Commentary on the Draft Data Protection (Conduct of Compliance Audit) Regulations, 2024
- CAROLINE KIMATHI
- Jun 25

Conducting regular audits has been identified as one of the best strategies for ensuring compliance with data protection laws. It is therefore important that data protection audits are done within a legal framework which is clear and predictable to everyone.
A data protection audit is a systematic and independent examination of data processing activities of a data controller or data processor to assess compliance with data protection laws.
While the Data Protection Act, 2019 and the regulations under it empower the Office of the Data Protection Commissioner (ODPC) to conduct periodic data protection audits on the systems and processes of data controllers and data processors, the law does not presently provide any guidelines on how data protection audits should be conducted. In December 2024, in a noble move aimed at addressing this legal gap and enhancing its enforcement capacity, the ODPC published the Draft Data Protection (Conduct of Compliance Audit) Regulations, 2024 (the “Regulations”) for public participation.
Formulation of the Regulations shall be a big step forward in giving data protection audits a legal framework which clearly sets out the roles of the ODPC, data controllers, data processors and data protection auditors in such audits, lays a foundation for the quality of data protection audits by prescribing the manner in which they should be conducted, and provides guidance on the accreditation of data protection auditors.
Currently, data controllers and data processors have the liberty to determine how to conduct their internal data protection audits. Since there are no established legal criteria or practice on the proper standards and depth of such audits, the quality of audit reports varies from one entity to another.
Should the Regulations be passed in their current form, data controllers and data processors shall be required to ensure that privately initiated audits meet the prescribed legal requirements in order for those audits to have the same weight as an audit conducted or overseen by the ODPC. The Regulations propose that, for a privately conducted audit to be recognized, it shall, among other things, be conducted by an accredited auditor, comply with all relevant standards, procedures and methodologies required for data protection audits, be comprehensive and accompanied by a detailed report documenting the audit process, findings and recommendations, and be submitted to the ODPC for review and recognition.
The Regulations further provides that a person wishing to be accredited as a data protection auditor shall pay an accreditation fee of Ksh. 150,000 and that the accreditation shall be valid for a period of three years from the date of issuance. This is in addition to an application fee of Ksh. 5,000. The proposed renewal fee is Ksh. 100,000.
The proposal that the ODPC be given powers to outsource data protection audits to external auditors shall complement the capacity of the ODPC and is likely to be a big boost to the ODPC’s enforcement efforts.
Data protection audits can be initiated by the ODPC or by the data controller or data processor. Should the Regulations be passed, the ODPC shall have powers to initiate audits in various instances. These include: upon receiving complaints from individuals regarding an entity's data protection practices; as part of a broader regulatory investigation or enforcement action; on the basis of a risk assessment, complaint or other information indicating potential non-compliance; or in response to a perceived or real privacy risk, a data breach notification, significant changes in data processing activities, a petition, or the ODPC's own initiative.
The outcome of an audit done by the ODPC may include recommendations for improvement to the data controller or data processor, the issuance of an enforcement notice or penalty notice requiring the data controller or data processor to take specific corrective actions, or the initiation of further investigation or enforcement proceedings in cases of serious non-compliance.
A data controller or data processor may voluntarily undertake a data protection audit to proactively assess their data protection posture and compliance with the law or as part of a corrective measure following a data breach or other data protection compliance concerns.
In many countries, data protection regulators are given powers to conduct compliance audits on data controllers and data processors where they deem it necessary. Various countries are at different stages of formulating a specific legal framework for the conduct of such audits.
Regular review of an entity’s data processing activities is encouraged for compliance reasons, even where the law does not make conducting an audit mandatory. In some instances, this is achieved through other internal reviews or by conducting a Data Protection Impact Assessment, which is a requirement under Kenyan law where a processing operation is likely to result in high risk to the rights and freedoms of a data subject. We are keenly following the developments in the data protection space.
Please reach out to us should you require any support or guidance in this area.