Cyber Security, Privacy & Data Protection

We also offer legal advisory services in relation to privacy and data protection under the Kenyan Data Protection Act, 2019 as well as legal instruments like EU General Data Protection Regulation (GDPR), which is a benchmark for data protection. In addition, there are other legislations, which apply to data protection and privacy including the Consumer Protection Act, the Media Act and the Kenya Information and Communications Act.

The Kenyan Data Protection Act, which was enacted on 8th November 2019, applies to data controllers and processors established or resident in or outside Kenya in so far as they process personal data while in Kenya or of data subjects located in Kenya.

This law was enacted in accordance with the requirements of Article 31(c) and (d) of the Constitution of Kenya. Therefore, data protection and privacy have a constitutional underpinning.

At CM Advocates, our practice in cybersecurity, privacy and data protection focuses on internet sectors, e-Commerce and intellectual property, regulated industries (like telecom, financial, pharmaceutical, advertisement and gaming sectors) as well as public entities. We have expertise on contentious matters like data protection law-related claims of the individuals affected (such as employees’ information claims) and data breaches as well as non-contentious matters including data protection contracts, cybersecurity and data management advisory, data protection audits and compliance projects. In addition to assisting clients in their response to regulator investigations, we advise on class action lawsuits and other claims that arise out of privacy violations and security breaches. In collaboration with our other teams, we also counsel clients on crosscutting issues including on labour and employment, consumer protection, competition law and product-based liability.

We can advise our clients at each stage of the data lifecycle. At the first stage, we help our clients assess and reduce their privacy and security risks and comply with applicable laws. When developing new products and services or during marketing stage, we assist clients by advising on privacy and security at the outset to maximize the effectiveness of their offerings and avoid legal and regulatory pitfalls. We advise clients on complex issues associated with both personal and sensitive business data, including its collection, use, storage, disclosure, transfer and destruction. We guide and advise clients on legal compliance and business strategy relating to privacy and security risk management, cybersecurity and technology transactions.

Our areas of work include:

• Strategic regulatory compliance advice;
• Vendor management program development and implementation;
• Cybersecurity and privacy contract development and negotiation;
• Data protection programs development;
• Data protection, privacy and cybersecurity audits, compliance risk assessment and remediation;
• Cyber risk management and incident response;
• Privacy policies for organizations and their websites and mobile privacy issues;
• M&A and technology transactions;
• Data security, privacy and technology regulatory response and litigation;
• Regulatory investigations by sector-specific regulators;
• Cross-border data flow requirements and solutions.