Most companies don't think of themselves as data companies. Yet nearly every modern business collects, stores, or processes personal data, whether through customer onboarding, employee records, digital marketing, or mobile applications. In today's digital economy, data is not just a byproduct of operations, it is the business.
At MEN Advocates LLP, we frequently encounter businesses, especially startups and growth-stage companies, that view data protection as a "later" concern. That is, until a breach occurs, a complaint is lodged, or a regulator comes calling.
This article is a reflection on what we know, what we see, and the systemic blind spots that make compliance more challenging than it should be.
What We Know
Every organisation that handles personal data in Kenya is required to comply with the Data Protection Act, 2019 and its subsidiary regulations, including the Data Protection (General) Regulations, 2021, the Data Protection (Registration of Data Controllers and Data Processors) Regulations, 2021, and others.
Compliance entails:
- Registering as a data controller or data processor with the Office of the Data Protection Commissioner (ODPC);
- Obtaining informed consent before collecting data;
- Developing and publishing a privacy policy;
- Implementing internal governance structures such as data protection officers or equivalent accountability mechanisms;
- Ensuring secure processing, storage, and access control protocols.
These obligations are not optional, nor are they limited to "big tech" companies. They apply to all sectors, including e-commerce, health, fintech, hospitality, and education.
What We See
We once advised a growing e-commerce company, let's call it Zuri Mart, that had built a strong customer base and was preparing for regional expansion. Although it relied heavily on user data for marketing and personalisation, it had not registered with the ODPC, had no documented privacy policy, and had not implemented a system for obtaining valid consent.
Then came the disruption: a former employee filed a complaint alleging misuse of customer data. What followed was an ODPC inquiry, a reputational hit, and the eventual withdrawal of a major partner concerned about legal exposure. Although the violations were mostly administrative, their consequences turned out to be severe, and they would have been easily preventable had there been even a basic compliance structure in place.
Mistakes Clients Make Before They Speak to Us
- Assuming the law only targets large corporations – The ODPC has publicly stated that enforcement will extend to both public and private entities, regardless of size, particularly where vulnerable data subjects are affected.
- Using boilerplate privacy policies – Many companies adopt templates from the internet, often based on GDPR or US law, which may not align with Kenyan requirements, such as the express consent standard.
- Neglecting to document consent – Collecting user data without auditable consent mechanisms (especially for marketing) creates both legal and reputational risk.
- Ignoring third-party risk – Companies that outsource data functions to cloud providers or processors often fail to conduct due diligence or put in place proper data processing agreements.
The above are not rare missteps; they are widespread, and they almost always come to light too late.
Ethical Grey Zones
Not every questionable practice is clearly unlawful. We've seen employers monitor employee communications without disclosing surveillance policies. We've seen businesses collect customer data under the guise of giveaways, only to use it for unsolicited advertising. We've seen app developers silently integrate location tracking into otherwise benign services.
These acts fall into ethical grey zones—where the letter of the law may not yet have been tested, but the spirit of fairness and consent is clearly absent.
Systemic Challenges in the Compliance Landscape
Despite the clarity of the law, implementation remains a challenge for many organisations:
- Regulatory ambiguity: In some areas, such as automated decision-making or cross-border data transfer, guidance from the ODPC is still evolving.
- Limited enforcement precedent: While the ODPC has begun enforcement (e.g., issuing fines to digital lenders and schools), many businesses still perceive the risk as remote.
- Resource constraints: Startups and SMEs often lack the internal capacity, both technical and legal, to establish effective data governance frameworks.
These challenges contribute to a culture of reactive compliance, where legal structures are only considered once things go wrong.
What We Tell Our Clients
Data protection is not just a legal checkbox. It's a foundation for trust, longevity, and business legitimacy.
You don't need an elaborate compliance program to start. But you do need:
- A clear and lawful privacy policy;
- Mechanisms for obtaining and recording user consent;
- Contracts that define responsibilities with third-party service providers;
- An internal point person responsible for data issues, even if not formally titled a "Data Protection Officer."
We help our clients build scalable, context-specific compliance systems that grow with their business.
Closing Thought: The Cost of Doing Nothing
Compliance often feels like an expense with no immediate return. But failing to act invites far greater costs: enforcement action, reputational damage, customer churn, and lost investor confidence.
If your company handles personal data, and most do, it's time to treat compliance not as an afterthought, but as a core business function.
The legal framework exists. The risks are real. And the time to act is now.
MEN Advocates LLP
Bridging Innovation and Legal Excellence.