Data Privacy and the Company Secretary
With data breaches inflicting significant legal, financial, and reputational damage, and stakeholders demanding greater transparency, Kenya’s Data Protection Act (2019) imposes clear obligations on companies. Clients often ask: “How can my business oversee data risk and stay compliant?” The answer lies with strong governance, and that’s where a knowledgeable Company Secretary adds strategic value.
1. Why Data Privacy Is a Matter for Boards and Secretaries
Under the Data Protection Act, any company processing personal data, especially SMEs with 5+ employees or turnover over KES 5 million, must register with Kenya’s Office of the Data Protection Commissioner (ODPC) and implement robust privacy controls. Non-compliance can result in fines of up to KES 5 million or 1% of annual turnover, criminal sanctions, or reputational damage.
Boards are expected to oversee data-related risks by ensuring robust data governance frameworks are in place and regularly reviewed. Company Secretaries, on the other hand, safeguard governance frameworks, support Data Protection Officers, and ensure alignment between risk protocols and strategic objectives.
2. Core Responsibilities of a Company Secretary in Data Privacy Governance
a) Setting the Governance Model
Secretaries help establish or oversee a privacy governance structure, such as appointing the Data Protection Officer (DPO), defining their reporting line, ideally to the board or audit committee, and creating privacy sub-committees to manage risk and reporting.
b) Maintaining Statutory & Privacy Registers
They manage statutory company registers, ensuring personal data in document formats is stored in compliance with data minimization, pseudonymization, and controlled access policies. This ensures that registers, held at the registered office, do not accidentally expose personal information or breach privacy rules.
c) Coordinating Board Oversight & Metrics
Company Secretaries prepare privacy compliance briefs and track key metrics, such as breach incidents, Data Protection Impact Assessment (DPIA) completions, and staff training statistics. They then present these to help the board ask the right questions.
3. Key Practices for Data Privacy and What the Secretary Ensures
ODPC Registration - Verify on-time registration by controllers/processors liable under thresholds.
DPIAs & Privacy Risk Assessments - Coordinate assessments for new systems or data-heavy processes.
Policy & Consent Management - Help draft privacy notices, opt-in forms, and consent logs to support lawful data collection.
Breach Response & Reporting - Ensure a breach response plan, 72-hour ODPC notification, and data subject alerts are in place.
Staff Training & Culture - Organize privacy induction for directors, staff, and third parties.
Vendor & Cross-border Governance - Oversee data sharing agreements, limit unauthorized transfers, and vet processors.
4. Strategic Benefits of Secretary-led Data Privacy Oversight
a) Risk reduction - Proper governance prevents administrative fines, legal exposure, or lengthy downtime after breaches.
b) Investor & customer trust - Demonstrates proactive governance and ethical handling of personal data.
c) Operational preparedness - Data breach protocols, audit trails, and training readiness help make swift action possible.
d) Scalability and readiness - Supportive frameworks scale alongside business growth and emerging compliance standards.
5. How Azali Supports Data Privacy Through Governance Leadership
At Azali Certified Public Secretaries LLP, we specialize in enabling businesses to navigate data privacy through governance controls, clarity, and compliance readiness:
Assist with ODPC registration and classification under the Act.
Design and manage privacy governance architecture, including DPO liaison and committee oversight.
Draft privacy policies, consent formats, processing logs, and DPIA templates.
Maintain secure record-keeping systems and statutory registers in privacy-compliant formats.
Facilitate board-ready dashboards and privacy metric reports.
Support data breach response planning, policy development, and staff training.
Final Thoughts
In today’s digitally driven business environment, data privacy is not merely a legal requirement; it’s a strategic governance concern. A proactive Company Secretary bridges the gap between board-level oversight and data integrity, ensuring your company complies, mitigates privacy risk, and upholds public trust.
Get in touch with Azali today to align your data governance strategy with Kenyan legal standards and strengthen your organizational resilience.
admin@azali.co.ke | +254 (0) 707 456 140