan law, companies that collect or process personal data through social media DMs must comply with core data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability.”

With Kenya poised for changes under the Draft Data Protection (Amendment) Bill, 2025, organisations are expected to strengthen compliance, particularly in areas such as automated decision-making, profiling, and processing of sensitive data.

Ms Seeyian emphasises that boards and executives must treat data protection as a strategic priority: appoint data protection officers, conduct regular audits, integrate privacy by design, and ensure enterprise-wide accountability to safeguard personal data.
