If your business operates from Nairobi but sells to customers in Berlin, processes data for a UK parent company, or runs a fintech app used by Kenyans in the diaspora, you are likely subject to both the General Data Protection Regulation (GDPR) and the Kenya Data Protection Act 2019 (KDPA). These laws share DNA — the KDPA was deliberately modelled on GDPR — but treating them as identical is a costly mistake. The key differences between GDPR and Kenya Data Protection Act 2019 sit in enforcement intensity, penalty calculations, consent thresholds, and cross-border transfer rules.
This matters because the Office of the Data Protection Commissioner (ODPC) in Kenya has shifted from awareness to active enforcement. Fines have already been issued against digital lenders, schools, and SACCOs. Meanwhile, European regulators continue to issue nine-figure penalties under GDPR. Compliance officers in East Africa need a clear comparative view — not a copy-paste of a European policy.
Scope and Territorial Reach
GDPR has famously long arms. It applies to any organisation — anywhere in the world — that processes the personal data of individuals located in the EU, whether through offering goods and services or monitoring behaviour. A Kenyan e-commerce site shipping to France is covered.
The KDPA applies to data controllers and processors established in Kenya, or those outside Kenya who process the personal data of data subjects located in Kenya. The extraterritorial reach exists but is narrower in practice and less aggressively enforced beyond Kenyan borders.
Practical takeaway: If you serve EU residents, GDPR governs that data flow regardless of where your servers sit. The KDPA does not exempt you from GDPR — and vice versa.
Penalty Structures: The Numbers Diverge Sharply
This is where the two regimes part ways most dramatically.
- GDPR: Maximum administrative fines of €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher. Meta and Amazon have each received a single GDPR fine exceeding €700 million.
- KDPA: Maximum administrative fine of KES 5 million or 1% of annual turnover for the preceding financial year, whichever is lower (section 63). The ODPC's published penalties to date have fallen between KES 1.85 million and KES 5 million, including against Mulla Pride Ltd and other digital credit providers.
The difference is not just the ceiling but the direction of the calculation. GDPR takes the higher of the two figures, so the fine scales upward with company size; the KDPA takes the lower, so for any business with turnover above roughly KES 500 million the administrative exposure is capped at KES 5 million. That cap is not the whole picture: the Act also creates criminal offences (the general penalty in section 73 is a fine of up to KES 3 million, imprisonment of up to ten years, or both), data subjects can claim compensation, and the reputational damage from a published ODPC determination often outweighs the financial hit.
Consent, Legal Basis, and Data Subject Rights
Both laws require a lawful basis for processing personal data, and the core lists match: consent, contract, legal obligation, vital interests, public interest or official authority, and legitimate interests (GDPR Article 6; KDPA section 30). The wording is nearly identical, although the KDPA also recognises processing for historical, statistical, journalistic, literary, artistic or scientific research purposes as a basis in its own right, where GDPR treats those as derogations layered on top of the six.
The differences appear in execution:
- Sensitive data: GDPR calls it "special category data" (Article 9); the KDPA uses "sensitive personal data" (section 2). Both cover health, genetic and biometric data, but the KDPA adds *property details, marital status, and family details* (including the names of children, parents and spouses), categories that are not special under GDPR. Data that is routine under a European policy may therefore need the stricter handling reserved for sensitive data in Kenya.
- Children's consent: GDPR sets the digital consent age at 16 for information society services (member states can lower it to 13). The KDPA treats anyone under 18 as a child and requires consent from a parent or guardian, so any service used by minors in Kenya needs parental consent up to a higher age threshold.
- Data Protection Officer (DPO): GDPR mandates a DPO for public authorities, core activities involving large-scale regular and systematic monitoring, or large-scale processing of special category data (Article 37). The KDPA frames designation as discretionary (section 24 says a controller or processor "may" appoint one), but the registration forms ask for DPO details and the ODPC increasingly expects one during audits.
Cross-Border Data Transfers
GDPR restricts transfers outside the EEA unless there is an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or explicit consent. Kenya does not currently have an EU adequacy decision.
The KDPA (section 48) allows transfers outside Kenya only where the controller has given the Data Commissioner proof of appropriate safeguards, the data subject has consented after being informed of the risks, or the transfer is necessary for one of the listed purposes (performance of a contract, the public interest, legal claims, vital interests, or a compelling legitimate interest that is not overridden by the data subject's rights). Section 50 also lets the Cabinet Secretary require, on grounds of strategic interest, that certain processing take place through servers or data centres located in Kenya. The Data Protection (General) Regulations 2021 add registration and notification requirements with the ODPC for certain transfers.
Watch this: If you are a Kenyan business using AWS Frankfurt, Azure Europe, or Google Cloud EU regions, you are conducting cross-border transfers under *both* regimes, in opposite directions. Data about Kenyan residents landing in Frankfurt is a transfer out of Kenya under the KDPA; data about EU residents that your Nairobi staff access from an EU region is a transfer out of the EEA under GDPR, because remote access from a third country counts as a transfer. Document the legal basis for each direction of flow.
Registration and Regulatory Engagement
GDPR does not require general registration with a supervisory authority. The KDPA does: under sections 18 and 19 and the Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021, controllers and processors above the turnover and headcount thresholds, or processing any of the listed categories of data regardless of size, must register with the ODPC and pay a fee for a time-limited registration certificate that has to be renewed. Failing to register is itself a violation, and the ODPC has used registration data to identify enforcement targets.
This is often the first gap we find when conducting compliance assessments for new clients.
Building a Dual-Compliance Programme
The pragmatic approach for East African enterprises is to build to the higher standard where the two overlap, and to document the specific KDPA requirements that have no GDPR equivalent (ODPC registration, the 18-year consent age, additional sensitive data categories). A single Record of Processing Activities (RoPA) can serve both regimes if structured correctly.
Do not assume your European parent company's GDPR policies are sufficient. They likely miss Kenyan registration, local DPO expectations, and the KDPA's own breach notification rules: section 43 requires notifying the Data Commissioner within 72 hours of becoming aware of a breach that poses a real risk of harm, and notifying affected data subjects in writing without undue delay, so the GDPR playbook's 72-hour clock must run to the ODPC as well as to the European supervisory authority.
SecureZaidi helps East African enterprises achieve and maintain compliance. Get in touch.