Compliance

Do you need to register with the ODPC? A plain guide for Kenyan businesses

Christopher Mulwa, Founder, DEVSIRCH HUB · 9 min read

Most Kenyan businesses are required to register with the Office of the Data Protection Commissioner (ODPC). You are only exempt if your annual turnover is under KES 5 million and you have fewer than 10 employees — and several sectors must register no matter their size.

Do you actually need to register with the ODPC?

This is where almost everyone gets it wrong. The common assumption is “we’re small, so the law doesn’t apply to us.” That is not how the exemption works. Under the Data Protection (Registration of Data Controllers and Data Processors) Regulations, you are exempt from mandatory registration only if you meet both of these at the same time:

  • Your annual turnover or revenue is below KES 5 million, and
  • You have fewer than 10 employees.

Cross either line and the exemption falls away. A 12-person business with modest revenue must register. So must a lean four-person company turning over KES 8 million. The two tests are joined by “and,” not “or” — that single word is the most misunderstood point in Kenyan data-protection compliance.

Which businesses must register no matter their size?

Even if you would otherwise qualify for the exemption, the ODPC lists activities that require registration at any size, because of how sensitive the data is. They include:

  • Crime prevention — including operating security CCTV systems and private security
  • Health and patient care — clinics, pharmacies, labs, wellness providers
  • Education — schools, colleges, training centres
  • Hospitality — hotels, restaurants, event companies
  • Financial services and insurance — including credit reference and debt collection
  • Gaming and betting
  • Faith-based and religious organisations
  • Pension schemes and political canvassing

Are you a data controller, a processor — or both?

A data controller decides why and how personal data is collected (most businesses, for their own customers and staff). A data processor handles personal data on someone else’s behalf — a payroll bureau, an IT provider, a marketing agency. If your business does both, you are expected to register twice: once as a controller and once as a processor, with a separate fee for each.

What does ODPC registration cost?

The registration fee depends on the size of your organisation. The tiers below reflect the ODPC’s published schedule at the time of writing — always confirm the current figures on the ODPC portal before you pay, because fee schedules are updated from time to time.

Indicative ODPC registration fees — confirm current rates on odpc.go.ke.
  Organisation size               Registration fee (KES)
  Micro & small enterprise        4,000
  Medium enterprise               16,000
  Large enterprise                40,000
  Public, charity & religious     4,000

The certificate is valid for 24 months. Renewal fees are lower than the initial registration, and you should renew at least 30 days before expiry so your compliance never lapses.

What happens if you don’t comply?

Enforcement in Kenya has moved from theory to practice. The ODPC has issued penalty notices to named companies, and the number of complaints it determines has been rising year on year. The headline risks:

  • An administrative penalty of up to KES 5 million, or 1% of your prior year's annual turnover — whichever is lower.
  • A duty to notify the ODPC within 72 hours of becoming aware of a personal-data breach that poses a real risk of harm to the people affected. Missing that window is a separate compliance failure on top of the breach itself.
  • Reputational damage: ODPC determinations are public, and a finding against you is visible to clients and partners.

The practical takeaway is simple: registration is the cheap part. Reconstructing your data practices under enforcement pressure — after a complaint or a breach — is the expensive part.

A practical path to compliance

Compliance is less about paperwork for its own sake and more about being able to show, calmly, that you handle people’s data responsibly. The route we take Kenyan businesses through:

  • Map it — list what personal data you hold, where it lives, and who can reach it.
  • Register — file with the ODPC as a controller, processor, or both, correctly tiered.
  • Document — privacy notice, data-protection policy, retention rules, and a breach plan an audit will accept.
  • Fix the gaps — the handful of real risks the mapping surfaces, prioritised.
  • Maintain — keep the registration renewed and the records current as the business changes.

Common questions

Is my small business too small to register with the ODPC?

Probably not. You are only exempt if you meet both conditions at once: an annual turnover under KES 5 million and fewer than 10 employees. If you cross either line — say you have 12 staff but modest turnover, or high turnover with a small team — you are expected to register. And some sectors must register at any size.

I run CCTV at my premises. Does that affect me?

Yes. Operating security cameras counts as processing personal data for crime prevention, which the ODPC lists as a mandatory-registration activity regardless of your size. If you have CCTV — most shops, clinics, schools, and offices do — you should treat registration as required, not optional.

How long does ODPC registration last?

A registration certificate is valid for 24 months. You should renew at least 30 days before it expires to stay continuously compliant.

What is the fine for not registering?

The Data Protection Commissioner can impose an administrative penalty of up to KES 5 million, or 1% of your prior year's annual turnover, whichever is lower. Separately, a personal-data breach that poses a real risk of harm to the people affected must be notified to the ODPC within 72 hours of becoming aware of it.

Can you handle the whole registration for us?

Yes. We map what personal data you hold, register you with the ODPC as a data controller or processor, write the policies an audit expects, and keep the renewal on track. It is part of our governance, risk and compliance work.

Want this handled for you?

Tell us where your business is now. We'll map the practical next steps — no obligation, and a fixed quote after a free call.