Privacy (KDPA)
KDPA 2019 and the Data Protection Regulations 2021 make a deposit-taking microfinance a Data Controller. This section is the operator's guide to honouring every right the Act creates and meeting every obligation — including the 72-hour ODPC notification window when a breach happens.

At a glance — Six concrete obligations: capture consent at every channel; honour DSARs within 30 days; honour erasure within 30 days; retain only what's necessary; appoint a registered DPO; notify ODPC + affected subjects within 72 hours of a breach. This section's seven pages cover each in order.
Who must read this section
Every operator who can see, edit or extract personal data: branch managers, compliance officers, the DPO, IT admins, internal audit. Loan officers should at minimum read Consent capture and DSAR.
The Suite treats KDPA as a hard control — you cannot save a member record without ticking the consent box, and you cannot export bulk member data without a logged purpose.
Pages in this section
- Consent capture — every channel, every member, versioned
- Data Subject Access Requests — self-service in iBANK + 30-day formal SLA
- Right to erasure — anonymisation wizard preserving statutory ledger
- Retention schedule — per-category timelines with the daily cron
- Data Protection Officer — appointment, registration, independence
- Breach notification — CBK 24h + ODPC 72h auto-flow
Who watches what
| Regulator | What they inspect | Reporting window |
|---|---|---|
| ODPC (Office of the Data Protection Commissioner) | Consent log, DSAR SLA, retention proof, DPO appointment, ROPA, breach notifications | 72 hours for breach; 30 days for material change |
| CBK (Central Bank of Kenya) | Cyber-incident classification + 24h notification, BCP/DRP | 24 hours from detection |
| FRC (Financial Reporting Centre) | POCAMLA records (retain 7 years) | Annual |
| KRA | Tax-record retention 7 years | Annual |
| FATF / GOAML | STR/CTR XML exports | Per occurrence |
See also
Was this page helpful?

