2024 saw the scatter-gun enforcement style of the Office of the Data Protection Commissioner (ODPC) in Kenya with 51 determinations and average fines in the region of 522,308 Kenyan Shillings (KSh) per case being meted out as punishment for data protection violations. The fines have been levied against businesses in many sectors-from financial institutions to education and healthcare-for data protection breaches.

This appears to be a strong stride toward safeguarding consumer data rights. But is such regulation proving effective, or may it become a symbolic exercise rather than a transformational change?

The crackdown is in accordance with the provisions in the Data Protection Act (2019) because of increasing public outcry about the manner in which personal data is being collected, retained, and utilized-most notably in the finance, digital lending, health, education, and hospitality industry. As such, it has been made clear by the ODPC that violations will not go unchecked.

Companies which have been found to breach these laws were fined an average of 522,308 KSh, and fines went higher than 1 million KSh in some cases. Top off-line offenders are digital lenders, financial service providers, schools, and health institutions-all of which handle data that is extremely sensitive.