There is a conversation I find myself having with increasing frequency. A programme officer, a grants manager, or an executive director reaches out, sometimes in a mild panic because a donor has raised data-handling questions during due diligence, or because a data subject has made a complaint to the Office of the Data Protection Commissioner (ODPC). The same thing is repeated almost every time: “We didn’t think this applied to us.”
It does. And the cost of that assumption is no longer theoretical.
Kenya’s Data Protection Act (DPA) is unambiguous. If your organisation collects, stores, uses, or shares personal data, which every civil society organisation (CSO) does, you are a data controller or data processor under the law. That obligation does not shrink because your mission is noble, your budget is thin, or your team is small.
The Visible Costs: Penalties and Enforcement
Let us start with what most people think of when they hear “non-compliance”: fines. Under the DPA, an organisation found in violation may be liable to a financial penalty of up to five million Kenya shillings, or one percent of its annual gross turnover, whichever is lower. For a mid-sized CSO managing donor grants worth tens of millions, one percent of turnover is not a rounding error. It is a budget line that wipes out a programme.
The ODPC has demonstrated, through its published enforcement determinations, that it will act. Investigations have been opened, determinations issued, and enforcement orders handed down. Regulators are now more active and involved. For CSOs that have treated data protection as a future agenda item, the future is here.
Beyond financial penalties, consider the operational disruption that accompanies an investigation. Responding to a formal ODPC inquiry requires legal support, internal audits, document retrieval, and staff time, all resources diverted from programme delivery. A three-month investigation process does not just cost money; it costs momentum.
The Hidden Costs: What Doesn’t Show on the Balance Sheet
Here is where the real damage accumulates quietly, and often irreversibly.
Donor trust and grant eligibility. International donors, particularly those from the European Union (EU) and the United Kingdom, are applying data protection compliance requirements as a condition of funding. Donors aligned with the EU’s General Data Protection Regulation (GDPR) routinely embed data handling clauses in grant agreements and conduct due diligence that explicitly examines whether recipient organisations have registered with the ODPC, maintain a Record of Processing Activities, and have a functioning privacy governance structure. Failure on these counts does not just risk a grant renewal. It can disqualify an organisation from an initial application entirely. I have seen this happen. A CSO loses not just one grant, but its positioning in a competitive funding landscape where compliance is increasingly a proxy for institutional maturity.
Beneficiary trust and programme integrity. CSOs work with some of the most vulnerable populations in society: survivors of gender-based violence, persons with disabilities, refugees, people living with HIV, and children in conflict with the law. These individuals share deeply sensitive personal data in conditions of trust. A data breach, or even a credible allegation of mishandling, does not just expose an organisation to legal liability. It severs the relationship between an organisation and the communities it exists to serve. Programme participation drops. Community liaisons disengage. Years of relationship-building evaporate. You cannot quantify that in shillings, but you can feel it in every empty seat at the next community dialogue.
Reputational damage in a small ecosystem. Kenya’s civil society sector is, in many ways, a village. People talk. A complaint to the ODPC, a public enforcement determination, or even a disgruntled former staff member posting about poor data practices can circulate quickly. Unlike a fine, which is paid and resolved, reputational harm lingers. It affects partnerships, coalition invitations, media relationships, and the informal credibility that organisations depend on to convene difficult conversations.
Staff and volunteer exposure. The DPA imposes personal liability in certain circumstances. Executives and officers who act unlawfully or who fail to act where action was required are not automatically insulated by the corporate veil of their organisation. This is not widely appreciated, and it should be.
CSO Data Handling Must Change
For too long, compliance has been framed as an expense. A grudging line item. Something to attend to eventually. That framing is not just outdated, it is dangerous.
The actual question for any CSO leadership team is this: Can you afford a five-million-shilling penalty? Can you afford to lose a flagship donor? Can you afford to lose the trust of the communities your organisation was built to protect?
The answer, in almost every case, is no.
Data protection compliance is not the price of doing business. It is the foundation of doing it credibly. The organisations that understand this earliest will not just avoid sanctions; they will build the institutional resilience that defines the next generation of Kenyan civil society leadership.
The cost of non-compliance is real. The question is whether you find out before or after it is charged.
By Dr. Mugambi Laibuta | Chairperson, Data Privacy and Governance Society of Kenya