Herman Tambo Law
Clear Law. Fair Fees. Fast.

Data Protection that’s practical.

Kenya Data Protection Act compliance for SMEs, schools and growing teams. Audits, policies, vendor contracts, DPIAs, and incident response. Digital-first.

Current audit turnaround: < 3 days

Best for

SMEs & schools

Outcome

Less risk, more trust

Delivery

Digital-first

Step 1: Diagnostic

Data Protection Readiness

Select what you already have. We’ll show the next best steps (in order).

Note

This diagnostic is for orientation only. Compliance depends on your specific processing activities, systems, vendors and risk profile.

What we do

Compliance That Runs

Best outcome

Low risk + high trust

Audit & Gap Fix

A fast review of how you collect, store, share and secure personal data. Then a practical fix plan.

  • Data mapping + risk hotspots
  • Priority fixes, in order
  • Practical documentation

Policies & Notices

Clear internal rules and external notices that match how you actually operate.

  • Privacy notice (web/app/school)
  • Data protection policy
  • Staff training guide

Vendors & Contracts

Tight DP clauses in vendor agreements and clear accountability when systems fail.

  • Data Processing Agreements (DPAs)
  • Security + breach clauses
  • Cross-border handling checks

When things go wrong

Incident response without panic

Evidence discipline, stakeholder comms, vendor coordination, regulator-facing responses.

Contact

If you suspect a breach: preserve logs, restrict access changes, and document your timeline.

Clarity

Data Protection FAQs

Do SMEs and schools in Kenya need to comply?

Yes. If you collect or use personal data (students, parents, staff, customers, vendors), you should implement appropriate measures under Kenya’s Data Protection Act.

What is the fastest way to become compliant?

Start with a practical audit, then a compliance pack: privacy notice, internal policy, key vendor DPAs, and a breach response playbook.

Do we need a Data Protection Officer (DPO)?

Some organisations should designate a DPO or responsible person depending on scale, risk and processing activities. We help you assess the best fit and implement the role without overcomplicating operations.

Can you help with incidents and ODPC requests?

Yes. We support incident triage, documentation, customer communications strategy, vendor coordination, and responses to regulator or third-party requests.