Data Protectors Podcast

The Data Protectors Podcast brings together Kenyan and European experts to explore different aspects of data protection compliance, share lessons learned, and identify opportunities created with the enactment of Kenya's Data Protection Act and the European Union's General Data Protection Regulation (GDPR).

Its objective is to help small businesses, data processors and collectors in Kenya to comply with these data protection regulations, raising awareness of how data protection laws affect their organisations and the data subjects from whom they collect data.

Episode 1: Principles of data protection

The first episode of the Data Protectors Podcast touches on data protection principles and how small businesses and organisations can integrate them into their operations.

Whereas SMEs, start-ups and small civil society organisations are slightly different in their business models, they all face similar challenges regarding data protection compliance. More often than not, these organisations are resource-starved, meaning that they lack the capacity to, among other things, invest in compliance or the capacity to hire skilled data protection officers to guide them through compliance.

Our speakers Liesa Borghaert and Mercy Mutindi delve into the seven data protection principles: (1) lawfulness, fairness, and transparency; (2) purpose limitation; (3) storage limitation; (4) data minimalisation; (5) accuracy; (6) integrity and confidentiality; and (7) accountability. Most importantly, they provide practical advice on how to incorporate these principles into organisations’ day-to-day operations.


  • Megan Kathure, Tech policy analyst


  • Mercy Mutindi, General Counsel & Director Compliance at Wasoko
  • Liesa Boghaert, Attorney-at-law at Timelex and GDPR expert

Listen here

Episode 2: Registration as a data controller or processor

The Data Protection Act 2019 introduced an obligation for certain entities that process personal data in Kenya to register with the Data Protection Commissioner (ODPC). Specifically, all data controllers and processors that have an annual turnover or annual revenue above Kenya Shillings five million (KES 5,000,000/=) and/or more than ten (10) employees must register with the ODPC. However, even smaller organizations with a turnover below 5 million shillings and less than 10 employees must register if they operate in certain sectors.

In the second episode of the Data Protectors Podcast, Rosemary Koech and Elaine Wangari explore who is required to register, why it is important to register and how exactly one can register with the Office of the Data Protection Commissioner.


  • Priya Shah, Director of Risk and Privacy Compliance at Carepay Ltd


  • Elaine Wangari, Data Protection Specialist at HTB Group London
  • Rosemary Koech, Co-organizer of Nairobi Legal Hackers and DPO at KCB Group

Listen here

Episode 3: The cost of compliance

Episodes 1 and 2 of the Data Protectors Podcast presented the data protection principles and the first component of compliance, which is registration. Episode 3 builds on these themes to further explore the costs of complying with the Data Protection Act.

In this episode, moderated by Susan Wajiku, lawyers Catherine Kariuki and Cynthia Chepkemoi detail what documentation small and medium-sized enterprises need to be compliant. They also explain how to get the relevant documents in a cost-effective manner. Finally, they provide useful guidance on how to get Data Protection Officers without breaking the bank.


  • Susan Wanjiku, Digital Ecosystem Advisor at GIZ-DTC Kenya


  • Catherine Kariuki-Mulika, TMT Partner at TripleOKLaw Advocates
  • Cynthia Chepkemoi, Data Protection Counsel

Listen here

More episodes coming soon

You can also listen to the Data Protectors Podcast on the following platforms:

This podcast is produced by KICTANET and GIZ/DTC Kenya, in collaboration with Nairobi Legal Hackers, as part of the AU-EU D4D Hub project