
KENYA

Data Protection Laws of the World

Introduction
Welcome to the 2025 edition of DLA Piper's Data Protection Laws of the
World Handbook. Since the launch of our first edition in 2012, this
comprehensive guide has been a trusted resource for navigating the
complex landscape of privacy and data protection laws worldwide. Now in
its fourteenth edition, the Handbook has grown to provide an extensive
overview of key privacy and data protection regulations across more than
160 jurisdictions. In 2025, the global landscape of data protection and
privacy law continues to evolve at an unprecedented pace. With new
legislation emerging in jurisdictions around the world, businesses face a
growing need to stay informed and agile in adapting to these changes.
This year promises to bring new developments and challenges, making the
Handbook an invaluable tool for staying ahead in this ever-changing field.

Europe

Established data protection laws in Europe continue to evolve through active regulatory guidance and enforcement action. In the United Kingdom, the UK government has proposed reforms to data protection and e-privacy laws through the new Data (Use and Access) Bill (“DUAB”). The DUAB follows the previous government’s unsuccessful attempts to reform these laws post-Brexit, which led to the abandonment of the Data Protection and Digital Information (No.2) Bill (“DPDI Bill”), in the run-up to the general election. Although the DUAB comes with some bold statements from the government that it will “unlock the power of data to grow the economy and improve people’s lives”, the proposals represent incremental reform, rather than radical change.

United States
In the United States, legislation on the federal and in particular state level
continues to evolve at a rapid pace. Currently, the US has fourteen states
with comprehensive data privacy laws in effect and six state laws will take
effect in 2025 and early 2026. Additionally, at the federal level, the new
administration has signaled a shift in enforcement priorities concerning
data privacy. Notably, there is a renewed focus on the regulation of
artificial intelligence (AI), with an emphasis on steering away from
regulation and promoting innovation. This includes the revocation of
previous executive orders related to AI and the implementation of new
directives to guide AI development and use.

In the realm of children's privacy, many of the new administration's supporters in Congress have indicated a desire to make the protection of children on social media a top priority, and new leadership at the Federal Trade Commission (FTC) appears aligned on this goal, albeit with a willingness to take another look at the recently adopted amendments to the Children's Online Privacy Protection Act (COPPA) Rule. Health data privacy remains a critical concern, with a handful of states following Washington state's lead in enhancing or adopting health data privacy laws. On the international data transfer front, Executive Order (E.O.) 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” as supplemented by the DOJ’s final Rule will impact companies transferring data into certain jurisdictions, such as China, Iran and Russia. Another area of focus for companies with an EU presence will be the Trump administration's approach to the Privacy and Civil Liberties Oversight Board, as it is a critical pillar of the EU/UK/Swiss-US Data Privacy Framework.

DATA PROTECTION LAWS OF THE WORLD | DLAPIPERDATAPROTECTION.COM 2

Asia, the Middle East, and Africa


Nowhere is the data protection landscape changing faster – and more fundamentally – than in Asia, with new laws in India, Indonesia, Australia and Saudi Arabia, as well as continued new data laws and regulations in China and Vietnam. The ever-evolving data laws, as well as the trend towards regulating broader data categories (beyond personal data), in these regions continue to raise compliance challenges for multi-national businesses.

Emerging trends in data governance


Unlocking data, regulating the relentless advance of AI, creating fairer digital markets and safeguarding critical infrastructure against the ever-growing cyber threat continue to impact and overlap with the world of data protection and privacy. Perhaps most notably, the EU has introduced a raft of new laws forming part of its ambitious digital decade, which will bring huge change to businesses operating within the EU. With the rapid adoption of artificial intelligence enabled solutions and functionality, data protection supervisory authorities have been closely scrutinising the operation of AI technologies and their alignment with privacy and data protection laws. For businesses, this highlights the need to integrate data protection compliance into the core design and functionality of their AI systems. In the midst of this, the privacy community found itself at the centre of an emerging debate about the concept of ‘AI governance’. This is not a surprising development – AI systems are creatures of data and the principle-based framework for the lawful use of personal data that sits at the heart of data protection law offers a strong starting point for considering how to approach the safe and ethical use of AI. As AI technologies advance, so will regulatory expectations. It is expected that regulatory scrutiny and activity will continue to escalate and accelerate in tandem with the increase in integration of powerful AI models into existing services to enrich data. Whilst privacy professionals cannot tackle the AI challenge alone, expect them to continue to be on the front lines throughout 2025 and beyond.



