Navigating Kenya’s Data Protection Act, 2019: A Comprehensive Guide for Organizations
Data has become one of the most valuable assets for organizations worldwide. With this value, however, comes immense responsibility. Kenya recognized this reality when it enacted the Data Protection Act, 2019 (Act No. 24 of 2019). This landmark legislation gives effect to Article 31(c) and (d) of the Constitution, which enshrines the right to privacy for every Kenyan citizen.

The Act establishes a comprehensive legal and institutional framework for regulating the processing of personal data. It creates the Office of the Data Protection Commissioner. It provides data subjects with enforceable rights and imposes clear obligations on data controllers and processors. For organizations operating in Kenya, understanding and complying with this Act is not merely a legal obligation. Instead, it is a fundamental aspect of building trust with customers, employees, and stakeholders.
The Foundation: Why Kenya Enacted the Data Protection Act
Before the enactment of this legislation, Kenya lacked a comprehensive legal framework for data protection. The Constitution of Kenya, 2010, under Article 31, guaranteed every person the right to privacy. This right includes the privacy of their communications and the protection of information relating to their family or private affairs. Nevertheless, there was no specific law to operationalize this constitutional right.
The Data Protection Act, 2019, fills this gap. Section 3 outlines the object and purpose of the Act:
- To regulate the processing of personal data.
- To ensure that the processing of personal data is guided by the principles set out in the Act.
- To protect the privacy of individuals.
- To establish the legal and institutional mechanism to protect personal data.
- To provide data subjects with rights and remedies to protect their personal data from unlawful processing.
The Act applies to any data controller or processor established or ordinarily resident in Kenya. It also applies to those not established in Kenya but processing the personal data of data subjects located in Kenya.
Part I: Preliminary Provisions – Understanding Key Definitions
The Act begins by establishing a clear vocabulary. Section 2 provides definitions that are essential for understanding the entire legislation. Some of the most critical definitions include:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person. |
| Data Controller | A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purpose and means of processing personal data. |
| Data Processor | A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the data controller. |
| Data Subject | An identified or identifiable natural person who is the subject of personal data. |
| Consent | Any manifestation of express, unequivocal, free, specific, and informed indication of the data subject’s wishes by a statement or by a clear affirmative action. |
| Sensitive Personal Data | Data revealing a natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details, sex, or sexual orientation. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. |
Understanding these definitions is the first step toward compliance. An organization must know whether it acts as a data controller or processor. Additionally, it must recognize what constitutes personal data, especially sensitive personal data, which attracts stricter protections.
Part II: The Office of the Data Protection Commissioner – The Guardian of Privacy
Part II of the Act (Sections 5-17) establishes the Office of the Data Protection Commissioner. This is a body corporate with perpetual succession. The Constitution designates it as a State Office.
The President appoints the Data Commissioner with the approval of the National Assembly. For the appointment process, the Public Service Commission shortlists and interviews qualified applicants. The Commissioner serves a single term of six years.
Functions and Powers of the Office
Section 8 outlines the functions of the Office. These include:
- Overseeing the implementation and enforcement of the Act.
- Establishing and maintaining a register of data controllers and data processors.
- Exercising oversight on data processing operations.
- Receiving and investigating complaints from data subjects.
- Conducting inspections of public and private entities.
- Promoting international cooperation on data protection matters.
Section 9 grants the Data Commissioner significant powers to fulfill these functions. For instance, the Commissioner can conduct investigations and issue summons to witnesses. Similarly, the Commissioner can require explanations from persons subject to the Act. Moreover, the Commissioner can impose administrative fines for non-compliance.
The Commissioner also has the power to delegate certain functions to other regulators established by Acts of Parliament.
Part III: Registration – Mandatory for Controllers and Processors
Part III of the Act (Sections 18-24) introduces the mandatory registration of data controllers and data processors. Section 18 states that no person shall act as a data controller or data processor unless registered with the Data Commissioner.
The Commissioner prescribes thresholds for mandatory registration. These thresholds consider several factors:
- The nature of the industry.
