Privacy (KDPA)

KDPA 2019 and the Data Protection Regulations 2021 make a deposit-taking microfinance a Data Controller. This section is the operator's guide to honouring every right the Act creates and meeting every obligation — including the 72-hour ODPC notification window when a breach happens.

Privacy + incidents
Privacy controls + cyber incident register.
At a glance — Six concrete obligations: capture consent at every channel; honour DSARs within 30 days; honour erasure within 30 days; retain only what's necessary; appoint a registered DPO; notify ODPC + affected subjects within 72 hours of a breach. This section's seven pages cover each in order.

Who must read this section

Every operator who can see, edit or extract personal data: branch managers, compliance officers, the DPO, IT admins, internal audit. Loan officers should at minimum read Consent capture and DSAR.

The Suite treats KDPA as a hard control — you cannot save a member record without ticking the consent box, and you cannot export bulk member data without a logged purpose.

Pages in this section

  1. Consent capture — every channel, every member, versioned
  2. Data Subject Access Requests — self-service in iBANK + 30-day formal SLA
  3. Right to erasure — anonymisation wizard preserving statutory ledger
  4. Retention schedule — per-category timelines with the daily cron
  5. Data Protection Officer — appointment, registration, independence
  6. Breach notification — CBK 24h + ODPC 72h auto-flow

Who watches what

RegulatorWhat they inspectReporting window
ODPC (Office of the Data Protection Commissioner)Consent log, DSAR SLA, retention proof, DPO appointment, ROPA, breach notifications72 hours for breach; 30 days for material change
CBK (Central Bank of Kenya)Cyber-incident classification + 24h notification, BCP/DRP24 hours from detection
FRC (Financial Reporting Centre)POCAMLA records (retain 7 years)Annual
KRATax-record retention 7 yearsAnnual
FATF / GOAMLSTR/CTR XML exportsPer occurrence

See also

Was this page helpful?