Disclaimer

This handbook is not a substitute for legal advice. Nor does it cover all
aspects of the legal regimes surveyed, such as specific sectorial
requirements. Enforcement climates and legal requirements in this area
continue to evolve. Most fundamentally, knowing high-level principles of
law is just one of the components required to shape and to implement a
successful global data protection compliance program.



Kenya

LAST MODIFIED 6 FEBRUARY 2025

Data protection laws

The Data Protection Act, 2019 (the “Act”) came into force on 25th November, 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31(c) and (d) of the Constitution of Kenya, 2010 (right to privacy).

In October 2020, by virtue of the powers conferred to him under the Act, the Cabinet
Secretary for Information, Communication, Technology, Innovation and Youth Affairs
gazetted the Data Protection (Civil Registration) Regulations, 2020 (the “Regulations”).
The Regulations apply to civil registries involved in processing personal data for
registrations such as births, deaths, adoptions, persons, passports and marriages.

Since the Data Protection Commissioner’s (DPC) appointment on 16 November 2020, significant efforts have been made in developing regulations for the implementation of the Act.

Data Protection (Complaints Handling Procedure & Enforcement) Regulations, 2021 (the “Complaints Handling Regulations”) – sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act;

Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 (the “Registration Regulations”) – provides for the registration of data controllers and data processors with the Office of the Data Protection Commissioner (ODPC). The threshold for mandatory registration is also set out under these regulations; and

Data Protection (General) Regulations, 2021 (the “General Regulations”) – elaborates in more detail the rights of data subjects, restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, notification of personal data breaches, transfer of personal data outside Kenya, conduct of data protection impact assessment and other general provisions.



The above regulations were gazetted in January and came into effect on 14 February
2022 with the exception of the Registration Regulations, 2021 which came into force
on 14 July 2022.

The ODPC has also issued a number of guidelines, these include:

Guidance Note on Registration of Data Controllers and Data Processors – developed to assist entities in ascertaining if they are data controllers or data processors, and to understand their obligations with respect to mandatory registration;

Guidance Note on Processing Personal Data for Electoral Purposes – developed to assist data controllers and data processors dealing with voters’ personal data and members of political parties’ personal data to understand their obligations under the Act;

Guidance Note on Data Protection Impact Assessment – to assist data controllers and data processors to understand their obligations under the Act and the need to undertake a Data Protection Impact Assessment;

Guidance Note on Consent – developed to assist data controllers and data processors to understand their duties under the Act and their obligations as far as obtaining consent is concerned;

Guidance Note for the Communications Sector – applies to communication service providers processing personal data in either the public or private sectors and provides considerations that must be present when processing subscribers’ personal data, network traffic, location or geographical data, financial data, and mobile operators’ privacy policies;

Guidance Note for the Education Sector – developed to assist educational institutions to understand their obligations under the DPA and remain compliant. The guidance note also covers institutions offering remote e-learning solutions and services;

Guidance Note on the Processing of Health Data – developed to provide healthcare institutions with a clear understanding of their obligations under the DPA and applies to all healthcare institutions operating in Kenya, including hospitals & clinics, laboratories, pharmaceutical services, health insurance providers, health research and training institutions, and professional health bodies. The guidance note also extends to the processing of data on digital health platforms such as Health Management Information System (HMIS), eHealth and mHealth applications; and

Guidance Note for Digital Credit Providers – sets out the compliance requirements that digital credit providers (DCPs) must implement while processing personal data in line with the administration of digital credit and in compliance with the DPA.

The ODPC has also published a Complaints Management Manual which sets out the
complaints management handling procedure by the ODPC; and the Alternative
Disputes Resolution Framework which provides guidance to stakeholders who wish to
engage in Alternative Dispute Resolution (ADR) to resolve their disputes arising under
the Act.



The ODPC is also in the process of developing the following regulations, which are
currently undergoing public participation:

Data Protection (Conduct of Compliance Audit) Regulations, 2024 – sets out the
procedure for the conduct of audits by the ODPC as well as the procedure for
entities that want to be accredited by the ODPC to carry out data protection audits;
and

Data Sharing Code – outlines the requirements that data controllers and
processors are required to observe prior to sharing personal data, as well as the
measures to put in place to ensure the protection of the data subject.