- The volumes of data processed.
- Whether sensitive personal data is being processed.
Section 19 details the application process. Applicants must provide particulars including a description of the personal data to be processed, the purpose of processing, the category of data subjects, and the security measures in place.
Section 21 requires the Data Commissioner to keep and maintain a register of registered data controllers and processors. Importantly, this register is a public document available for inspection.
The Role of the Data Protection Officer
Section 24 introduces the concept of the Data Protection Officer (DPO). A data controller or data processor may designate a DPO under specific circumstances:
- Where the processing is carried out by a public body.
- Where the core activities consist of processing operations that require regular and systematic monitoring of data subjects.
- Where the core activities consist of processing sensitive personal data.
The DPO advises the data controller or processor on compliance. Additionally, the DPO facilitates capacity building and cooperates with the Data Commissioner. Notably, a group of entities may appoint a single DPO provided that officer is accessible by each entity.
Part IV: Principles and Obligations – The Heart of Data Protection
Part IV of the Act (Sections 25-43) establishes the core principles and obligations that govern the processing of personal data. This is arguably the most important section of the Act for organizations to understand.
The Principles of Data Protection (Section 25)
Every data controller or data processor must ensure that personal data meets several standards:
- The data must undergo processing lawfully, fairly, and in a transparent manner in relation to any data subject.
- Collection must occur for explicit, specified, and legitimate purposes. Further processing must remain compatible with those purposes.
- The data must be adequate, relevant, and limited to what is necessary for the purposes.
- The data must be accurate and, where necessary, kept up to date. Reasonable steps must ensure the erasure or rectification of inaccurate data without delay.
- Retention must not exceed the period necessary for the purposes.
- Transfer outside Kenya requires proof of adequate data protection safeguards or consent from the data subject.
Rights of a Data Subject (Section 26)
The Act grants data subjects several enforceable rights. These rights include:
- The right to be informed of the use to which their personal data is to be put.
- The right to access their personal data in the custody of a data controller or processor.
- The right to object to the processing of all or part of their personal data.
- The right to correction of false or misleading data.
- The right to deletion of false or misleading data about them.
Lawful Processing (Section 30)
A data controller or data processor may only process personal data under specific conditions. These conditions include:
- The data subject consents to the processing.
- The processing is necessary for the performance of a contract.
- The processing is necessary for compliance with a legal obligation.
- The processing is necessary to protect the vital interests of the data subject.
- The processing is necessary for the performance of a task carried out in the public interest.
Conditions of Consent (Section 32)
Consent must be express, unequivocal, free, specific, and informed. The data controller bears the burden of proof for establishing consent. Data subjects have the right to withdraw consent at any time. Importantly, withdrawal does not affect the lawfulness of processing based on prior consent.
Data Protection Impact Assessment (Section 31)
Where a processing operation is likely to result in a high risk to the rights and freedoms of a data subject, a data controller or processor must carry out a data protection impact assessment prior to processing. This assessment must include a systematic description of the processing operations, an assessment of necessity and proportionality, and an assessment of risks to data subjects.
Notification of Breach (Section 43)
When an unauthorized person accesses or acquires personal data, and a real risk of harm to the data subject exists, the data controller must take immediate action. Specifically, the controller must notify the Data Commissioner without delay, within 72 hours of becoming aware of the breach. Additionally, the controller must communicate to the data subject in writing within a reasonably practical period.
If a data processor becomes aware of a breach, it must notify the data controller without delay. Where reasonably practicable, this notification must occur within 48 hours.
Part V: Sensitive Personal Data – Heightened Protections
Part V of the Act (Sections 44-47) addresses the processing of sensitive personal data. Section 44 states that no category of sensitive personal data shall undergo processing unless the principles of data protection apply.
Section 45 provides permitted grounds for processing sensitive personal data. These grounds include:
- The processing occurs in the course of legitimate activities by a not-for-profit body with political, philosophical, religious, or trade union aims.
- The processing relates to personal data manifestly made public by the data subject.
- The processing is necessary for the establishment, exercise, or defense of a legal claim.
