
Author

  • Esther Muriuki

    Esther is a Kenyan advocate specializing in data protection, litigation, digital assets, and commercial law.

Since the enactment of the Data Protection Act (DPA) in 2019, Kenya has made significant progress in aligning with global standards on privacy and data governance. Large institutions and multinationals have embraced data protection compliance, but small and medium enterprises (SMEs) remain largely underprepared. From Nairobi’s Central Business District to Instagram shops and e-commerce platforms, SMEs handle sensitive personal data daily, including names, phone numbers, ID details, and even financial or health information. Yet many continue to operate without safeguards, informed consent, or awareness of their obligations under the law.

This article highlights common mistakes SMEs make with data protection and why ignoring compliance is no longer an option.

Common Privacy Compliance Pitfalls for SMEs

1. Believing that the law does not apply to SMEs

Many SMEs mistakenly believe that data protection laws only apply to large corporations or government institutions. Others assume that unless they handle highly sensitive data such as biometrics or operate in regulated sectors like banking or healthcare, they are exempt. In reality, the DPA and its general principles apply to any entity that collects or processes personal data, regardless of its size or sector.

2. Reliance on token compliance: “we have a privacy policy, so we’re covered”

A common mistake is assuming that publishing a privacy policy on a website or e-commerce platform is sufficient. While a privacy policy is important, it represents only one component of a much broader compliance framework.

3. Delegating responsibility to tech platforms and vendors

Many SMEs use cloud-based software such as customer relationship management tools, point-of-sale systems, email marketing services, payment gateways, and digital advertising platforms. They often assume that because these service providers are reputable, responsibility for compliance rests with them. This is a dangerous misconception. Under the DPA, the primary legal responsibility rests with the data controller, which is the SME itself; the vendor typically acts as a data processor on the SME's instructions, and the SME remains answerable for how the data is handled.

4. Absence of internal policies and employee training

Most SMEs lack internal data protection policies and have not trained their employees on privacy practices. It is common to find employees:

  • Collecting customer information informally through WhatsApp or handwritten notebooks;
  • Leaving business systems logged in and unattended;
  • Sharing client information over the phone without verification;
  • Using personal devices to store company data without encryption.

These practices create a high risk of unauthorized access, data loss, or data breaches, and they leave no record of what data was collected, where it went, or who saw it.

5. Ignoring consumer rights and redress mechanisms

The DPA guarantees several rights to individuals, including the right to be informed, the right of access, the right to rectification and erasure, the right to object to processing, and the right not to be subjected to automated decision making. Most SMEs have no procedure in place to receive, verify, and respond to such requests.

6. Assuming compliance is too costly

One of the biggest barriers to SME compliance is the perception that it is costly. While advanced compliance measures may involve costs, many foundational steps can be taken with minimal or no expense. The cost of non-compliance, including regulatory fines, loss of consumer trust, and reputational damage, is far greater than the cost of adopting basic measures.

Practical Data Protection Steps for SMEs

To achieve meaningful compliance, SMEs should:

  1. Map and manage data: know what personal data you collect, why you collect it, where it is stored, and who has access.
  2. Establish lawful bases: collect only necessary data, obtain clear consent, and update records regularly for accuracy.
  3. Set retention and deletion rules: do not keep data longer than needed and ensure secure disposal.
  4. Empower customers: provide simple channels for access, correction, or deletion requests.
  5. Vet vendors: sign data processing agreements, confirm their compliance, and ensure secure cross border transfers.
  6. Adopt internal policies: create data protection guidelines, employee confidentiality agreements, and access control policies.
  7. Secure systems: use strong passwords and two-factor authentication, and restrict the use of personal devices for storing business data unless they are properly secured (for example, encrypted and protected by a screen lock).
  8. Train employees: conduct regular privacy and security awareness sessions for all employees and departments.
  9. Leverage free resources: use ODPC templates, sector guidelines, and affordable training to cut costs.
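Steps 1, 2, 3, 6 and 7 above can be turned into a small, repeatable check rather than a one-off exercise. The script below is an added example, not code from the original article or from the ODPC: it holds a constructed data map (one entry per category of personal data, with purpose, lawful basis and retention period) and a constructed set of stored records, then flags records kept past retention, categories with no lawful basis recorded, unencrypted data on personal devices or unencrypted sensitive data anywhere, and records readable by more staff than the access policy allows. Category names, retention periods, storage labels and staff names are all assumptions for illustration; the retention periods are not legal advice.

```python
"""Added example (not part of the original article): a minimal personal-data
inventory with automated compliance checks. Categories, retention periods,
storage labels and records are constructed assumptions, not ODPC guidance."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class DataCategory:
    """One row of the data map: what is collected, why, on what basis, for how long."""
    name: str
    purpose: str
    lawful_basis: Optional[str]   # None means the business has not yet established one
    retention_days: int
    sensitive: bool = False       # health, financial, ID-document data and similar


@dataclass(frozen=True)
class Record:
    """A stored item of personal data and where/how it is held."""
    record_id: str
    category: str
    collected_on: date
    storage: str                  # e.g. "crm", "pos", "personal_phone", "notebook"
    encrypted: bool
    accessible_to: frozenset      # usernames of staff who can read it


# Constructed data map (assumption; retention periods are illustrative only).
INVENTORY = {
    "contact": DataCategory("contact", "order fulfilment", "contract", 365),
    "mpesa_ref": DataCategory("mpesa_ref", "payment reconciliation", "legal obligation", 7 * 365, sensitive=True),
    "id_number": DataCategory("id_number", "delivery verification", None, 90, sensitive=True),
    "marketing": DataCategory("marketing", "promotional messages", "consent", 730),
}

# Storage locations the access-control policy treats as personal devices (assumption).
PERSONAL_DEVICES = {"personal_phone", "personal_laptop", "notebook"}

# Reference date for the retention check so the example is reproducible.
AS_OF = date(2025, 1, 15)


def find_expired(records, inventory, today):
    """Records kept past their category's retention period (step 3)."""
    return [r.record_id for r in records
            if today - r.collected_on > timedelta(days=inventory[r.category].retention_days)]


def find_missing_lawful_basis(inventory):
    """Categories collected with no lawful basis recorded (step 2)."""
    return sorted(c.name for c in inventory.values() if c.lawful_basis is None)


def find_insecure_storage(records, inventory):
    """Unencrypted data on a personal device, or sensitive data unencrypted anywhere (step 7)."""
    return [r.record_id for r in records
            if not r.encrypted and (r.storage in PERSONAL_DEVICES or inventory[r.category].sensitive)]


def find_over_broad_access(records, max_readers):
    """Records readable by more staff than the access policy allows (step 6)."""
    return [r.record_id for r in records if len(r.accessible_to) > max_readers]


def compliance_report(records, inventory, today, max_readers=3):
    """Run every check and return a dict of record/category ids keyed by check name."""
    return {
        "expired": find_expired(records, inventory, today),
        "missing_lawful_basis": find_missing_lawful_basis(inventory),
        "insecure_storage": find_insecure_storage(records, inventory),
        "over_broad_access": find_over_broad_access(records, max_readers),
    }


# Constructed sample records (assumption, for demonstration only).
SAMPLE_RECORDS = [
    Record("r1", "contact", date(2024, 6, 1), "crm", True, frozenset({"amina"})),
    Record("r2", "contact", date(2022, 3, 5), "crm", True, frozenset({"amina", "joe"})),
    Record("r3", "id_number", date(2024, 11, 1), "personal_phone", False, frozenset({"joe"})),
    Record("r4", "mpesa_ref", date(2020, 6, 1), "pos", True, frozenset({"amina", "joe", "kip", "wanjiru"})),
    Record("r5", "marketing", date(2023, 9, 15), "mailer", True, frozenset({"amina"})),
]

if __name__ == "__main__":
    for check, ids in compliance_report(SAMPLE_RECORDS, INVENTORY, AS_OF).items():
        print(f"{check}: {ids or 'none'}")
```

Run as a script it prints one line per check; on the sample data it reports r2 as expired, id_number as lacking a lawful basis, r3 as insecurely stored and r4 as readable by too many staff. The point of the design is that the data map itself is the policy: once categories, bases and retention periods are written down in one place, the retention, lawful-basis and access checks fall out of it, and a record whose category is missing from the map fails loudly with a KeyError rather than being silently ignored.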

Why Data Protection Compliance Matters for SMEs

The ODPC has already fined businesses that mishandled personal data, and for SMEs such penalties can be financially crippling. But compliance is about more than avoiding fines; it is about trust. In Kenya’s digital economy, trust is currency. Consumers are far more likely to buy from businesses that respect their data.

For SMEs, data protection is not optional; it is both a legal requirement and a competitive advantage. Superficial compliance may delay penalties, but genuine accountability builds resilience, reputation, and long term customer loyalty. Embracing privacy is therefore not just about legal survival, but about winning in a market where trust drives growth.


https://www.linkedin.com/in/esther-nyaguthie-muriuki-a65a43361
