Compliance Frameworks

Every Major Framework. One Trusted Partner.

From Kenya Data Protection Act compliance to ISO 27001 certification and GDPR readiness — we guide African organisations through the full compliance journey, from initial gap assessment to ongoing maintenance.

Kenya Data Protection Act 2019 (Priority Framework)
Kenya Data Protection Act Compliance

The Kenya Data Protection Act 2019 (DPA) establishes comprehensive data protection rights for Kenyan citizens and obligations for organisations that process personal data. Enacted in November 2019 and actively enforced by the Office of the Data Protection Commissioner (ODPC), compliance is no longer optional.

SecureZaidi specialises in helping Kenyan businesses achieve and maintain DPA compliance — from initial ODPC registration through to building lasting data protection governance.

Who it applies to: All organisations that collect, process, store, or transfer personal data about Kenyan residents — regardless of where the organisation is based.
Key obligations: ODPC registration, lawful basis for processing, data subject rights, data breach notification (72 hours), data protection officer appointment, cross-border transfer restrictions.
Enforcement: The ODPC has issued enforcement notices, conducted investigations, and imposed fines. Proactive compliance is essential — penalties reach KES 5 million or 3 years imprisonment.
Sensitive data: Special categories include health data, biometric data, financial data, and children's data — subject to additional controls and restrictions.
DPA Compliance Requirements: ODPC Obligations Checklist

Registration deadline: Mandatory for all organisations. Every data controller and processor must register with the ODPC. Operating without registration is a criminal offence.
Administrative penalty: Up to KES 5,000,000 per violation. Multiple violations can be cumulative.
Criminal penalty: Up to 3 years imprisonment for serious violations, including unlawful processing of sensitive data.
Breach notification: Within 72 hours. Personal data breaches must be notified to the ODPC within 72 hours of becoming aware.
Data retention: Purpose-limited. Data must not be retained longer than necessary for the original purpose. Deletion policies are required.

How SecureZaidi Delivers DPA Compliance

A structured, phased approach that takes you from gap assessment to full compliance — with ongoing support to maintain it.

Phase 01: Gap Assessment
Comprehensive review of your current data practices against all Kenya DPA requirements, identifying gaps, risks, and prioritised remediation actions.
Phase 02: Data Mapping
Full mapping of all personal data flows (systems, processes, third parties, and cross-border transfers) to build a complete Record of Processing Activities.
Phase 03: Policy & Controls
Development of all required policies, notices, consent mechanisms, and technical controls, including staff training and ODPC registration support.
Phase 04: Ongoing Compliance
Annual compliance reviews, ODPC renewal support, breach response assistance, and quarterly check-ins to maintain compliance as your business evolves.
International Standard
ISO/IEC 27001:2022

ISO 27001 is the world's leading international standard for information security management. Achieving certification demonstrates to customers, partners, and regulators that your organisation has implemented a systematic approach to managing sensitive information — and that it has been independently verified.

For Kenyan and East African businesses seeking to win enterprise contracts, attract international investment, or demonstrate security maturity, ISO 27001 certification is increasingly a requirement rather than a differentiator.

01. Gap Analysis
Assessment of current controls against ISO 27001:2022 Annex A requirements. Typically identifies 40–70 gaps requiring remediation before certification.
02. ISMS Design & Implementation
Design and implementation of your Information Security Management System: policies, procedures, risk assessment methodology, and Annex A controls.
03. Internal Audit
SecureZaidi conducts a rigorous internal audit to identify any remaining gaps before the certification body audit, maximising first-time pass rates.
04. Certification Audit Support
On-site support during Stage 1 and Stage 2 audits with the certification body. Average time to certification with SecureZaidi: 6–9 months.
05. Surveillance & Recertification
Annual surveillance audit preparation and triennial recertification support, maintaining your ISMS currency and certification validity over time.
ISO/IEC 27001:2022 at a glance
Full title: Information Security Management Systems, Requirements
Controls: 93 Annex A
Validity: 3 Years
Avg. Timeline: 6–12 Months
Audit Type: Third-Party
ISO 27001:2022 Themes: Organisational Controls (37), People Controls (8), Physical Controls (14), Technological Controls (34)
New: Threat Intelligence, Cloud Security, ICT Readiness
SecureZaidi Success Rate: 100% first-time certification pass rate for clients supported through the full programme
GDPR at a glance
Full title: General Data Protection Regulation (EU) 2016/679
Max Fine: €20M or 4% Turnover
Applies To: EU/EEA Data
Breach Notice: 72 Hours
Review Cycle: Annual
Who Needs GDPR in Africa
Companies processing EU/UK customer data
Businesses with UK or EU operations
African subsidiaries of European parents
SaaS platforms serving European markets
NGOs receiving EU funding with data obligations
GDPR compliance in Kenya is closely aligned with Kenya DPA requirements. Organisations can often achieve both simultaneously — maximising efficiency and reducing cost.
EU Data Protection
GDPR Compliance

The General Data Protection Regulation (GDPR) has extraterritorial reach — it applies to any organisation worldwide that processes personal data of EU or UK residents. For Kenyan businesses with international operations, European customers, or UK partnerships, GDPR compliance is a legal necessity.

