Learn Privacy

Know Your Privacy Obligations

Want to check which privacy laws apply to you

Take Privacy Quiz

Check out our quick privacy quiz

Why (DBoM) Data Bill of Materials

The Data Bill of Materials (DBoM) records the ownership, sharing history, storage and collection purpose of a unit of data.

Blogs

Get latest information on data security,
data protection, and data privacy.

Events

Meet us in person or virtually in
upcoming events!

News

Be the first to catch our latest news,
happenings and more.

Follow Us

Products

Privacy Automation

TurtleShield PA (Privacy Automation) automates and streamline privacy-related processes and tasks.

Data Inventory

TurtleShield DI (Data Inventory) automates data asset inventory and performs realistic data mapping.

Privacy Intelligence

TurtleShield PI (Privacy Intelligence) applies the unique oil drilling-like approach to data discovery across the entire data footprint and not just a subset of data.

Data Minimization

TurtleShield DM (Data Minimization) helps you reduce the data and focus on enterprise-centric data.

Assured Deletion

With TurtleShield AD (Assured Deletion) businesses are empowered to comply with mandatory deletion of personal data.

Consent Management

TurtleShield CM (Consent management) is the process of obtaining, tracking, and managing individuals' consent for the collection and processing of their personal data.

Responsible AI

TurtleShield RA (Responsible AI) enables organizations to assess AI risk for internal applications and Third Party softwares utilizing AI.

Training and Awareness

TurtleShield TA (Training and Awareness) provides modern & engaging awareness solutions focused on effective privacy implementations that reach the last mile in your organization.

Solutions
Build Consumer Trust

Responsibility to protect customer data, opportunity to build brand value

Robust Enterprise Security

Implement a data-centric security approach which is aligned to your business-critical data.
Case Study / Use Cases

Fintech/BFSI

E-Commerce

Insurance

Banking

Data Protection (UK)

Heathcare Use Case

Edutech Use Case

TMT Use Case
Privacy Profit Center

Transform privacy from cost center to profit center

Data Minimization

Minimize data, and reduce business risk with data minimization

Industry

Fintech/BFSI

Privacy and meaningful data centric security for your Fintech/BFSI

Healthcare

Importance of data privacy in healthcare organizations

E-commerce

Safeguarding data privacy in E-commerce Industry

Insurance

Navigating data privacy regulations in the Insurance Industry

Edutech

Data protection in EduTech Industry is the need of the hour

Technology, Media &
Telecommunications (TMT)

The importance of data privacy in the TMT Industry

Compliance
Privacy

Data privacy compliance

India (DPDPA)

USA - United States (UCPA)

Europe (GDPR)

Australia - Privacy Act

Bahrain - (PDPL)

Brazil - (LGPD)

Angola - (PDPL)

Ukraine - (PDP)

California - (CCPA)

China - (PIPL)

Colorado - (CPA)

Connecticut - (CTDPA)

Ghana - (DPA)

Irish - (DPA)

Kenya - (DPA)

UK - (DPA)

Russia Fedral Law

Nigeria - (DPA)

Honkong - (PDPO)

Indonesia - (PDP)

Japan - (APPI)

Kuwait - (DPPR)

Malaysia - (PDPA)

Oman - (PDPL)

Philippines - (DPA)

New Zealand Privacy Act

Qatar - (PDPP)

Saudi Arabia - (PDPL)

Singapore - (PDPA)

South Africa - (POPIA)

South Korea - (PIPA)

Srilanka - (PDPA)

Thialand - (PDPA)

Uganda - (DPPA)

Virginia - (CDPA)
Security

Data security compliance

Cyber Security - IRDAI

Reserve Bank - RBI
Sectoral

Sectoral compliance

COPPA

FERPA

HIPAA

Telecom TRAI
Company

About us

Ardent is on a mission to help enterprises implement meaningful security and privacy programs aligned to their business mission; building trust, and protecting data assets.

Pricing

Get pricing aligned to your business needs. Stay data protected with best plans tailored to your needs.

Contact us

Contact us to know more about how Ardent can help you implement a robust privacy program.

Kenya Data Protection Act | Kenya DPA

Data Protection Act (DPA) - Kenya

Kenya’s Data Protection Act was enacted and came into effect right away on November 25, 2019, making the country one of the first ones in Africa to have a comprehensive data privacy law.

Kenya’s Data Protection Act is one of the latest major data privacy laws in the world to be modeled closely after the EU’s GDPR, which empowers individuals with enforceable rights over their personal information, while also providing clear guidelines for companies to handle their users’ data with care.

Key obligations and consequences

Applicability of the Law

The Data Protection Act in Kenya is applicable to data controllers or data processors who process personal data of data subjects located within the country of Kenya and who are either established or resident in or outside of Kenya. This means, Kenya’s Data Protection Act has both territorial and extraterritorial scope of application, which is one of the similarities with the EU’s GDPR.