Definitions

Definition of personal data

Section 2 of the Act

Personal data is defined as data relating to an identified or identifiable natural person.

Definition of sensitive personal data

Section 2 of the Act

Sensitive personal data is defined as data revealing the natural person's race, health
status, ethnic social origin, conscience, belief, genetic data, biometric data, property
details, marital status, family details including names of the person's children, parents,
spouse or spouses, sex or the sexual orientation of the data subject.

National data protection authority

Part II of the Act

The Act established the ODPC, whose mandate includes overseeing the implementation and enforcement of the provisions of the Act. The ODPC is also tasked with the maintenance of the register of data controllers and processors, receiving and investigating complaints under the Act and carrying out inspections of public and private entities to evaluate the processing of personal data.

Registration

Section 18 of the Act

Data processors and data controllers are required to be registered with the ODPC. The ODPC, however, has discretion to prescribe the thresholds for mandatory registration based on:

the nature of industry;

the volumes of data processed; and

whether sensitive personal data is being processed.



The Registration Regulations provide for the registration of data controllers and data
processors with the ODPC. The threshold for mandatory registration is also set out
under these regulations. The ODPC also launched a portal where applications for
registration are submitted in the prescribed form and upon payment of a prescribed
fee. Where the ODPC is satisfied that the applicant has fulfilled the requirements for
registration, a certificate of registration is issued within 14 days and entry of the
applicant’s details is made in the register of data controllers and data processors.

The certificate of registration issued is valid for 24 months from the date of issuance.

A data controller or data processor with an annual turnover or revenue of below Kenya Shillings Five Million (approx. USD 40,000) and fewer than 10 employees is exempt from mandatory registration.

Data controllers and data processors who process data for the following purposes
regardless of their annual turnover or revenue or number of employees have to be
registered under the Registration Regulations:

Canvassing political support among the electorate;

Crime prevention and prosecution of offenders (including operating security CCTV systems);

Gambling;

Operating an educational institution;

Health administration and provision of patient care;

Hospitality industry firms, excluding tour guides;

Property management including the selling of land;

Provision of financial services;

Telecommunications network or service providers;

Businesses that are wholly or mainly in direct marketing;

Transport services firms (including online passenger hailing applications); and

Businesses that process genetic data.

Data protection officers

Section 24 of the Act

The Act makes provisions for the designation of Data Protection Officers (DPOs) but this obligation is not mandatory.

DPOs can be members of staff and may perform other roles in addition to their roles. A group of entities can share a DPO, and the contact details of the DPO must be published on the organisation’s website and communicated to the DPC.

DPOs have the following roles:



Advising the data controller or data processor and their employees on data
processing requirements provided under the Act or any other written law;

Ensuring compliance with the Act;

Facilitating capacity building of staff involved in data processing operations;

Providing advice on data protection impact assessment; and

Co-operating with the DPC and any other authority on matters relating to data
protection.

DPOs under the Regulations also have the following additional roles:

Monitoring and evaluating the efficiency of the data systems in the organization;
and

Keeping written records of the processing activities of the civil registration entity.

Collection and processing

Section 25 of the Act

The processing of personal data must comply with the principles prescribed in this part. It must be:

processed in accordance with the right to privacy of the data subject;

processed lawfully, fairly and in a transparent manner in relation to any data subject;

collected for explicit, specified and legitimate purposes and not further processed
in a manner incompatible with those purposes;

adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;

collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

accurate and, where necessary, kept up to date, with every reasonable step being
taken to ensure that any inaccurate personal data is erased or rectified without
delay;

kept in a form which identifies the data subjects for no longer than is necessary for
the purposes which it was collected; and

not transferred outside Kenya, unless there is proof of adequate data protection
safeguards or consent from the data subject.

Section 30 of the Act

The Act recommends that personal data be collected and processed lawfully. The lawful reasons for processing include:

a. consent of the data subject; or

b. the processing is necessary:

   for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;

   for compliance with any legal obligation to which the controller is subject;

   in order to protect the vital interests of the data subject or another natural person;

   for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

   the performance of any task carried out by a public authority;

   for the exercise, by any person in the public interest, of any other functions of a public nature;

   for the legitimate interests pursued by the data controller or data processor or by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or

   for the purpose of historical, statistical, journalistic, literature and art or scientific research.

It is an offence to process personal data without a lawful reason.

