CIPIT’S Data Protection Course

Only 36% of Kenyan businesses are aware of the privacy laws governing their activities, despite the Data Protection Act’s implementation in 2019. Additionally, according to a Zoho survey conducted earlier in 2021, while 77% of businesses indicated that they have well-documented policies in place to safeguard customer data, only 56% adhered to those policies strictly. Data protection is being discussed more frequently and at many levels. As long as a company, business, or organization handles data, it is necessary for them to understand their obligations and responsibilities, as well as the rights of consumers. Businesses, organizations, and consumers should all be aware of data processing principles, as well as the rights and protections provided by the law. Privacy is recognized as a fundamental right in the Constitution of Kenya 2010 and it serves as the foundation for data protection. The Data Protection Act of 2019 recognizes the importance of data protection and establishes data processing principles, protections for consumer rights, and data processor and data controller obligations.

In February 2022, CIPIT launched an online data protection course that instructs participants on data protection concepts based on Kenya’s Data Protection Act. The course targets SMEs, legal practitioners, law students, data journalists and members of the general public who are interested in better understanding data protection and its application.

“We are excited at this opportunity to contribute to the data protection conversation. CIPIT has always been committed to providing unbiased and rigorous content in legal issues that affect citizens’ rights, and this course serves to emphasize that commitment,” said Dr. Isaac Rutenberg, Director, CIPIT. Dr. Rutenberg added, “Kenya’s data landscape is changing very fast and we also have a very young and dynamic population. It follows therefore that the challenges of safeguarding the rights of Kenyans and their data can only keep growing.”

The course is divided into three core modules:

  • Module 1 covers the legal foundations for data protection and the Kenya Data Protection Act’s scope, data protection stakeholders and their relationships, data protection terminologies, and legal basis for data processing. The module facilitator is Mercy Mutemi.

  • Module 2 deals with compliance when it comes to data processing, namely, legal and technical compliance. It has been further divided into Modules 2a and 2b.

    • Module 2a elaborates on the legal issues raised in Module 1 with reference to the Data Protection Act. It then examines the actors and relationships involved in data protection and compliance safeguards required by the Data Protection Act. The module facilitator is Stephen Kiptinness.

    • Module 2b addresses the technical and organizational requirements of the Data Protection Act. The module delves into the technical, organizational, and compliance safeguards required by data protection law, with a particular emphasis on technical compliance, the process by which data protection principles are translated into technical and system practices. It contains a checklist to assist data protection practitioners in an organization. The module facilitator is John Ombagi.

  • Module 3 discusses governance, management, and the data protection officer’s role and responsibilities. It discusses the necessary organizational structures and the importance of a data protection officer, policies and procedures within departments responsible for data processing, such as human resources, information technology, and finance, and relationships with external stakeholders who interact with personal data. The module facilitator is John Ombagi.

Moreover, the course has the following additional resources:

  • A Data Protection Glossary which contains a list of data protection terms and their definitions to assist the learner in comprehending the course. The glossary, which covers the fundamentals, stakeholders, and mechanisms, is an invaluable resource throughout the course. This section is instructed by Grace Mutung’u.

  • Data Protection from a Global Perspective is a section that discusses data protection in other countries, such as the United Kingdom and the United States, as well as how businesses process data and how individuals can increase their awareness of their rights. The section is instructed by Dr. Isaac Rutenberg.

  • The Data Protection Impact Assessment videos are a three-part video series that demonstrates how to conduct a data protection impact assessment (DPIA) by using simplified step-by-step criteria and practical examples.

CIPIT’s goal is to equip the course participants with the information and tools needed to apply data protection principles and knowledge in their day-to-day undertakings.

For more information, visit or
