Data Protection

Pathway: Education

Prerequisite: Leadership

Data protection course that deals with relevant laws in Kenya

#Data_protection#Relevant_Law

1. Analyze and interpret Kenya’s Data Protection Act, 2019 and subsidiary regulations (including the Data Protection (General) Regulations, 2021 and Registration of Data Controllers and Data Processors Regulations, 2021) to determine organizational obligations, roles, lawful bases, and data subject rights across typical processing scenarios.

Learning Targets:

1. Differentiate personal data from sensitive personal data under Kenyan law and identify associated compliance implications.

2. Classify organizational roles (controller, joint controller, processor) for case scenarios and assign statutory responsibilities accordingly.

3. Determine and document an appropriate lawful basis for specific processing purposes and assess purpose compatibility.

4. Map applicable data subject rights and statutory response timelines to common requests (access, correction, erasure, portability, objection, restriction).

5. Identify when registration with the Office of the Data Protection Commissioner (ODPC) is required and compile the necessary registration inputs.

Modules

1. Kenyan Data Protection Law Foundations

1. 1. Scope, Definitions, and Legal Structure of the DPA, 2019

Learning Outcomes:

1. Differentiate personal data, sensitive personal data, and anonymized data under Kenyan law and cite compliance implications for each category

2. Map the material and territorial scope of the DPA, 2019 to common organizational scenarios including public, private, and non-profit entities

3. Analyze the interaction between the DPA, the General Regulations 2021, and Registration Regulations 2021 to delineate enforceable obligations

4. Classify lawful processing principles (lawfulness, fairness, transparency, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability) and align them to operational controls

5. Interpret ODPC powers, enforcement mechanisms, and penalties to assess regulatory risk exposure for hypothetical cases

6. Evaluate applicability of exemptions and limitations (e.g., national security, journalism, research) and document conditions for valid reliance

7. Construct a compliance checklist that ties statutory definitions and principles to concrete organizational policies and procedures

Data Protection

Pathway: Education

Prerequisite: Leadership

Data protection course that deals with relevant laws in Kenya

#Data_protection#Relevant_Law

1. Analyze and interpret Kenya’s Data Protection Act, 2019 and subsidiary regulations (including the Data Protection (General) Regulations, 2021 and Registration of Data Controllers and Data Processors Regulations, 2021) to determine organizational obligations, roles, lawful bases, and data subject rights across typical processing scenarios.

Learning Targets:

1. Differentiate personal data from sensitive personal data under Kenyan law and identify associated compliance implications.

2. Classify organizational roles (controller, joint controller, processor) for case scenarios and assign statutory responsibilities accordingly.

3. Determine and document an appropriate lawful basis for specific processing purposes and assess purpose compatibility.

4. Map applicable data subject rights and statutory response timelines to common requests (access, correction, erasure, portability, objection, restriction).

5. Identify when registration with the Office of the Data Protection Commissioner (ODPC) is required and compile the necessary registration inputs.

Modules

1. Kenyan Data Protection Law Foundations

1. 1. Scope, Definitions, and Legal Structure of the DPA, 2019

Learning Outcomes:

1. Differentiate personal data, sensitive personal data, and anonymized data under Kenyan law and cite compliance implications for each category

2. Map the material and territorial scope of the DPA, 2019 to common organizational scenarios including public, private, and non-profit entities

3. Analyze the interaction between the DPA, the General Regulations 2021, and Registration Regulations 2021 to delineate enforceable obligations

5. Interpret ODPC powers, enforcement mechanisms, and penalties to assess regulatory risk exposure for hypothetical cases

6. Evaluate applicability of exemptions and limitations (e.g., national security, journalism, research) and document conditions for valid reliance

7. Construct a compliance checklist that ties statutory definitions and principles to concrete organizational policies and procedures

Data Protection

Pathway: Education

Prerequisite: Leadership

Learning Targets:

Modules

1. Kenyan Data Protection Law Foundations

1. 1. Scope, Definitions, and Legal Structure of the DPA, 2019

Learning Outcomes:

Data Protection

Pathway: Education

Prerequisite: Leadership

Learning Targets:

Modules

1. Kenyan Data Protection Law Foundations

1. 1. Scope, Definitions, and Legal Structure of the DPA, 2019

Learning Outcomes:

1. 2. Sensitive Personal Data and High-Risk Processing Triggers

Learning Outcomes:

2. Controller, Processor Roles and Lawful Bases

2. 1. Role Classification and Responsibilities Allocation

Learning Outcomes:

2. 2. Lawful Bases Selection and Purpose Limitation

Learning Outcomes:

3. Data Subject Rights and ODPC Registration

3. 1. Rights Mapping, Timelines, and Fulfilment Readiness

Learning Outcomes:

3. 2. ODPC Registration Requirements and Process

Learning Outcomes:

2. Design and institutionalize a data protection governance framework by building an ODPC-ready Record of Processing Activities (RoPA), end-to-end data maps, compliant privacy notices, and retention schedules using privacy management platforms or standardized templates.

Learning Targets:

Modules

1. Building an ODPC-Ready RoPA and Data Inventory

1. 1. RoPA Structure, Fields, and Quality Standards

Learning Outcomes:

1. 2. End-to-End Data Mapping and Flow Diagrams

Learning Outcomes:

2. Privacy Notices and Just-in-Time Disclosures

2. 1. Drafting Layered Privacy Notices

Learning Outcomes:

2. 2. Transparency Governance and Evidence Management

Learning Outcomes:

3. Retention, Disposal, and Governance Operating Model

3. 1. Retention Schedules and Deletion Workflows

Learning Outcomes:

3. 2. DPO Role, Governance Forums, and Reporting

Learning Outcomes:

3. Conduct Data Protection Impact Assessments (DPIAs) and embed privacy by design/default using ODPC guidance, risk matrices, and mitigation techniques such as minimization, pseudonymization, encryption, and access segregation.

Learning Targets:

Modules

1. DPIA Fundamentals and Scoping

1. 1. Trigger Identification and DPIA Planning

Learning Outcomes:

1. 2. Stakeholder Engagement and Information Gathering

Learning Outcomes:

2. Risk Analysis, Scoring, and Mitigation Design

2. 1. Risk Identification and Calibration

Learning Outcomes:

2. 2. Mitigation Selection and Prior Consultation Decision

Learning Outcomes:

3. DPIA Execution, Recordkeeping, and Continuous Review

3. 1. Execution, Documentation, and Approvals

Learning Outcomes:

3. 2. Operationalizing Privacy by Design/Default

Learning Outcomes:

4. Implement proportionate technical and organizational security controls for personal data using ISO/IEC 27001/27701–aligned practices, identity and access management (IAM), encryption, logging/SIEM, and data loss prevention (DLP) to reduce risk to acceptable levels.

Learning Targets:

Modules

1. Identity and Access Management (IAM) and Least Privilege

1. 1. RBAC, MFA, and Access Reviews

Learning Outcomes:

1. 2. Logging, Monitoring, and Anomaly Detection

Learning Outcomes:

2. Encryption, Key Management, and Data Protection Technologies

2. 1. Cryptographic Controls and Key Lifecycle

Learning Outcomes:

2. 2. DLP, Tokenization, and Secure Backups

Learning Outcomes:

3. Secure Development and Change Control for Personal Data

3. 1. Privacy-Aware SDLC Practices

Learning Outcomes: