Most Kenyan Organisations Do Not Know Where Their Personal Data Is.
Most Kenyan organisations that believe they are KDPA-compliant have a policy document and a privacy notice. They do not have a data inventory. When an ODPC auditor asks ‘show me every location where you store personal data and demonstrate that you have appropriate controls for each location,’ the policy document will not answer the question. The audit trail that proves compliance is not in the policy — it is in the document and data management systems that either generate it automatically or don’t.
The December 2024 ODPC Conduct of Compliance Audit Regulations gave the Office of the Data Protection Commissioner formal powers to conduct data protection audits and to accredit third-party auditors to conduct them on its behalf. The regulations are not a future commitment. They are the current operating environment for every organisation that processes personal data in Kenya. Administrative fines under the Kenya Data Protection Act reach KSh 5 million or, for an undertaking, 1% of annual turnover for the preceding financial year, whichever is lower. The audit infrastructure to enforce those penalties now exists.
What the ODPC Will Actually Ask For — and Why a Privacy Policy Does Not Answer It
An ODPC compliance audit is an evidence review. It is not a policy review. The distinction is precise and its implications are severe for the majority of Kenyan organisations that have invested in KDPA compliance at the document layer without investing in the operational layer that generates compliance evidence.
The audit will require evidence across five specific categories. The first and most fundamental is a data inventory: a complete, verified map of every system, process, and storage location where personal data is held. Not a description of the systems the organisation intended to use for personal data. Every system where personal data actually exists — including the ones that were never intended to hold it.
The second is legal basis documentation: for each category of personal data the inventory identifies, the organisation must demonstrate the lawful basis under which that data is being processed. Consent, legitimate interest, legal obligation, and contractual necessity each require different forms of documentation. An organisation that collected client KYC data without recording the specific legal basis at the point of collection cannot produce that contemporaneous record retrospectively; a basis asserted after the fact documents remediation, not compliance at the time of collection.
The third is access controls: documented evidence of who has access to personal data stores, on what basis they were granted that access, and when that access was last reviewed. In most Kenyan organisations, access rights to shared drives accumulate over years without formal review. Staff who left the organisation two years ago may still have active credentials to systems containing client data. An ODPC auditor asking for an access control log will surface this immediately.
The fourth is retention and deletion evidence: documented retention periods for each category of personal data and verifiable evidence that data past its retention period has been deleted or anonymised. Saying the organisation has a retention policy is not evidence. Evidence is a deletion log showing that client files from seven years ago were destroyed on a documented date by an authorised person.
The fifth is breach response: not a breach response policy document, but evidence that the process has been tested, that staff have been trained on it, and that the organisation can demonstrate the capability to notify the ODPC within the 72 hours the KDPA allows after becoming aware of a qualifying breach. The audit is not interested in what the organisation would do in theory. It is interested in what it can demonstrate it is capable of doing.
The uncomfortable truth about this evidence requirement is that the organisations least prepared for it are not necessarily the smallest or least resourced. They are the ones that assigned KDPA compliance to a lawyer who produced a privacy notice, published it on the website, and filed the matter as resolved. That work was never compliance. It was documentation of intent. The audit asks for documentation of reality.
Why most Kenyan firms fail the first ODPC audit question
The first question in an ODPC audit — where is all the personal data your organisation holds? — is the question that determines whether every subsequent answer is credible. An organisation that cannot answer it completely cannot demonstrate compliance with any other requirement, because compliance with retention periods, access controls, and legal basis documentation all depend on knowing what data exists and where.
A complete data inventory requires more than a list of enterprise systems. Personal data in Kenyan organisations flows through channels that were never designed to hold it and are never included in formal compliance documentation. Client names and ID numbers appear in email chains that were forwarded to personal Gmail accounts when staff worked from home during the pandemic and were never recalled. Employee salary information exists in WhatsApp group messages sent by an HR manager who found it faster than using the payroll system. Job applicant CVs are saved in a Dropbox folder that was created five years ago and is accessible to anyone who was ever given the link.
None of these locations appear in a standard privacy notice. All of them contain personal data. All of them are within scope of a KDPA compliance audit. An organisation that has never systematically walked each department and mapped every data flow — not just the formal systems, but the informal practices that have developed around them — does not know what it holds or where it holds it. It cannot give the ODPC an honest answer to the first question.
The data inventory exercise exposes a structural problem that goes beyond compliance. It reveals that most organisations have not made deliberate decisions about where personal data should be stored. They have accumulated personal data in whatever location was most convenient at the moment of collection. The compliance gap is the downstream consequence of an absence of data governance — not a single policy failure, but years of operational decisions made without a framework for where data belongs.
How a Document Management System Contributes to ODPC Audit Readiness
A document management system creates the compliance infrastructure the ODPC audit requires — but only for the data that actually flows through it. This distinction matters because the most common failure mode in KDPA compliance technology is an organisation that implements a DMS, assumes it has solved the compliance problem, and then fails an audit because the majority of its personal data was never in the DMS to begin with.
A well-implemented DMS delivers specific, auditable capabilities. It generates access logs that record who retrieved a document, when, and from which system — creating the evidentiary record that satisfies the ODPC’s access control requirement. It enforces retention policies automatically, flagging documents for review at their retention expiry and maintaining deletion records that satisfy the evidence requirement for data disposal. It maintains version histories that demonstrate when documents were created, modified, and by whom — relevant to any audit query about when data was first collected and under what authority.
What a DMS cannot do is extend these controls to data that bypasses it. An email attachment containing client KYC information that is saved to a local laptop sits outside the DMS’s audit trail entirely. A WhatsApp exchange in which a sales representative shares a client’s contact details with a colleague is outside the DMS’s scope by definition. A Dropbox folder created by a department head who wanted a faster way to share HR documents is not governed by the DMS’s retention policy.
The gap between what a DMS governs and what the ODPC audit scope covers is precisely the gap that the data inventory exercise must identify and the organisation’s data governance policy must close. The policy must specify what categories of personal data are required to flow through the DMS, prohibit storage of personal data in ungoverned locations, and establish enforcement mechanisms — not aspirational guidance — that ensure the policy is followed in practice. Technology without governance policy produces audit-ready documents. It does not produce audit-ready organisations.
A 90-Day ODPC Audit Readiness Programme
Audit readiness is a management project with a technology implementation layer. Most organisations that treat it as primarily a technology project deploy systems before they understand what the systems need to govern, and end up with well-configured DMS platforms that do not address the actual compliance gaps the audit will surface.
The first thirty days are a personal data inventory. This requires walking every department — finance, HR, legal, operations, sales, and customer service — and mapping every system and informal data store where personal data flows. The output is a complete register: what personal data is held, in which location, collected under what process, accessible to which staff, and retained for how long. This exercise should be conducted by someone with the authority to ask uncomfortable questions and the mandate to document honest answers. The inventory will be longer and more uncomfortable than most organisations expect.
Days thirty-one to sixty are gap analysis. Each item in the inventory is evaluated against KDPA requirements: is there a documented legal basis for this data? Are access controls appropriate and documented? Does a retention period exist and is there evidence it is being enforced? Does the data appear in the organisation’s privacy notice? The gap analysis produces a prioritised list of compliance failures — not hypothetical risks, but actual deviations from legal requirements identified in the organisation’s own data.
Days sixty-one to ninety are remediation prioritisation and initial implementation. Not all gaps can be closed in thirty days, and attempting to close all of them simultaneously produces paralysis rather than progress. The priority sequence is: first, any personal data being held without a legal basis — this is the highest regulatory risk and the easiest to address through deletion, provided each deletion is itself recorded (what was deleted, when, by whom) so that the remediation becomes retention evidence rather than another undocumented act; second, unauthorised access points — shared drives and email repositories accessible to staff without a documented business need; third, the DMS implementation or extension to bring governed data flows within an auditable system; fourth, breach response testing to demonstrate the notification capability the ODPC requires.
This is three months of structured management work. It does not require a large technology budget in the first instance. It requires honesty about what the organisation actually holds, which is the prerequisite for every other step.
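The three phases above lend themselves to a simple tool: a register of inventory entries, a rule set that asks the gap-analysis questions of each entry, and an ordering that matches the remediation sequence. The following is an added illustration written for this article, not Jansen Tech’s tooling or any ODPC artefact. The field names, the annual access-review threshold, the 365-day year used for retention arithmetic, the priority numbering and the four sample register entries are all assumptions constructed for the example; the privacy-notice check is placed last because the text gives it no position in the remediation order.

```python
"""Gap analysis over a personal-data inventory register.

Added example, not the original page's code. Field names, thresholds and the
sample register below are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy thresholds (not taken from the original page).
ACCESS_REVIEW_MAX_AGE = timedelta(days=365)   # access rights re-certified annually
APPROX_YEAR = timedelta(days=365)             # adequate for retention arithmetic here
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


@dataclass
class Entry:
    """One row of the personal-data inventory register (days 1 to 30)."""
    category: str                        # what personal data, e.g. "client KYC"
    location: str                        # formal system or informal store
    governed: bool                       # inside the DMS audit trail?
    legal_basis: Optional[str]           # recorded lawful basis, None if never documented
    retention_years: Optional[int]       # documented retention period, None if absent
    oldest_record: date                  # earliest collection date in this store
    last_access_review: Optional[date]   # when access rights were last reviewed
    access_needs_documented: bool        # business-need record exists for each holder
    in_privacy_notice: bool              # category disclosed in the published notice
    deletion_log: bool                   # deletion records exist for expired data


@dataclass
class Finding:
    priority: int     # 1 legal basis, 2 access, 3 governance/retention, 4 notice
    category: str
    location: str
    issue: str


def _note(findings: List[Finding], e: Entry, priority: int, issue: str) -> None:
    findings.append(Finding(priority, e.category, e.location, issue))


def analyse(entries: List[Entry], today: date) -> List[Finding]:
    """Days 31 to 60: test each entry against the gap-analysis questions and
    return findings in the days 61 to 90 remediation order."""
    findings: List[Finding] = []
    for e in entries:
        if e.legal_basis not in LAWFUL_BASES:
            _note(findings, e, 1, "no documented lawful basis; delete or document first")
        if not e.access_needs_documented:
            _note(findings, e, 2, "access holders have no documented business need")
        if e.last_access_review is None:
            _note(findings, e, 2, "access rights never reviewed")
        elif today - e.last_access_review > ACCESS_REVIEW_MAX_AGE:
            _note(findings, e, 2, f"access review overdue (last {e.last_access_review})")
        if not e.governed:
            _note(findings, e, 3, "store is outside the DMS audit trail")
        if e.retention_years is None:
            _note(findings, e, 3, "no documented retention period")
        elif today - e.oldest_record > e.retention_years * APPROX_YEAR and not e.deletion_log:
            _note(findings, e, 3, "records past retention period with no deletion evidence")
        if not e.in_privacy_notice:
            _note(findings, e, 4, "category not disclosed in the privacy notice")
    return sorted(findings, key=lambda f: (f.priority, f.category, f.issue))


TODAY = date(2025, 6, 1)   # fixed so the example is reproducible

# Constructed sample register; the stores mirror the informal channels the text describes.
SAMPLE_REGISTER = [
    Entry("client KYC", "DMS", True, "legal_obligation", 7, date(2015, 3, 1),
          date(2025, 1, 10), True, True, False),
    Entry("employee salaries", "WhatsApp HR group", False, None, None, date(2023, 5, 1),
          None, False, False, False),
    Entry("job applicant CVs", "Dropbox shared-link folder", False, "consent", 1,
          date(2020, 1, 1), date(2021, 1, 1), False, True, False),
    Entry("newsletter subscribers", "CRM", True, "consent", 2, date(2024, 9, 1),
          date(2025, 3, 1), True, True, False),
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_REGISTER, TODAY):
        print(f"P{f.priority}  {f.category:<22} {f.location:<28} {f.issue}")
```

Run against the sample register, the only priority 1 finding is the salary data in the WhatsApp group, which is also the store with the most gaps; the governed KYC store still surfaces one finding because records older than its seven-year period have no deletion log, which is the distinction the text draws between having a retention policy and having evidence it is enforced.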
The Work That Creates Audit Readiness
Jansen Tech works with Kenyan organisations to conduct the data inventory and gap analysis process, design the governance framework that defines where personal data should flow and how it should be controlled, and implement the document management infrastructure that generates compliance evidence as a byproduct of daily operations. This is implementation work grounded in Kenya’s specific regulatory context — the ODPC’s audit framework, the KDPA’s requirements, and the operational reality of organisations that have years of ungoverned data accumulation to address. The organisations that navigate ODPC audits without a remediation crisis are those that built the evidence layer before the audit notification arrived.
The most common objection to proactive KDPA compliance investment is that the ODPC is unlikely to audit any specific organisation. This objection is becoming less credible as ODPC enforcement capacity increases and the accreditation of third-party auditors expands the volume of audits the office can conduct. But even if the probability of a specific audit were low, it is not the right frame. The cost of a remediation crisis — legal fees, operational disruption, reputational damage with clients and counterparties whose data was found to be ungoverned — is not a small probability times a large cost. It is an outcome that some organisations will experience, and the ones that experience it will not have been selected randomly. They will be the ones that received a complaint, experienced a breach, or were identified through a sector-wide enforcement sweep of the kind the ODPC has signalled interest in.
The organisations that will pass an ODPC audit without crisis are those that have built compliance as an operational discipline — where the data inventory is a living document, where the DMS generates audit evidence automatically, and where the breach response process has been tested rather than written. These organisations will not find the audit notification alarming. They will find it bureaucratic. The organisations still running KDPA compliance from a policy document will find it something else entirely.
The audit powers exist. The question is no longer whether compliance will be verified. It is whether the verification finds evidence or finds gaps.