Our Products

Facilities Management People Management

Is your Visitor Management Process Compliant with the Kenya Data Protection Act?

After the enactment of the Kenya Data Protection Act (the DPA) in 2019, and the establishment of the Office of the Data Protection Commissioner in 2020, the relevant regulations necessary to give effect to many of the provisions contained in the DPA came into effect on 11th February 2022 while registration of data processors and data controllers commences on 14th July 2022. The legislation applies to all businesses that handle personal data in Kenya.

What is DPA Compliance?

The DPA Regulations sets out the rights of data subjects and obligations of data controllers, data processors and third parties who handle personal data. Overall, the DPA ushers in a robust legal and institutional mechanism for the protection of personal data, will have far-reaching implications on how personal data is handled.

Organizations will need to review their data management practices to assure compliance with the law.  One clearly overlooked process where a lot of personal data is collected is in the visitor management processes. A large number of organizations use manual methods of visitor registration (Visitor Books) books.  With the law and regulations coming to force, the use of visitor books creates non-compliance risks

With these risks and time consuming administrative practices paper sign in books should be a serious concern and using alternative visitor management practices would be highly recommended.

The Dangers of Not Complying with DPA

Compliance with DPA is vital, and the consequences of violating these regulations are significant. If you are found guilty of DPA non-compliance, you will fall under one of two different penalty tiers. The DPA gives the Office of the Data Commissioner the power to impose administrative fines for failure to comply with the DPA.

The Office of the Data Commissioner may impose a fine of up to KES. 5 million (approx. USD. 50,000) or, in the case of an undertaking, up to 1% of its annual turnover of the preceding financial year, whichever is lower. The fine is payable to the Office of the Data Commissioner.

Failure to comply with an order of the Office of the Data Commissioner is considered an offence under the DPA.

Section 65 of the DPA accords all data subjects the right to compensation from data processors or controllers for damage caused to them.

What Are the DPA Requirements for Visitor Management Systems?

If you’re still using outdated visitor management strategies, chances are, you could unknowingly breach the DPA regulations. Here are the requirements you need to know about your VMS.

Visitor Consent

Before collecting any data whatsoever, you must obtain permission from your visitors. “Consent must be freely given, specific, informed and unambiguous. In order to obtain freely given consent, it must be given on a voluntary basis.”

We recommend to clients using automated visitor registration systems to place prominently visible signage that communicates the use of electronic visitor registration as the default visitor registration processes.  The signage should also specific the purpose and the use of data being collected and reference to relevant legislative framework (DPA Regulations) that support them.  

The legal basis for collecting specific data include;

  • Physical security procedures  and Protocols (More legal provisions for this are included on the Kenya Private Security Ac 2019 )
  • Health and safety (e.g., potential office evacuations)
  • Any data that a business collects must fall within your mandate, and it can only be used for its intended purpose.


Consent alone will not guarantee that your organization is allowed to collect visitor data. It must also be clear how you plan to use the gathered information. Besides giving notice when you plan to collect data, that data must also not be used unethically.

Data Access and Security

When data is collected under DPA regulations, it can only be stored for as long as the information is needed. You must also make sure that data is only accessible to those who need it.

Traditional visitor management methods put organizations at a considerable risk of violating both of these stipulations. A visitor book for signing in and out could be stored for an excessive amount of time, thereby violating DPA regulations. Visitor data could also end up falling into the hands of individuals who should not see it. In both cases, a business could face substantial fines if not careful.

Digital visitor management solutions are an easy way to avoid these problems and guarantee data security. A VMS allows organizations to delete data as soon as it is no longer needed, encrypt and secure data so it can only be accessed by authorized individuals, and centralizes the storage of sensitive data. Extra layers of security can also be added, such as passwords.

Staying Compliant with DPA Regulations

DPA compliance is essential. Violating the regulations can cost your business—big time. If you’re using offline visitor management processes, chances are you’re not fully DPA compliant.

The easiest way to guarantee compliance is by using a VMS with built-in features. By creating agreements, allowing users to opt out of data collection, and using shield-encrypted software, businesses can ensure they stay on the ‘good side’ of official regulations.

If you want to learn more about how SOJA VMS can help your organization remain DPA compliant, contact us today to get you started. We will be happy to further discuss with our customer and walk together in the journey towards full compliance with the Act.