Purpose of the Act

The Act seeks to

Give effect to Article 31(c) and (d) of the Constitution that contain the right to privacy;.
Establishment of the Office of the Data Commissioner.
Regulate the processing of personal data.
Provide for the rights of data ‘subjects’
Obligations of data ‘controllers’ (Person who determines the purpose and means of processing of personal data) and ‘processors’ (Person who processes personal data on behalf of the data controller).

Data Protection Principles

The Act requires Data Controllers and Processors to process data lawfully; minimise collection of data; restricts further processing of data; requires data controllers and processors to ensure data quality; that they establish and maintain security safeguards to protect personal data.

Registration of Data Controllers and Processors

The Act requires that any person who acts as a data controller or data processor must be registered with the Data Commissioner. Therefore, once the office of the Data Commissioner is established, organisations meeting the definition of a controller or processor will need to register as such, and renew their registration every 3 years.

Transfer of Personal Data Outside Kenya

Every data controller or data processor is required to ensure the storage, on a server or data centre located in Kenya, of at least one serving copy of personal data to which the Act applies.
Cross-border processing of sensitive personal data is prohibited and only allowed when certain conditions are met or under certain circumstances specified in the Act (Part IV – 48 – 50).
A data controller or data processor may transfer personal data to another country where
- The data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data.
- The data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer such as the absence of appropriate security.
- Safeguards.
- The transfer is necessary for performance of a contract.

Key Challenges in brief:

Penalties for non compliance

Infringement of provisions of the Kenya Data Protection Act (DPA) will attract a penalty of not more than KES 5 million or, in the case of an undertaking, not more than 1% of its annual turnover of the preceding financial year, whichever is lower. Individuals will be liable to a fine not exceeding three million shillings or to an imprisonment term not exceeding ten years, or to both.

Increased territorial scope

DPA will apply to all companies processing the personal data of data subjects residing in Kenya, regardless of the company’s location.

Explicit and retractable consent from data subjects

Must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Data Subject Rights

Data subjects can request confirmation whether or not their personal data is being processed, where and for what purpose. Additionally, data subjects can request to be forgotten, which entails the removal of all the data related to the data subject.

Data Breach Notification

Notify the Data Commissioner within seventy-two hours of becoming aware of a breach and to the data subject in writing within a reasonably practical period.

Privacy By Design

Now a legal requirement for the consideration and inclusion of data protection from the onset of the designing of systems, rather than a retrospective addition.

Data Inventory

Organizations must maintain a record of processing activities under its responsibility or, in short, they must keep an inventory of all personal data processed. The inventory must include multiple types of information, such as the purpose of the processing.

Mandatory Data Protection Officers

Depending on the type of personal data and intensity of processing activities, an organization may be required to appoint a Data Protection Officer to facilitate the need to demonstrate compliance to the Act.

Solutions

Data discovery, inventory and mapping

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing)

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion

With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality

Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

Key Obligations & Consequences

Applicability of the Law

Purpose of the Act

The Act seeks to

Give effect to Article 31(c) and (d) of the Constitution that contain the right to privacy;.
Establishment of the Office of the Data Commissioner.
Regulate the processing of personal data.
Provide for the rights of data ‘subjects’
Obligations of data ‘controllers’ (Person who determines the purpose and means of processing of personal data) and ‘processors’ (Person who processes personal data on behalf of the data controller).

Data Protection Principles

Registration of Data Controllers and Processors

Transfer of Personal Data Outside Kenya

Every data controller or data processor is required to ensure the storage, on a server or data centre located in Kenya, of at least one serving copy of personal data to which the Act applies.
Cross-border processing of sensitive personal data is prohibited and only allowed when certain conditions are met or under certain circumstances specified in the Act (Part IV – 48 – 50).
A data controller or data processor may transfer personal data to another country where
- The data controller or data processor has given proof to the Data Commissioner on the appropriate safeguards with respect to the security and protection of the personal data.
- The data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of the transfer such as the absence of appropriate security.
- Safeguards.
- The transfer is necessary for performance of a contract.

Key Challenges in brief:

Penalties for non compliance

Increased territorial scope

DPA will apply to all companies processing the personal data of data subjects residing in Kenya, regardless of the company’s location.

Explicit and retractable consent from data subjects

Must be provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Entitles a data subject to ask a business operator to stop using personal data when a business operator handling personal information does not need to use personal data any more, the personal data is leaked or the data subject's right or interest may be undermined.
Entitles a data subject to ask a business operator handling personal information to disclose a record of the provision of its personal data to any third party.
Entitles a data subject to designate a method by which personal data retained by a business operator should be disclosed to the data subject.
Consideration and implementation of preventive measures.
Notifications to any person (to whom the personal information belongs) affected by the data breach etc.
Prompt public announcement of the facts of the data breach, etc. and preventive measures to be taken
Prompt notifications to the PPC about the facts of the data breach, etc. and preventive measures to be taken except for where the data breach, etc. has caused no actual, or only minor, harm (e.g., wrong transmissions of facsimiles or emails that do not include personal data other than names of senders and receivers).

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.