Under the Regulations civil registration entities must ensure that they collect only
personal data permitted by the data subject and that the appropriate steps are taken
to ensure the quality and security of the personal data.

Where the registries intend to use such data for another purpose, they must either
ensure that the purpose is compatible with the initial purpose or, where that is not the
case, seek fresh consent.

The General Regulations elaborate in more detail restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, conduct of data protection impact assessment and other general provisions.

Transfer

Part VI of the Act

The transfer of personal data outside Kenya is highly regulated under the Act. Prior to any transfer the data controller or data processor must provide proof to the DPC of the appropriate safeguards with respect to the security and protection of the personal data, including jurisdictions with similar data protection laws.

The consent of the data subject is required for the transfer of sensitive personal data
out of Kenya.



Under the Regulations, civil registration registries cannot transfer personal data
collected for civil registration purposes outside Kenya without the written approval of
the DPC.

The General Regulations elaborate in more detail the transfer of personal data outside Kenya. They provide for 4 legal bases for the transfer of personal data out of the country, which include:

a. appropriate data protection safeguards in the country or territory where the recipient is based;

b. adequacy: an adequacy decision made by the DPC that the country, territory or the international organization where data is being transferred ensures an adequate level of protection of personal data;

c. necessity: transfer is deemed to be necessary if it is:

   for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject before entering into a contract;

   for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another person;

   for any matter of public interest;

   for the establishment, exercise or defence of a legal claim;

   in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

   for the purpose of compelling legitimate interests pursued by the data controller or data processor which are not overridden by the interests, rights and freedoms of the data subjects.

d. consent of the data subject on the condition they have consented to the proposed transfer and have been informed of the possible risks of transfer.

Security

Sections 41 and 42 of the Act

Data controllers and processors are required to implement the appropriate organizational and technical measures to implement data protection principles in an effective manner.

Civil registration registries are mandated to formulate written data security procedures
which must include the following:

Instructions concerning physical protection of the database sites and their surroundings;

Access authorizations to the database and database systems;

Description of the means intended to protect the database systems and the manner of their operation for this purpose;

Instructions to authorized officers of the database and database systems regarding the protection of data stored in the database;

The risks to which the data in the database is exposed in the course of the civil registration entity's ongoing activities;

The manner of dealing with information security incidents, according to the severity of the incident;

Instructions concerning the management and usage of portable devices;

Instructions with respect to conducting periodical audits to ensure that appropriate security measures, in accordance with the Procedure and the Regulations, exist; and

Instructions regarding backup of personal data.

As far as technical measures are concerned, the General Regulations require the use of hashing and cryptography to limit the possibility of repurposing personal data. The General Regulations also require that the contract between a data controller and a data processor include a clause on security measures subjecting the data processor to appropriate technical and organizational measures in relation to keeping personal data secure.

With respect to organizational measures, the General Regulations require a data controller or data processor to develop, publish and regularly update a policy reflecting their personal data handling practices. The policy may include:

a. the nature of personal data collected and held;
b. how a data subject may access their personal data and exercise their rights in respect to that personal data;
c. complaints handling mechanisms;
d. lawful purpose for processing personal data;
e. obligations or requirements where personal data is to be transferred outside the country, to third parties, or other data controllers or data processors located outside Kenya and, where possible, specify such recipients;
f. the retention period and schedule; and
g. the collection of personal data from children, and the criteria to be applied.

The General Regulations provide for specific obligations to the data controller and data processor under the data protection principle of integrity, confidentiality and availability. These include:

having an operative means of managing policies and procedures for information security;

assessing the risks against the security of personal data and putting in place measures to counter identified risks;

processing that is robust to withstand changes, regulatory demands, incidents, and cyber-attacks;

ensuring only authorised personnel have access to the data necessary for their processing tasks;

securing transfers against unauthorised access and changes;

securing data storage from use, unauthorised access and alterations;

keeping back-ups and logs to the extent necessary for information security;

using audit trails and event monitoring as a routine security control;

protecting sensitive personal data with adequate measures and, where possible, keeping it separate from the rest of the personal data;

having in place routines and procedures to detect, handle, report, and learn from data breaches; and

regularly reviewing and testing software to uncover vulnerabilities of the systems supporting the processing.

Breach notification

Section 43 of the Act


Mandatory Breach Notification

Yes. Please see above analysis under “Breach Notification”. The ODPC has also
launched a portal where data breach notifications should be made.