- The processing is necessary to protect the vital interests of the data subject or another person.
Section 46 specifically addresses health data. Personal data relating to health may only undergo processing by or under the responsibility of a healthcare provider or by a person subject to professional secrecy obligations.
Part VI: Transfer of Personal Data Outside Kenya
Part VI of the Act (Sections 48-50) regulates the transfer of personal data outside Kenya. Section 48 provides that a data controller or processor may transfer personal data to another country only under specific conditions:
- The data controller or processor provides proof to the Data Commissioner of appropriate safeguards with respect to security and protection of the personal data.
- The transfer is necessary for the performance of a contract.
- The transfer is necessary for any matter of public interest.
- The transfer is necessary for the establishment, exercise, or defense of a legal claim.
- The transfer is necessary to protect the vital interests of the data subject.
Section 50 grants the Cabinet Secretary the power to prescribe certain types of processing. Based on strategic interests of the state or protection of revenue, the Cabinet Secretary may require that such processing only occurs through a server or data center located in Kenya.
Part VII: Exemptions
Part VII of the Act (Sections 51-55) provides for exemptions from certain provisions of the Act. These exemptions include:
- General exemptions (Section 51): Processing by an individual in the course of a purely personal or household activity is exempt. Similarly, processing necessary for national security or public interest is exempt.
- Journalism, literature, and art (Section 52): The principles of processing personal data do not apply where processing is undertaken for publication of literary or artistic material. This exemption applies only where the data controller reasonably believes publication would be in the public interest.
- Research, history, and statistics (Section 53): Further processing of personal data is compatible with the purpose of collection if used for historical, statistical, or research purposes. Crucially, this exemption applies only where the data will not be published in an identifiable form.
Part VIII: Enforcement Provisions – Powers of the Commissioner
Part VIII of the Act (Sections 56-66) grants the Data Commissioner robust enforcement powers.
Complaints and Investigations (Sections 56-57)
A data subject who is aggrieved by a decision of any person under the Act may lodge a complaint with the Data Commissioner. Subsequently, the Commissioner must investigate and conclude complaints within 90 days.
The Commissioner may order any person to attend for oral examination, produce relevant documents, or furnish a written statement under oath.
Enforcement Notices (Section 58)
Where the Commissioner is satisfied that a person has failed to comply with any provision of the Act, the Commissioner may serve an enforcement notice. This notice specifies the contravention, the measures to be taken, and the period within which those measures must be implemented.
Failure to comply with an enforcement notice is an offence. Upon conviction, a person faces a fine not exceeding five million shillings or imprisonment for a term not exceeding two years, or both.
Penalty Notices and Administrative Fines (Sections 62-63)
The Commissioner may issue a penalty notice requiring a person to pay an amount specified in the notice. In determining the amount, the Commissioner considers several factors:
- The nature, gravity, and duration of the failure.
- The intentional or negligent character of the failure.
- Any action taken to mitigate damage or distress.
- The degree of cooperation with the Commissioner.
- Any previous failures by the data controller or processor.
The maximum penalty is up to five million shillings, or in the case of an undertaking, up to one percent of its annual turnover of the preceding financial year, whichever is lower.
Right of Appeal (Section 64)
A person against whom any administrative action is taken by the Data Commissioner may appeal to the High Court.
Compensation to a Data Subject (Section 65)
A person who suffers damage by reason of a contravention of the Act is entitled to compensation from the data controller or the data processor.
Part IX: Financial Provisions
Part IX of the Act (Sections 67-70) outlines the financial framework for the Office of the Data Protection Commissioner. The Office receives funding from monies allocated by the National Assembly, grants, gifts, and donations. Moreover, the Commissioner prepares annual estimates of revenue and expenditure. These estimates then go to the Cabinet Secretary for tabling in the National Assembly.
The annual accounts undergo preparation, audit, and reporting in accordance with the Constitution and the Public Finance Management Act. Meanwhile, the Commissioner submits an annual report to the Cabinet Secretary. Subsequently, the Cabinet Secretary presents this report to the National Assembly.
