CYBER SECURITY & DATA PROTECTION

As a Kenyan law firm, we offer specialized legal services in cybersecurity, data privacy, and information governance, helping organizations meet their legal obligations and manage digital risks. Our services are grounded in the Data Protection Act, 2019, the Computer Misuse and Cybercrimes Act, 2018, sector-specific regulations, and global best practices such as the General Data Protection Regulation (GDPR) and ISO/IEC 27001 standards.

1. Data Protection Compliance Advisory

Data Mapping and Impact Assessments (DPIAs)

Helping organizations assess how they collect, use, store, share, and process personal data.

Conducting DPIAs for high-risk processing activities as required by the Data Protection Act.

Compliance Program Design

Advising on lawful bases for data processing, retention schedules, cross-border data transfers, and privacy-by-design approaches.

Policy Development

Drafting and reviewing:

Data Protection Policies

Privacy Notices

Consent Mechanisms

Data Retention and Deletion Policies

Employee Data Handling Guidelines

2. Data Protection Officer (DPO) Support and Advisory

DPO as a Service

Acting as external Data Protection Officers for organizations without in-house capacity.

Training and Capacity Building

Training internal DPOs and compliance teams on legal obligations, risk identification, and stakeholder engagement.

3. Registration of Data Controllers and Processors

Controller/Processor Registration with ODPC

Assisting organizations in registering with the Office of the Data Protection Commissioner (ODPC).

Review of Processing Agreements

Drafting or reviewing data processing agreements between controllers and processors to ensure compliance with legal obligations.

4. Cybersecurity Legal Risk Advisory

Cyber Risk Assessments

Legal audits of cybersecurity frameworks to identify legal risks in data storage, access control, incident response, and third-party access.

Cybersecurity Policies

Drafting and advising on:

Information Security Policies

Acceptable Use Policies

BYOD (Bring Your Own Device) Policies

Incident Response and Business Continuity Plans

5. Incident Response and Data Breach Management

Breach Notification and Regulatory Support

Advising on breach containment, investigation, and mandatory notification to the ODPC and affected data subjects.

Liaising with Law Enforcement and Regulators

Coordinating legal response during cyberattacks, ransomware incidents, or system intrusions in compliance with the Computer Misuse and Cybercrimes Act.

Crisis Management Advisory

Supporting clients with legal communication strategies and managing reputational and legal fallout.

6. Legal Representation in Data and Cybercrime Matters

Enforcement and Investigations

Representing clients during ODPC investigations, audits, or enforcement proceedings.

Litigation and Dispute Resolution

Handling legal claims involving:

Data privacy violations

Identity theft or impersonation

Unauthorized system access or data breaches

Employee misuse of data or IT resources

7. Third-Party Vendor and Cloud Compliance

Vendor Due Diligence and Contracts

Advising on third-party IT service agreements, cloud services contracts, and outsourcing arrangements to ensure data protection and cybersecurity compliance.

Cross-Border Data Transfer Advisory

Structuring legal safeguards (e.g. Standard Contractual Clauses, Binding Corporate Rules) for international data transfers in line with Kenyan and global law.

8. Employee Data and Workplace Monitoring

Internal Compliance Support

Advising employers on processing of employee data, surveillance, biometric data use, and remote work privacy obligations.

HR Data Policies

Drafting employment contract clauses, workplace privacy notices, and data confidentiality agreements.

9. Sector-Specific Data Protection Advisory

Healthcare

Advising hospitals and clinics on patient data confidentiality, electronic health records (EHRs), and consent requirements.

Financial Services and Fintechs

Assisting banks, mobile lenders, and fintechs with KYC data compliance, fraud detection systems, and ODPC registration.

Education and EdTech

Legal advisory for schools and educational platforms on student data protection, parental consent, and digital learning risks.

Telecommunications and ICT

Ensuring telecom operators comply with data retention, SIM registration, and lawful intercept obligations while upholding data subject rights.

10. Training, Awareness, and Policy Advocacy

Data Protection and Cybersecurity Training

Providing in-house workshops for management, IT teams, legal departments, and staff on:

Data handling best practices

Cybersecurity awareness

Breach response and legal risks

Board Briefings and Strategic Advisory

High-level updates on regulatory changes, enforcement trends, and reputational risks.

Policy Engagement

Supporting clients in consultations and submissions on proposed ODPC guidelines, regulations, or cybersecurity legislation.