The Assessment of Organizations' Readiness to Comply with the Kenya Data Protection Act: A Case of a Humanitarian Organization

Authors

  • Francis Ndichu Department of Computing & Informatics, University of Nairobi, Nairobi, Kenya
  • Agnes Wausi Department of Computing & Informatics, University of Nairobi, Nairobi, Kenya

DOI:

https://doi.org/10.24203/xvcq8z18

Keywords:

Data Protection; Organizational Readiness Assessment; Kenya Data Protection Act Compliance

Abstract

Privacy is a crucial aspect of life: it shapes how we behave, feel and make decisions, and it recognizes the dignity and inherent worth of individuals. The right to privacy is recognized as a fundamental right in Article 31(c) and (d) of the Constitution of Kenya, 2010. Kenya enacted the Data Protection Act in 2019 (KDPA, 2019) to safeguard personal information in accordance with a set of statutory data protection principles.

The Act requires organizations that control or process personal data to register with the Office of the Data Protection Commissioner (ODPC), to demonstrate the safeguards in place for personal data processing, to carry out a data protection impact assessment (DPIA) for processing operations that are likely to pose a high risk to the rights and freedoms of data subjects, and to notify the Data Commissioner of a personal data breach within 72 hours of becoming aware of it.

To evaluate an organization's compliance with the Act, it is necessary to perform a readiness assessment that reviews the organization's privacy practices across different domains, identifies gaps, and sets out the steps needed to achieve and maintain compliance.

To streamline readiness evaluation, this study reviewed the privacy maturity models currently used by organizations to measure their readiness to comply with privacy laws, and then assessed the readiness of a humanitarian organization to comply with the Act.

The AICPA/CICA Privacy Maturity Model informed the readiness assessment of the humanitarian organization against the KDPA. The study adopted a quantitative research methodology.

The research identified regulatory, cultural and technological readiness as the dimensions influencing an organization's readiness to comply with the KDPA. To improve the overall readiness score, organizations need to address all three domains (regulatory, culture and technology) rather than concentrating on any one of them.

Organizations can use the study's findings to evaluate their compliance with the provisions of the Act, identify areas of non-compliance, and prioritize remediation efforts.

Author Biography

  • Agnes Wausi, Department of Computing & Informatics, University of Nairobi, Nairobi, Kenya

    Prof Agnes Wausi

    Associate Professor, University of Nairobi

    Department of Computing & Informatics

References

[1] AICPA/CICA. (2011). Privacy Maturity Model. Retrieved February 4, 2023, from https://vvena.nl/wp-content/uploads/2018/04/aicpa_cica_privacy_maturity_model.pdf

[2] Albrechtsen, E., & Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection: An intervention study. Computers & Security, 29(4), 432-445.

[3] ICT Authority. (2022). The Kenya National Digital Master Plan 2022-2032. https://cms.icta.go.ke/sites/default/files/2022-04/Kenya%20Digital%20Masterplan%202022-2032%20Online%20Version.pdf

[4] Constitution of Kenya. (2010). https://kenyalaw.org/lex/actview.xql?actid=Const2010#sec_31

[5] Creswell, J. W. (2013). Research design: Qualitative, quantitative, and mixed methods approaches. Los Angeles: SAGE Publications Ltd.

[6] Da Veiga, A., & Eloff, J. H. P. (2010). A framework and assessment instrument for information security culture. Computers & Security, 29(2), 196-207.

[7] Data Protection (Complaints Handling and Enforcement Procedures) Regulations. (2021). Office of the Data Protection Commissioner, Kenya. https://www.odpc.go.ke/

[8] Data Protection (General) Regulations. (2021). Office of the Data Protection Commissioner, Kenya. https://www.odpc.go.ke/

[9] Data Protection (Registration of Data Controllers and Data Processors) Regulations. (2021). Office of the Data Protection Commissioner, Kenya. https://www.odpc.go.ke/

[10] De Bruin, T., Rosemann, M., Freeze, R., & Kulkarni, U. (2005). Understanding the main phases of developing a maturity assessment model. ACIS 2005 Proceedings. Australasian Chapter of the Association for Information Systems.

[11] France/CNIL. (2021). Privacy maturity model with self-assessment. https://www.privacydesign.ch/2021/09/10/france-cnil-privacy-maturity-model-with-self-assessment/

[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union.

[13] International Network of Privacy Law Professionals (INPLP). A brief history of data protection: How did it all start? Accessed 6 May 2023. https://inplp.com/latest-news/article/a-brief-history-of-data-protection-how-did-it-all-start/

[14] Kenya Data Protection Act. (2019). Kenya Gazette Supplement. https://www.odpc.go.ke/download/kenya-gazette-data-protection-act-2019/?wpdmdl=3235&refresh=64d810be383e81691881662

[15] Kothari, C. R. (2004). Research methodology: Methods and techniques (2nd ed.). New Delhi: New Age International.

[16] MENA Financial Crime Compliance Group (MENA FCCG). (2021). A practical guide: Establishing a privacy and data protection framework. https://menafccg.com/wp-content/uploads/2021/03/Privacy-and-Data-Protection-Guide.pdf

[17] Mugenda, O. M., & Mugenda, A. G. (2003). Research methods (3rd ed.). Nairobi: ACTS Press.

[18] Murthy, G., & Medine, D. (2020). New approaches to data protection and privacy.

[19] NGOs Co-ordination Board. (2023). Annual NGO Sector Report 2021/2022. https://ngobureau.go.ke/wp-content/uploads/2023/06/AR-Booklet.pdf

[20] Office of the Data Protection Commissioner (ODPC). (2023). Register of Data Controllers and Data Processors. https://www.odpc.go.ke/registered-data-processors-and-controllers/

[21] Ponemon Institute. (2022). Data breach report 2022. Accessed 8 July 2023.

[22] Yin, R. K. (2014). Case study research: Design and methods (5th ed.). Thousand Oaks, CA: SAGE Publications.

[23] Rogers, E. M. (2003). Diffusion of innovations (5th ed.). New York: Free Press.

[24] Woodhouse, S. (2007). Information security: End user behavior and corporate culture. Proceedings of the Seventh International Conference on Computer and Information Technology (CIT 2007). IEEE. https://doi.org/10.1109/CIT.2007.186

[25] Taber, K. S. (2018). The use of Cronbach's alpha when developing and reporting research instruments in science education. Research in Science Education, 48, 1273-1296. https://doi.org/10.1007/s11165-016-9602-2

[26] The MITRE Corporation. (2019). Privacy Maturity Model. https://www.mitre.org/publications

[27] National KE-CIRT/CC. (2023). 2023-24 Q2 Cyber Security Report. https://ke-cirt.go.ke/wp-content/uploads/2024/01/2023-24-Q2-Cyber-Security-Report_compressed-1.pdf

[28] United Nations Conference on Trade and Development (UNCTAD). (2021). Data protection and privacy legislation worldwide. Accessed 16 July 2023. https://unctad.org/page/data-protection-and-privacy-legislation-worldwide

[29] Warren, S. D., & Brandeis, L. D. (1890). The right to privacy. Harvard Law Review, 4(5), 193-220.

[30] Yamane, T. (1967). Elementary sampling theory. Englewood Cliffs, NJ: Prentice-Hall.

Published

2025-07-11

Section

Articles

How to Cite

Ndichu, F., & Wausi, A. (2025). The Assessment of Organizations' Readiness to Comply with the Kenya Data Protection Act: A Case of a Humanitarian Organization. International Journal of Computer and Information Technology (ISSN 2279-0764), 14(2). https://doi.org/10.24203/xvcq8z18