Part X: Delegated Powers – Regulations
Part X (Section 71) empowers the Cabinet Secretary to make regulations for giving effect to the Act. These regulations may cover:
- Requirements imposed on data controllers and processors.
- Mechanisms for conducting certification programs.
- Information to be provided to data subjects.
- The levying of fees and taking of charges.
- Measures to safeguard a data subject’s rights.
- Processing of data through a server or data center in Kenya.
Part XI: Miscellaneous Provisions – Offences and Penalties
Part XI (Sections 72-74) establishes offences and general penalties.
Unlawful Disclosure (Section 72)
A data controller who discloses personal data in a manner incompatible with the purpose for which it was collected commits an offence. Similarly, a data processor who discloses personal data without the prior authority of the data controller commits an offence.
A person who obtains access to personal data without prior authority commits an offence. Likewise, a person who offers to sell personal data obtained in breach of the Act commits an offence.
General Penalty (Section 73)
A person who commits an offence for which no specific penalty is provided is liable, on conviction, to a fine not exceeding three million shillings or to imprisonment for a term not exceeding ten years, or to both.
Additionally, the Court may order the forfeiture of any equipment or article used in the commission of the offence.
How Boardtac Solutions Helps Organizations Achieve Compliance
Navigating the complexities of the Data Protection Act, 2019, can be daunting for organizations. The Act imposes significant obligations. Non-compliance carries severe penalties, including hefty fines and reputational damage.
Boardtac Solutions is a technology company dedicated to helping organizations achieve and maintain data protection compliance. We offer a comprehensive suite of services designed to address every aspect of the Act.
1. Data Protection Impact Assessments (DPIA)
Section 31 of the Act requires organizations to carry out a data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of data subjects. Boardtac Solutions conducts thorough DPIAs for our clients. We identify risks, assess necessity and proportionality, and recommend measures to mitigate identified risks. Ultimately, our assessments provide a clear roadmap for compliant processing.
2. Data Mapping and Inventory
Compliance begins with understanding what personal data an organization holds, where it comes from, and how it flows through the organization. Boardtac Solutions helps clients create comprehensive data maps and inventories. We identify all personal data processing activities. We classify data, including sensitive personal data. We document the purpose of processing, the legal basis, and the retention periods. This foundational work is essential for demonstrating compliance.
3. Privacy Policy Development and Review
Section 29 requires data controllers to notify data subjects of various matters before collecting personal data. Boardtac Solutions helps organizations develop and review privacy policies and notices. We ensure these documents are clear, comprehensive, and compliant with the Act. Furthermore, we help organizations communicate effectively with data subjects about their rights and how their data will be used.
4. Consent Management Solutions
Section 32 places the burden of proof for consent on the data controller. Organizations must demonstrate that consent was freely given, specific, informed, and unambiguous. Boardtac Solutions implements consent management platforms that capture, record, and manage consent in a verifiable manner. These platforms allow data subjects to withdraw consent easily. Moreover, they enable organizations to demonstrate compliance when challenged.
5. Data Protection Officer (DPO) Services
Section 24 requires certain organizations to designate a Data Protection Officer. However, not all organizations have the internal expertise or resources to appoint a qualified DPO. Boardtac Solutions offers outsourced DPO services. We provide experienced data protection professionals who advise on compliance, facilitate capacity building, and serve as the point of contact for the Data Commissioner.
6. Data Subject Rights Management
Section 26 grants data subjects several rights, including the right to access, rectification, erasure, and data portability. Organizations must have mechanisms in place to respond to these requests within specified timeframes. Boardtac Solutions implements systems that automate the management of data subject requests. Consequently, we help organizations respond efficiently and demonstrate compliance.
7. Breach Notification and Response
Section 43 imposes strict timelines for breach notification. Data controllers must notify the Data Commissioner within 72 hours of becoming aware of a breach. They must also communicate to affected data subjects within a reasonably practical period. Boardtac Solutions helps organizations develop incident response plans. We provide breach notification templates and procedures. We assist with the notification process to ensure compliance with the strict timelines.
