Kenya stands at a critical juncture in its digital evolution. The enactment of the Data Protection Act 2019 was a bold and necessary step, aligning the country with global standards set by frameworks such as Europe’s GDPR.
Yet, as is increasingly evident, passing a law is one thing; embedding it into everyday institutional practice is quite another.
Nowhere is this problem more visible, and more consequential, than in public and private institutions.
Globally, data protection has shifted from a technical or legal concern into a fundamental issue of human rights, trust and institutional accountability. From social media giants in the US to public institutions in Europe, breaches of personal data, and especially misuse of images, have resulted in regulatory penalties and reputational crises.
The lesson is clear: data protection is no longer optional or peripheral, but a strategic focus area central to governance in the digital age.
Kenya is not insulated from these global trends. Recent legal cases and regulatory actions suggest that the country is entering a more assertive enforcement phase. Organisations have been fined millions of shillings for unauthorised use of images, and courts have consistently emphasised that consent must be explicit, informed and documented, indicating that the era of implied consent is over.
Many Kenyan institutions across sectors appear stuck in an old tradition of data handling, a tradition that still relies on implied consent.
So, what must change?
First, institutions must move beyond symbolic compliance. It is no longer enough to have a policy document gathering dust on a shelf. Compliance must be implemented.
Second, investment in training is non-negotiable. Staff, particularly those in communication, marketing, customer engagement and digital roles, need targeted, practical training that goes beyond legal jargon.
Third, institutional leadership must take ownership. Data protection cannot be delegated entirely to a Data Protection Officer, assuming one even exists. It requires a cultural shift, driven from the top, where privacy is recognised as a core value rather than a regulatory burden.
Institutions across sectors must lead this transition. If they fail, they risk not only legal penalties but also erosion of public confidence. But if they succeed, they can set a standard for responsible data governance in Kenya and the rest of Africa.
The writer is a communication practitioner - Multimedia University of Kenya.
Unlock a world of exclusive content today!Unlock a world of exclusive content today!
