Data Protection Officer
Under KDPA s.24, every data controller that processes personal data systematically as part of its core activities must appoint a DPO. For a deposit-taking microfinance this is non-negotiable. This page covers the appointment process, registration with ODPC, the independence guarantees, and the DPO's day-to-day duties inside the Suite.

Appointing the DPO
- Board passes a resolution naming the DPO
- DPO signs an independence statement + appointment letter (template in
/kdpa_pack/05_dpo_appointment_letter.md) - Register the DPO with ODPC via
www.odpc.go.ke→ Data Controller Registration - Update the institution's privacy notice with DPO contact (
dpo@) - Publish DPO name + contact in the annual report and on the website
Day-to-day duties
- Receives + triages DSARs and erasure requests within the 30-day SLA
- Reviews + approves entries in the weekly retention queue
- Signs off on every cyber/data-breach notification before it goes to ODPC
- Owns the Records of Processing Activities (ROPA)
- Owns the processor register + DPAs
- Conducts DPIAs for new processing activities
- Trains staff annually on KDPA + leads tabletop exercises
- Liaises with ODPC inspectors during audits
Independence guarantees
KDPA + ODPC regulations require the DPO to be functionally independent. Inside the Suite this is implemented as:
- Reports directly to the Board (or to the Audit Committee), not to the CEO
- Cannot be terminated for performing DPO duties
- Has a separate compensation review process
- Has access to all systems regardless of other RBAC settings
- Cannot have conflicting role (cannot also be CIO, Head of HR, or Head of Marketing)
- Has a budget line for external counsel and tooling
Worked scenarios
Scenario — Florence's typical Friday
| Character | Role |
|---|---|
| Florence Achieng | DPO of a 14k-member MFI |
Timeline
- 08:30: Reviews overnight retention flag cron output: 47 candidates.
- 09:00: Three DSAR self-service downloads completed overnight; logs reviewed for anomalies.
- 09:30: Handles one formal DSAR (member walked into branch yesterday).
- 10:00: Reviews + signs off a cyber-incident notification draft — phishing email reported by Compliance. (ODPC notification sent within 72h window)
- 11:00: Approves 35 retention candidates → marked for Sunday's purge cron.
- 14:00: Conducts the quarterly staff KDPA refresher session (45 min).
- 16:00: Writes the monthly board report — DSAR SLA hit rate, retention purge volume, breach count.
Outcome — Queue clear; board updated; staff trained. KDPA discipline maintained.
Reference
Monthly DPO board report — required KPIs
| KPI | Source | Target |
|---|---|---|
| DSARs received | support cases type=dsar | Track all |
| DSAR SLA hit rate | case duration ≤ 30 days | ≥ 95% |
| Erasure requests received | support cases type=erasure | Track all |
| Erasure SLA hit rate | case duration ≤ 30 days | ≥ 90% |
| Breaches notified | mfi.cyber.incident | 0 ideally; all notified within 72h |
| Retention purges | mfi.privacy.purge.log | Track per category |
| Staff trained | hr.training.attendance | 100% of internal users annually |
| DPIAs conducted | mfi.privacy.dpia | 1 per new processing activity |
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
| DPO leaves the institution mid-quarter | Resignation / role change | Board resolution naming acting DPO within 30 days; notify ODPC of change within 14 days. |
| DPO and CIO is the same person | Small institution conflating roles | KDPA forbids the conflation. Appoint a non-IT DPO or engage an external DPO-as-a-service. |
| ODPC audit finds no documented DPIA process | DPIA never adopted | Adopt the template in /policy_pack/08_dpia_template.md; backfill DPIAs for last 12 months of major changes. |
| DPO has no access to a system needed for an investigation | Standard RBAC blocking the DPO | Add DPO to a 'mfi_dpo_emergency_access' group with read access to all member-personal-data tables, logged in chatter. |
See also
Was this page helpful?