8. Data Protection by Design and Default
Section 41 requires data controllers to implement appropriate technical and organizational measures to integrate data protection principles into processing activities. This includes measures such as pseudonymisation and encryption. Boardtac Solutions provides technical solutions that embed data protection into systems from the ground up. We help organizations implement encryption, access controls, and other technical safeguards.
9. Training and Capacity Building
Compliance requires a culture of data protection within an organization. Boardtac Solutions provides comprehensive training programs for staff at all levels. We train employees on their obligations under the Act. We educate them on handling personal data safely. We build awareness of data subject rights and breach reporting procedures.
10. Compliance Audits and Gap Assessments
Section 23 empowers the Data Commissioner to carry out periodical audits of data controllers and processors. Organizations must be prepared for these audits. Boardtac Solutions conducts compliance audits and gap assessments. We evaluate existing practices against the requirements of the Act. We identify gaps and recommend remedial actions. Ultimately, we help organizations prepare for regulatory inspections.
The Cost of Non-Compliance
The Data Protection Act, 2019, is not merely advisory. It carries significant penalties for non-compliance. Section 63 provides for administrative fines of up to five million shillings or, in the case of an undertaking, up to one percent of its annual turnover, whichever is lower.
Section 73 provides for criminal penalties. A person convicted of an offence under the Act may face a fine not exceeding three million shillings or imprisonment for a term not exceeding ten years, or both.
Beyond these legal penalties, non-compliance carries significant reputational risk. Data subjects who suffer damage are entitled to compensation under Section 65. Loss of customer trust can have long-lasting effects on an organization’s brand and bottom line.
Data Protection in Action: How Boardtac Solutions Safeguards Your Data Across Every Service
At Boardtac Solutions, we understand this responsibility deeply. As a security systems and IT solutions company in Kenya, we offer end-to-end services ranging from CCTV installation to network infrastructure and IT support. Across every service we provide, we embed data protection principles into our design, implementation, and maintenance processes.
Our Commitment to Data Protection
1. Security Systems Services
Security systems inherently collect and process personal data. CCTV cameras capture images of individuals. Biometric systems store fingerprint or facial recognition data. Access control systems record who enters and exits a facility. Boardtac Solutions takes specific measures to protect this sensitive information.

CCTV Systems
Our Services:
- CCTV camera supply and installation
- CCTV repair and maintenance
- Remote viewing (mobile and cloud systems)
How We Maintain Data Protection:
When we install CCTV systems, we prioritize data minimization and purpose limitation. We work with clients to determine exactly which areas require surveillance. We avoid installing cameras in private spaces such as restrooms or changing rooms. This ensures we collect only necessary data.

For remote viewing systems, we implement strict access controls. Only authorized personnel receive access credentials. We use encrypted connections for all remote viewing. For cloud-based systems, we select providers that offer robust security certifications. We also ensure that data storage locations comply with local data protection requirements.
During maintenance and repair, we handle recorded footage with strict confidentiality. Our technicians sign confidentiality agreements. We never access or view footage without proper authorization.
Biometric & Access Control
Our Services:
- Biometric systems (fingerprint and facial recognition).
- Door access control systems (RFID, PIN, mobile access).
- Employee time attendance systems.
How We Maintain Data Protection:
Biometric data is classified as sensitive personal data under the Data Protection Act. Boardtac Solutions treats this with the highest level of care.

When deploying biometric systems, we ensure that the data remains stored locally on the device whenever possible. We avoid storing biometric templates in centralized databases unless absolutely necessary. Where central storage is required, we implement strong encryption both at rest and in transit.
For access control systems, we configure role-based access permissions. We ensure that only authorized administrators can modify user credentials or access logs. We also help clients establish retention policies for access logs. These logs should not be kept longer than necessary for security or compliance purposes.
We also provide training to our clients on how to manage biometric data responsibly. We advise on obtaining proper consent from employees and visitors before collecting biometric information.
Alarm & Perimeter Security
Our Services:
- Intruder alarm systems.
