Why cybersecurity and data protection are priorities
Corporate compliance is moving beyond financial controls, with cybersecurity and data protection now central to regulatory risk in the digital economy.
For decades, corporate compliance was defined by familiar priorities: anti-bribery and corruption controls, anti-money laundering systems and financial reporting safeguards. These remain essential. But they are no longer sufficient.
Across global markets, cybersecurity and data protection have emerged as among the most prominent compliance priorities, reflecting a deeper transformation in how regulatory risk is understood in a digital economy.
Recent surveys by firms such as PwC and EY consistently rank cybersecurity and data privacy among the top concerns for organisations. Regulatory analyses from Thomson Reuters similarly point to digital risk and regulatory complexity as defining themes shaping compliance planning in 2025 and beyond.
The implication is clear: digital risk is no longer a technical issue; it is a regulatory and governance priority.
A decade ago, a cyberattack might have been treated as an operational disruption. Today, it carries legal, financial and reputational consequences. Data breaches can trigger regulatory investigations, enforcement action and litigation.
In many jurisdictions, boards and senior executives are increasingly expected to demonstrate active oversight of digital systems and data governance frameworks.
Data surge
This shift is driven by the rapid digitisation of economic activity. Organisations now collect and process unprecedented volumes of personal and commercial data.
In response, regulators have expanded privacy frameworks, tightened cross-border data transfer requirements and increased disclosure obligations. Compliance, as a result, is no longer confined to domestic law. It increasingly requires alignment with global standards.
Kenya is not insulated from these developments. The Data Protection Act, 2019 established a comprehensive legal framework governing the processing of personal data. The Office of the Data Protection Commissioner has since required registration of data controllers and processors, issued compliance guidance and initiated enforcement action in cases of non-compliance. While enforcement capacity is still evolving, the direction of travel is clear.
In the financial sector, the Central Bank of Kenya has strengthened supervisory expectations around cybersecurity resilience and operational risk management, particularly in banking and digital lending. These developments align Kenya with broader global regulatory trends, even as compliance maturity varies across sectors.
AI frontier
As Kenya deepens its digital transformation, the strength of its cybersecurity culture and data governance systems will play a decisive role in shaping both public trust and economic resilience. Kenyan institutions must adapt accordingly.
At the same time, new risks are emerging. The adoption of the AI Act marks the first comprehensive attempt to regulate artificial intelligence through a risk-based model.
While Kenya has yet to introduce standalone AI legislation, the underlying principles of fairness, accountability and lawful data use are already embedded within existing legal frameworks.
As financial institutions, fintech platforms and technology firms increasingly deploy algorithmic systems, regulatory scrutiny in this area is likely to intensify.
None of this diminishes the importance of traditional compliance priorities. Anti-money laundering, anti-bribery and corruption controls remain central to Kenya’s regulatory landscape.
However, global evidence suggests that cybersecurity and data protection now command a more immediate and cross-cutting level of regulatory attention.
The implications are significant. A major cyber incident can disrupt operations, expose sensitive data and erode public confidence within hours. Data misuse can trigger scrutiny that extends beyond national borders, particularly for organisations operating regionally or internationally.
Weak digital controls are no longer just internal vulnerabilities; they are barriers to investment, partnerships and market expansion.
Strategic stakes
Kenya’s ambition to position itself as a regional leader in digital innovation, fintech development and mobile payments makes this shift especially consequential.
Investors and international partners increasingly assess cybersecurity resilience and data governance maturity as part of their risk evaluation. Strong frameworks enhance credibility. Weaknesses invite scrutiny.
The compliance agenda has evolved. It now extends beyond preventing financial misconduct to safeguarding digital infrastructure, protecting personal data and ensuring responsible use of emerging technologies.
This is not a temporary trend. It reflects a fundamental redefinition of accountability in a digital economy.
The writer is the Director, Compliance, at Diamond Trust Bank (DTB).