The Data Protection Act, 2019 (the Act) which came into effect on 25 November 2019, is set to streamline data governance by among other things, establishing the office of the Data Protection Commissioner which shall be responsible for implementing the Act.

In this article, we address the role data mapping can play in facilitating compliance with the new legal requirements.

Tightening the Noose: Data Mapping

As data subjects have a right to be informed of the use to which their personal data is to be put, data processors and data controllers have a corresponding obligation to deal with such personal data for the specified, explicit and legitimate purposes for which it was collected.

Section 31 of the Act effectively requires data processors and data controllers to evaluate their processing activities to determine if such activities pose a high risk to the rights of a data subject, prior to their undertaking any data processing activities. 

In this regard, a data controller or data processor is required to undertake a data protection impact assessment which must set out (a) the description and purpose of the processing operations, (b) the necessity and proportionality of the processing, (c) the imminent risks to the rights and freedoms of the data subjects and (d) the remedial measures put in place to address such risks.

While the Data Commissioner is required to set guidelines for the carrying out of impact assessments, organisations processing personal data should make proper adjustments to their processes by undertaking internal audits and mapping out the categories of personal data they handle and process in their day to day operations.

Self-audits and data mapping are vital tools applied by organisations in determining their compliance with specific laws, the nature of the personal data it handles, how the personal data is stored, protected and how such personal data moves in and out of the organisation.  Such data mapping may be undertaken manually or by automated means.

Why is this important for businesses in Kenya?

Data mapping and self-auditing will help data controllers and data processors comply with Section 41 of the Act which requires every data controller and data processor implement appropriate technical and organisational measures for data processing.

Essentially, organisations that conduct data mapping and self-audits will be better positioned to avoid or address irregularities and non-compliance with the Act, noting that the Data Commissioner is entitled to conduct periodical systems and process audits in accordance with Section 23 of the Act.  Moreover, self-auditing further augments good data governance processes in line with international industry practice.

Identifying processing activities

In undertaking data mapping and audit activities, the data processor or data controller must foremost identify the processing activities they carry out.

Processing activities under the Data Protection Act cover a wide range of operations and comprise the collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use disclosure, dissemination, alignment, combination, restriction, erasure or destruction of personal data.

Carrying out visual data maps

One useful way of understanding an organisation’s interaction with personal data, is capturing and visualising the movement of personal data in its key processes. Visualisation will identify departments within an organisation that have a role to play in the processing activity.

Classifying these data points is instrumental in identifying sensitive personal data, cross border transfer of data, establishing whether consent to process the personal data was obtained and identifying areas where an impact assessment is necessary.

Below is a list of questions that may guide data processors and data controllers when undertaking a data mapping exercise:

  • What type of information relating to an identified or identifiable natural person (i.e. personal data) is collected? (is the data ‘personal data’ or is it ‘sensitive personal data’)
  • Are data subjects notified of their rights and is evidence of this recorded?
  • Has unequivocal consent been obtained from the data subject?
  • Is there a record of such consent?
  • Are the consequences of the withdrawal of consent clear?
  • In what form is the data collected or stored? (electronic or paper records)
  • How was the data collected? (directly or indirectly)
  • If data was collected indirectly, what is the justification for indirect collection and from what source was it obtained?
  • For what purpose is the organisation using the personal data?
  • Is there a legal basis for processing the personal data? (e.g. to perform a contract or comply with a law)
  • For how long will the personal data be stored?
  • Where will the personal data be stored?
  • What protective measures are in place to secure the stored personal data?
  • Will the personal data be transferred outside the country?    


The Act imposes onerous obligations on data processors and data controllers to prevent the misuse of personal data or the breach of privacy rights.  It is imperative that individual players understand their role and obligations in the data jigsaw and observe prudence when handling personal data.

For more information on how to tailor specific compliance checks for your organisation, please get in touch with Waringa Njonjo.


4th Floor, Wing B, Capitol Hill Square, Off Chyulu Road, Upper Hill, Nairobi, Kenya.
P.O. Box 8418 Nairobi 00200 / T: +254-208697960/+254-202596994 / M: +254 718 268 683

Dropping Zone: No 62, Embassy House