Data Protection Officer

Under KDPA s.24, every data controller that processes personal data systematically as part of its core activities must appoint a DPO. For a deposit-taking microfinance this is non-negotiable. This page covers the appointment process, registration with ODPC, the independence guarantees, and the DPO's day-to-day duties inside the Suite.

Privacy + incidents
Privacy controls + cyber incident register.

Appointing the DPO

  1. Board passes a resolution naming the DPO
  2. DPO signs an independence statement + appointment letter (template in /kdpa_pack/05_dpo_appointment_letter.md)
  3. Register the DPO with ODPC via www.odpc.go.ke → Data Controller Registration
  4. Update the institution's privacy notice with DPO contact (dpo@)
  5. Publish DPO name + contact in the annual report and on the website

Day-to-day duties

  • Receives + triages DSARs and erasure requests within the 30-day SLA
  • Reviews + approves entries in the weekly retention queue
  • Signs off on every cyber/data-breach notification before it goes to ODPC
  • Owns the Records of Processing Activities (ROPA)
  • Owns the processor register + DPAs
  • Conducts DPIAs for new processing activities
  • Trains staff annually on KDPA + leads tabletop exercises
  • Liaises with ODPC inspectors during audits

Independence guarantees

KDPA + ODPC regulations require the DPO to be functionally independent. Inside the Suite this is implemented as:

  • Reports directly to the Board (or to the Audit Committee), not to the CEO
  • Cannot be terminated for performing DPO duties
  • Has a separate compensation review process
  • Has access to all systems regardless of other RBAC settings
  • Cannot have conflicting role (cannot also be CIO, Head of HR, or Head of Marketing)
  • Has a budget line for external counsel and tooling

Worked scenarios

Scenario — Florence's typical Friday

Setting: Last day of the working week; the DPO clears her queue.

CharacterRole
Florence AchiengDPO of a 14k-member MFI

Timeline

  1. 08:30: Reviews overnight retention flag cron output: 47 candidates.
  2. 09:00: Three DSAR self-service downloads completed overnight; logs reviewed for anomalies.
  3. 09:30: Handles one formal DSAR (member walked into branch yesterday).
  4. 10:00: Reviews + signs off a cyber-incident notification draft — phishing email reported by Compliance. (ODPC notification sent within 72h window)
  5. 11:00: Approves 35 retention candidates → marked for Sunday's purge cron.
  6. 14:00: Conducts the quarterly staff KDPA refresher session (45 min).
  7. 16:00: Writes the monthly board report — DSAR SLA hit rate, retention purge volume, breach count.

Outcome — Queue clear; board updated; staff trained. KDPA discipline maintained.

Reference

Monthly DPO board report — required KPIs

KPISourceTarget
DSARs receivedsupport cases type=dsarTrack all
DSAR SLA hit ratecase duration ≤ 30 days≥ 95%
Erasure requests receivedsupport cases type=erasureTrack all
Erasure SLA hit ratecase duration ≤ 30 days≥ 90%
Breaches notifiedmfi.cyber.incident0 ideally; all notified within 72h
Retention purgesmfi.privacy.purge.logTrack per category
Staff trainedhr.training.attendance100% of internal users annually
DPIAs conductedmfi.privacy.dpia1 per new processing activity

Troubleshooting

SymptomLikely causeFix
DPO leaves the institution mid-quarterResignation / role changeBoard resolution naming acting DPO within 30 days; notify ODPC of change within 14 days.
DPO and CIO is the same personSmall institution conflating rolesKDPA forbids the conflation. Appoint a non-IT DPO or engage an external DPO-as-a-service.
ODPC audit finds no documented DPIA processDPIA never adoptedAdopt the template in /policy_pack/08_dpia_template.md; backfill DPIAs for last 12 months of major changes.
DPO has no access to a system needed for an investigationStandard RBAC blocking the DPOAdd DPO to a 'mfi_dpo_emergency_access' group with read access to all member-personal-data tables, logged in chatter.

See also

Was this page helpful?