- Electric fence installation and maintenance.
- Motion sensors and panic systems.
How We Maintain Data Protection:
While alarm systems collect less personal data than CCTV or biometric systems, they still require data protection considerations. Many modern alarm systems send notifications to mobile devices. This involves transmitting information about who triggered the alarm and when.
Boardtac Solutions ensures that all alarm system communications use encrypted channels. We configure systems to minimize unnecessary data transmission. We also help clients establish protocols for handling alarm logs, ensuring they are retained only for legitimate security purposes.
Intercom & Video Door Systems
Our Services:
- Apartment intercom systems
- Video intercom (door communication systems)
How We Maintain Data Protection:
Video intercom systems capture both audio and video of visitors. This constitutes personal data. Boardtac Solutions ensures that these systems use encrypted communication channels. We configure systems to allow residents to control who they communicate with and when.
We also ensure that any recorded footage from video intercom systems is stored securely. Access to recordings is restricted to authorized individuals only.
2. Networking & Internet Solutions

Networking infrastructure forms the backbone of any organization’s data processing activities. Boardtac Solutions ensures that the networks we design and install provide robust protection for the data that flows through them.
Network Installation
Our Services:
- Structured cabling (Cat6 and fibre)
- Office LAN setup
- Network troubleshooting
How We Maintain Data Protection:
When we design and install networks, we incorporate security principles from the ground up. We use physical security measures to protect network infrastructure. Cables run through secure conduits. Network equipment resides in locked cabinets or rooms.

We segment networks to isolate sensitive systems from general access. For example, we ensure that CCTV and biometric systems operate on separate virtual LANs (VLANs) from guest Wi-Fi networks. This prevents unauthorized access to security systems through less secure network segments.
During network troubleshooting, we follow strict protocols. Our technicians access systems only with proper authorization. We never examine or extract data beyond what is necessary to resolve the issue.
Wi-Fi & Connectivity
Our Services:
- Wi-Fi access point installation
- Network optimization
- Mobile signal boosters
How We Maintain Data Protection:
Wi-Fi networks are common entry points for unauthorized access. Boardtac Solutions implements strong security measures on all wireless networks we deploy.
We configure Wi-Fi networks using WPA3 encryption whenever possible. We create separate guest networks for visitors, ensuring they cannot access internal systems. We implement strong passwords and, where appropriate, certificate-based authentication.
For mobile signal boosters, we ensure that these devices do not interfere with existing security systems. We also verify that they meet regulatory requirements for telecommunications equipment.
Internet Solutions
Our Services:
- Starlink installation
- Internet setup for offices and remote areas
How We Maintain Data Protection:
Internet connectivity is the gateway to an organization’s data. Boardtac Solutions ensures that our internet solutions include security measures to protect against external threats.
We configure routers with firewalls to block unauthorized access. We implement content filtering where required. We advise clients on the importance of securing their internet connections with strong passwords and regular firmware updates.
For Starlink installations, we ensure that the equipment is physically secured. We configure the network to prevent unauthorized access to the satellite terminal.
3. IT Support & Equipment Services

IT support services involve direct access to client systems and data. Boardtac Solutions maintains strict protocols to ensure data protection during all support activities.
IT Equipment Supply & Support
Our Services:
- Computers, laptops, printers
- Routers, switches, UPS
How We Maintain Data Protection:
When we supply IT equipment, we ensure that devices come with secure configurations. We pre-configure operating systems with security settings enabled. We install antivirus software where required.
During equipment setup, we ensure that any default passwords are changed. We advise clients on secure password policies and user account management.
IT Maintenance
Our Services:
- Computer repair and servicing
- Server maintenance
- Data backup solutions
How We Maintain Data Protection:
IT maintenance presents unique data protection challenges. Our technicians frequently access systems that contain sensitive data. Boardtac Solutions addresses these risks through strict operational protocols.

Before any maintenance work, we require written authorization from the client. We document all access to client systems. We work on devices in secure environments to prevent unauthorized viewing of data.