The good news: Kenya's DPA was modelled closely on GDPR principles. Organisations pursuing Kenya DPA compliance can achieve most GDPR requirements simultaneously — with SecureZaidi coordinating an integrated approach.

01. GDPR Applicability Assessment
Determine whether GDPR applies to your organisation, and to what scope, based on your data processing activities, customer base, and operational footprint.
02. Lawful Basis & Consent Framework
Identify the correct lawful basis for each processing activity. Design GDPR-compliant consent mechanisms, legitimate interest assessments, and contractual clauses.
03. Cross-Border Transfer Mechanisms
Implement appropriate safeguards for transfers of EU personal data to Kenya: Standard Contractual Clauses, adequacy assessment, and binding corporate rules.
04. Integrated DPA + GDPR Programme
Where both frameworks apply, we coordinate a unified compliance programme that satisfies both simultaneously, avoiding duplication and reducing total cost.
US Cybersecurity Framework
NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework (CSF) is the most widely adopted cybersecurity framework globally — used by organisations of all sizes across every industry to understand, assess, and improve their cybersecurity posture. The 2024 update (CSF 2.0) added a sixth function: Govern.

NIST CSF 2.0 is particularly valuable as a maturity assessment and risk management tool — providing a clear, structured language for communicating cyber risk to boards and leadership, and a roadmap for systematic improvement.

GV (Govern): Establish and monitor the organisation's cybersecurity risk management strategy, expectations, and policy, including roles, responsibilities, and oversight mechanisms.
ID (Identify): Understand the organisation's cybersecurity risk to systems, people, assets, data, and capabilities: asset management, risk assessment, and supply chain risk.
PR (Protect): Implement appropriate safeguards: identity management, access control, awareness training, data security, and protective technology.
DE (Detect): Implement appropriate activities to identify the occurrence of cybersecurity events: anomalies, continuous monitoring, and detection processes.
RS / RC (Respond & Recover): Plan and implement response and recovery activities: communications, analysis, mitigation, improvements, and restoration of normal operations.
NIST CSF 2.0 at a glance
Full title: NIST Cybersecurity Framework 2024
Functions: 6 Core Functions
Tiers: 4 Maturity Tiers
Type: Framework / Advisory
Certification: No (Assessment-Based)
Maturity Tier Scale: Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive
Additional Frameworks

More Compliance Frameworks We Support

Beyond our core framework specialisations, SecureZaidi supports compliance with a wide range of additional standards — particularly relevant for sector-specific requirements.

PCI DSS v4.0
Payment Card Industry Data Security Standard
Essential for any organisation that processes, stores, or transmits card payment data. Required by Visa, Mastercard, and all major card brands for merchants and service providers in Kenya.
CIS Controls v8
Center for Internet Security Critical Security Controls
18 prioritised security actions that provide a clear, practical roadmap for reducing the most common attack vectors. Particularly effective for SMEs seeking a structured approach without the overhead of ISO 27001.
Cyber Essentials (UK)
UK Government Cybersecurity Certification
Required for UK government contracts. For Kenyan businesses with UK operations or clients, Cyber Essentials demonstrates baseline security hygiene across five core control areas.
HIPAA
Health Insurance Portability & Accountability Act
Required for healthcare organisations and their business associates handling US patient health information. Relevant for African health tech companies with US operations or partnerships.
CBK Cybersecurity Guidelines
Central Bank of Kenya — Financial Sector
Kenya's Central Bank has issued mandatory cybersecurity guidelines for regulated financial institutions — banks, SACCOs, microfinance, and payment service providers. We help financial sector clients achieve and maintain CBK compliance.
SOC 2 Type II
Service Organization Controls — Trust Service Criteria
Required by many US and international enterprise customers when procuring cloud services and SaaS platforms. We help African technology companies achieve SOC 2 certification to unlock international sales opportunities.
Compliance Readiness

Not Sure Where to Start?

Our compliance readiness assessment helps you understand which frameworks apply to your business, where you currently stand, and the most efficient path to compliance.

Free 30-Minute Assessment Call
Book a no-obligation call with our compliance team. We'll review your business, identify applicable frameworks, and give you an honest assessment of your starting point — at no cost.
Comprehensive Gap Assessment
A thorough assessment against your chosen framework(s) — identifying all gaps, estimating remediation effort, and producing a prioritised action plan with timeline and resource estimates.
End-to-End Compliance Programme
Full support from initial gap assessment through implementation, certification/registration, and ongoing maintenance — with SecureZaidi as your trusted compliance partner throughout.