GeraCompliance in Kenya 2026 — DPA 2019 and ODPC Obligations for SMEs
Published April 21, 2026
Quick answer
GeraCompliance is a privacy & governance toolkit for Kenyan SMEs covering the Data Protection Act 2019 (DPA 2019), Office of the Data Protection Commissioner (ODPC) registration, Data Protection Impact Assessments (DPIAs), cross-border transfer rules, and GDPR alignment for SMEs serving UK/EU customers. Priced in KSh, paid by M-Pesa.
The Kenyan regulatory landscape
- Data Protection Act 2019 — the primary framework, mirroring GDPR in structure.
- Office of the Data Protection Commissioner (ODPC) — the regulator; registration required for data controllers and processors above the prescribed turnover threshold.
- Data Protection (General) Regulations 2021 — detail on DPIAs, complaints, notifications.
- Data Protection (Registration of Data Controllers and Data Processors) Regulations 2021 — registration tiers.
- Computer Misuse and Cybercrimes Act 2018 — covers cybercrime offences and intersects with incident response.
Who must register with the ODPC
Generally, data controllers and processors with an annual turnover above KSh 5 million or handling personal data at scale (for example, financial, health, employment, or data of children) must register with the ODPC. Certain sectors — health, education, telecoms, finance, political parties — are specifically called out.
Fines and exposure
The DPA 2019 provides for administrative fines of up to KSh 5 million or 1% of annual turnover, whichever is lower, for serious breaches. Criminal penalties can reach KSh 3 million or ten years' imprisonment under section 72 of the Act. Civil claims from data subjects are also possible.
What GeraCompliance gives you
- ODPC registration wizard with pre-filled templates
- Kenya-specific privacy notice and consent templates (English + Kiswahili)
- DPIA workflow aligned to ODPC Guidance Notes
- Record of Processing Activities (RoPA) manager
- Cross-border transfer checks (adequacy, SCCs, binding corporate rules)
- Breach notification workflow (72-hour clock)
- Employee awareness training (short CPD-style modules)
Pricing in KSh
- Starter (SMEs < 25 staff): KSh 3,500/month
- Growth: KSh 9,500/month
- Regulated sector (finance/health): KSh 25,000/month with dedicated DPO hours
- One-off ODPC registration assistance: KSh 15,000
Competitive landscape
Kenyan law firms (Bowmans, ALN Kenya, Anjarwalla & Khanna) offer bespoke DPO services; OneTrust and TrustArc serve the enterprise segment globally. GeraCompliance's positioning: self-serve toolkit priced for SMEs, in KSh with M-Pesa billing, with optional escalation to a panel of Kenyan privacy counsel.
Related Gera products for Kenya
- GeraGuard in Kenya — browser-side privacy controls for Kenyan users.
- GeraCash in Kenya — CBK and POCAMLA-aware KYC tooling.
- GeraJobs in Kenya — employer templates aligned with DPA 2019.
Get DPA 2019 ready — M-Pesa billing, Kenya templates
ODPC registration in under a day.