For server maintenance, we follow strict change management procedures. We ensure that backups are performed regularly and stored securely. We test backup integrity without exposing data to unauthorized access.
For data backup solutions, we help clients implement the 3-2-1 backup rule: three copies of data, on two different media, with one copy stored offsite. We ensure that backups are encrypted both at rest and during transmission.
4. Communication Systems
Communication systems process voice and video data, which often contain personal or confidential information. Boardtac Solutions ensures these systems maintain data protection throughout their operation.
Office Telephony
Our Services:
How We Maintain Data Protection:
VoIP systems transmit voice conversations over IP networks. These conversations may contain sensitive information. Boardtac Solutions ensures that our VoIP deployments use encryption for both signaling and media streams.
We configure VoIP systems with strong authentication requirements. We ensure that voicemail systems require secure passwords. We help clients establish call logging and recording policies that comply with data protection requirements.
Video Conferencing
Our Services:
- Conference room setup
- Zoom and Teams compatible systems
How We Maintain Data Protection:
Video conferencing systems capture audio and video of participants. Boardtac Solutions ensures that these systems are configured with security as a priority.

We use equipment that supports encrypted communication protocols. We ensure that meeting rooms are equipped with privacy indicators so participants know when cameras and microphones are active.
We advise clients on secure meeting practices, such as using meeting passwords, waiting rooms, and not recording meetings without consent.
5. Business & Office Solutions
Business solutions often involve processing customer or employee data. Boardtac Solutions ensures that the systems we deploy protect this data appropriately.
POS (Point of Sale) Systems
Our Services:
- POS system installation and configuration
- Payment terminal setup
How We Maintain Data Protection:
POS systems process payment information, which is highly sensitive. Boardtac Solutions ensures that our POS deployments comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements.
We segment POS systems from other networks to prevent unauthorized access. We ensure that payment terminals are physically secure. We configure systems to minimize storage of cardholder data.
IT System Relocation
Our Services:
- IT equipment relocation
- Server room moves
How We Maintain Data Protection:
Relocating IT systems carries significant data protection risks. Equipment can be damaged, lost, or accessed by unauthorized individuals during moves.
Boardtac Solutions follows strict protocols for IT relocations. We create detailed inventories of all equipment before moving. We handle devices with care to prevent damage. We ensure that data is securely backed up before any move. We transport equipment in secure vehicles with chain-of-custody documentation.
Cable Tracing & Troubleshooting
Our Services:
- Cable identification and tracing
- Network fault diagnosis
How We Maintain Data Protection:
Cable tracing and troubleshooting often require accessing infrastructure that carries data. Boardtac Solutions ensures that our technicians follow strict protocols to prevent service disruption or data exposure.
We use specialized equipment to trace cables without interrupting service. We document all work performed. We restore any infrastructure we disturb to its original secure state.
IT Consultancy Services
Our Services:
- IT strategy and planning
- Data protection advisory
- Technology assessments
How We Maintain Data Protection:
Our consultancy services involve advising clients on how to manage their technology and data responsibly. We draw on our deep understanding of the Data Protection Act, 2019, to provide practical, actionable recommendations.
We help clients conduct data protection impact assessments. We advise on appropriate security measures for different types of data. We assist in developing data protection policies and procedures. We provide guidance on vendor selection and contract terms to ensure third-party compliance.
6. Additional Solutions
Solar Installation
Our Services:
- Solar power systems for businesses and homes
- Backup power solutions
How We Maintain Data Protection:
While solar installations do not directly process personal data, they often interface with monitoring systems that may collect usage data. Boardtac Solutions ensures that any monitoring systems we install use secure communication channels. We advise clients on privacy considerations for smart energy management systems.
Smart Systems Integration
Our Services:
- Home and office automation
- IoT device integration
How We Maintain Data Protection:
Smart systems integrate multiple devices that collect data about occupants. This includes lighting preferences, temperature settings, occupancy patterns, and more. Boardtac Solutions ensures that these systems are configured with privacy in mind.
