Skip links

Data Literacy and Data Protection Registration: – The Eight (8) Key Requirements


Njoki Kimemia

Legal & Data Protection Associate

South-End Tech Limited

Date: July 19, 2023

  1. Data Literacy

Data Protection compliance begins with a general awareness of Data Protection before registration with the Office of Data Protection (ODPC) in Kenya. Data Protection is emerging as a requirement for strengthening a brand image and serves as a competitive differentiator.  The ODPC Kenya has set in motion a nationwide awareness campaign for Data Subjects, Data Controllers, and Data Processors to be aware of the benefits of keeping personal data safe for business and data subjects. 

Data Protection compliance does not stop at registration as construed by entities already registered with the ODPC. Employing data literacy can strengthen your data protection efforts even further. Today, Data literacy happens through periodic training and awareness campaigns. To some, it is a nerve recking exercise that takes away their valuable time while to others, they view it as a challenge and learning opportunity.

Gartner® defines data literacy as the ability to read, write and communicate data in context, including an understanding of data sources and constructs, analytical methods and techniques applied, and the ability to describe the use-case application and resulting value. Data literacy is also defined as the ability to access, manage, understand, integrate, communicate, evaluate, and create information safely and appropriately through data devices and networked technologies for participation in economic and social life. It includes competencies that are variously referred to as computer literacy, ICT literacy, information literacy, and media literacy.

When data literacy is at the heart of an organization, employees are better prepared to execute data-driven decisions. This is because most data and security breaches occur internally based on the fact that, some employees who might not know how to process different types of data may inadvertently expose crucial information. To help protect data and address data protection laws, put data literacy at the core of the business.  So how then do we foster a culture of data literacy?

  1. Having the right policies. This would include drafting new ones if there are not there or reviewing current ones to be more aligned with the act and subsidiary legislations. Policies especially a Data Protection Policy is a game-changer for enhanced data protection and general awareness around data use.
  • Having the right implementation team. Key leadership roles, such as the Chief Privacy Officer (CPO), Chief Information Officer (CIO), Chief Information Security Officer (CISO), and Chief Data Protection Officer (CDPO), should be unified on an approach to compliance and privacy so that it is centralized across the business. While each has a distinct mission concerning the organization as a whole, an alignment of strategy between these offices can help advance an overall goal of data literacy and a unified data strategy that enhances data protection.
  • Awareness among staff. Continuous awareness training supported by senior leadership and aligned around common principles and practices can help achieve data literacy in an organization.

Data illiteracy poses a significant threat to business especially if the businesses are not willing to invest in training their staff. Therefore, businesses should improve on Data literacy to avoid compliance issues that will consequently affect their brand image. Remember, ignorance is not a defense.

  • Registration with the Office of the Data Protection Commissioner (ODPC) Kenya

As part of the registration process, the law requires entities to organize for and provide the documents described below to facilitate the registration:

  1. A copy of establishment documents;
  2. particulars of the data controllers or processors including name and contact details;
  3. Description of the purpose for which personal data is processed E.g. for payroll, invoicing, Know Your Customer (KYC), registration, etc.
  4. Description of categories of personal data processed e.g. name, address, and Identification number;
  5. Description of categories of data subjects e.g. employee, client, students, supplier, shareholder
  6. Recipient (s) to whom personal data is (are) disclosed e.g. KRA, CBK among other requirements as per the regulations.
  7. The previous annual turnover/revenue of the entity seeking to be registered.
  8. Technical measures in place for the protection of personal data by identifying risks to personal data (E.g. unauthorized access/disclosure, theft, etc.) and putting Safeguards, security measures, and mechanisms implemented to protect personal data (E.g. Access control, visitors’ logbook, privacy policy, information security policy, etc.)
  • Policies and Templates for Data Protection

After registration, the following reference policies and templates are mandatory for Data Protection Compliance.

  1. Data Protection Policy
  2. Data Privacy Policy
  3. Data Retention/Destruction Policy
  4. Privacy Notice Statement
  5. Opt-In & Opt-Out Forms
  6. Breach Notification Letter Template
  7. Record of Processing Activities Template
  8. Data-sharing agreements with third parties (if applicable)
  9. Data Protection Officer

Contact South-End Tech Ltd for your Cybersecurity Solutions, Data Protection Legal & Technical Support at +254115867309 or +254728223333


This website uses cookies to improve your web experience. Privacy Policy