Enforcement

The DPC has the duty to ensure the implementation and enforcement of the Act.

The Compliance & Enforcement Regulations set out the complaints handling
procedures and enforcement mechanisms in the event of non-compliance with the
provisions of the Act. The Regulations provide for the process and procedure of
lodging of complaints with the DPC.

The DPC is also required to maintain an up-to-date register of complaints stating the
particulars of the complainant and complaint.

Section 62 of the Act

In instances where the DPC is satisfied that any person has violated the provisions of
the Act, he has the power to issue penalty notices for up to a maximum of Kenya
Shillings Five Million (approximately USD 50,000) or 1% of an undertaking’s annual
turnover the preceding year, whichever is lower.

In addition, any act which constitutes an offence under the Act where a penalty is not
provided attracts a fine of up to Kenya Shillings Three Million (approx. USD 30,000) or
imprisonment for up to 10 years or both a fine and imprisonment.

Under the Data Protection (Compliance & Enforcement) Regulations, 2021 the DPC has the power to issue an enforcement notice where a person fails to comply with the provisions of the Act or the Regulations. A penalty notice is issued where there is failure to comply with the enforcement notice. The penalty notice will contain the reasons why the DPC is imposing a penalty, the administrative fine imposed, how the fine is to be paid and the right to appeal the decision. The DPC may impose a daily fine of not more than Ksh. 10,000 (approx. USD 100/-) for each penalty identified, until the breach is rectified.

Electronic marketing

Section 37 of the Act

The use of personal data for commercial purposes is prohibited unless the person undertaking this processing:

has sought and obtained express consent from a data subject; or

is authorized to do so under any written law and the data subject has been
informed of such use when collecting the data from the data subject.

The General Regulations state that a data controller or data processor is considered to be using personal data for commercial purposes if the personal data of a data subject is used to advance commercial or economic interests, including inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction.

The General Regulations further include circumstances where the personal data is
used for direct marketing through:

sending of a catalogue through any medium addressed to a data subject;

displaying an advertisement on an online media site where a data subject is logged on using their personal data; or

sending an electronic message to a data subject about a sale, or other advertising material relating to a sale, using personal data provided by a data subject.

An exception to direct marketing restrictions is provided where the personal data is not used or disclosed to identify or target a particular recipient.

Personal data other than sensitive personal data is only permitted to be used for direct
marketing where:

the data controller or data processor has collected the personal data directly from the data subject;

a data subject is notified that direct marketing is one of the purposes for which personal data is collected;

the data subject has consented to the use or disclosure of the personal data for the purpose of direct marketing;

the data controller or data processor provides a simplified opt-out mechanism for the data subject to request not to receive direct marketing communications; or

the data subject has not made an opt-out request.

The Cabinet Secretary in charge of information, communication and technology may, in consultation with the DPC, develop guidelines on the commercial use of personal data.

Online privacy

Kenyan law does not regulate online privacy. The Regulations have not prescribed any requirements or guidelines in regulating online privacy.

Data protection lawyers

William Maema
Senior Partner
IKM Advocates
william.maema@ikm.dlapiperafrica.com

Imelda Anika
Legal Director
IKM Advocates
imelda.anika@ikm.dlapiperafrica.com



For more information

To learn more about DLA Piper, visit dlapiper.com or contact:

Carolyn Bigg
Partner
Global Co-Chair Data, Privacy and Cybersecurity Group
carolyn.bigg@dlapiper.com

John Magee
Partner
Global Co-Chair Data, Privacy and Cybersecurity Group
john.magee@dlapiper.com

Andrew Serwin
Partner
Global Co-Chair Data, Privacy and Cybersecurity Group
andrew.serwin@us.dlapiper.com

About us

DLA Piper is a global law firm with lawyers located in more than 40 countries throughout the Americas, Europe, the Middle East, Africa and Asia Pacific, positioning us to help companies with their legal needs around the world.

dlapiper.com

This publication is for general information only. The information presented is not legal advice, and your use of it does not create a lawyer-client relationship. All legal matters are unique
and any prior results described in this publication do not guarantee a similar outcome in future matters. DLA Piper is a global law firm operating through DLA Piper LLP (US) and
affiliated entities. For further information, please refer to dlapiper.com. Attorney Advertising. Copyright © 2025 DLA Piper LLP (US). All rights reserved.