We use systems that store data locally when possible. We implement strong authentication for remote access. We advise clients on the privacy implications of different smart system configurations.
Website & Email Setup
Our Services:
- Business website development
- Professional email setup
- Digital presence management
How We Maintain Data Protection:
Websites and email systems process significant amounts of personal data. Boardtac Solutions ensures that the digital presence solutions we provide are secure and compliant.
We implement SSL/TLS encryption for all websites we create. We configure email systems with spam filtering and malware protection. We ensure that contact forms and other data collection mechanisms include privacy notices and consent mechanisms.
We advise clients on their obligations under the Data Protection Act, including the need for privacy policies and cookie consent mechanisms.
Our End-to-End Approach to Data Protection
What sets Boardtac Solutions apart is our end-to-end approach. We do not simply supply and install systems. We provide ongoing support to ensure data protection is maintained over time.
Supply
When we supply equipment, we select products that meet rigorous security standards. We work with reputable manufacturers who prioritize data protection in their product design. We ensure that all equipment is sourced through legitimate supply chains to prevent tampering or counterfeit components.
Installation
During installation, we configure systems with security as a default. We change default passwords. We enable encryption. We set up access controls. We document all configurations to support future maintenance and compliance activities.
Maintenance
Our maintenance services include regular security updates. We ensure that firmware and software remain current. We monitor for potential vulnerabilities. We perform periodic reviews of system configurations to ensure they remain aligned with data protection requirements.
Support
Our support services include incident response. When issues arise, we respond promptly to minimize data protection risks. We document all incidents and provide recommendations to prevent recurrence.
Building a Culture of Data Protection
Beyond our technical measures, Boardtac Solutions invests in building a culture of data protection within our organization and among our clients.
Staff Training
All Boardtac Solutions staff receive training on data protection principles. Our technicians understand their obligations when handling client data. Our consultants stay current on data protection regulations and best practices.
Client Education
We believe in empowering our clients to maintain data protection independently. We provide training and documentation for every system we install. We explain the data protection implications of different configuration choices. We help clients understand their responsibilities under the Data Protection Act.
Continuous Improvement
Data protection is not a static goal. Threats evolve. Regulations change. Technologies advance. Boardtac Solutions commits to continuous improvement in our data protection practices. We regularly review our processes. We update our methods to reflect new threats and best practices.
Conclusion: Your Partner in Data Protection
The Data Protection Act, 2019, establishes clear requirements for organizations handling personal data. Compliance requires not only policies and procedures but also technology solutions that embed data protection by design.
At Boardtac Solutions, we are committed to being your partner in this journey. Across every service we offer—from CCTV installation to network infrastructure, from IT support to smart systems integration—we embed data protection principles into everything we do.
We do not simply install systems and walk away. We provide ongoing support to ensure that your data remains protected over time. We educate your staff on best practices. We advise you on compliance requirements. We stand behind our work with a commitment to security and privacy.
When you choose Boardtac Solutions, you choose a partner who understands that data protection is not a feature. It is a responsibility. We take that responsibility seriously.
About Boardtac Solutions
Boardtac Solutions is a security systems and IT solutions company in Kenya, offering end-to-end services for homes, businesses, and institutions. We specialize in:
- Security Systems (CCTV, Biometric Access Control, Alarms, Intercom)
- Networking & Internet Solutions (Structured Cabling, Wi-Fi, Starlink)
- IT Support & Equipment Services (Hardware Supply, Maintenance, Backup)
- Communication Systems (VoIP, Video Conferencing)
- Business & Office Solutions (POS, IT Relocation, Consultancy)
- Additional Solutions (Solar, Smart Systems, Digital Presence)
Our strength lies in our end-to-end approach: supply, installation, maintenance, and support. We are your one-stop provider for security and IT infrastructure.
Contact Us Today
Ready to enhance your security and IT infrastructure while maintaining data protection compliance? Reach out to our team.
- Website: www.boardtac.co.ke
- Email: support@boardtac.co.ke
- Phone: 0113670045
Let us build a secure, compliant, and connected future together.
















