Lawyer bonyo mwongela while training #Legibra on #gdpr and data protection compliance.

Building A Website With Data Protection in Mind; What You Should Know

Over the weekend, we had the pleasure of hosting professionals from the legal industry; Lawyer Linda Bonyo, co-founder at Lawyers Hub Kenya and legaltech enthusiast, Mercy King’ori who blogs at Legalhub and works with CIPIT.  Both led us through an in-depth discussion on law and digital business.

Lawyer bonyo mwongela emphasises that data is king and customer privacy should be the central kingdom at #LegibraTalks

Lawyer bonyo mwongela emphasises that data is king and customer privacy should be the central kingdom at #LegibraTalks

The goal of the discussion was to inform and educate business owners, marketers, as well as developers of the risks and opportunities created by Kenyan laws like the Computer and Cyber Crimes law, Intellectual property laws and data protection bill.

discussion on law and online business

Mr. Mohamed, founder and director at Ladnan Hospital shares his feedback.

However, in this article we would like to focus on the upcoming Kenya data protection bill and what it means for your website. According to the bill presented by Gideon Moi, chairperson of the ICT committee, a business has the legal obligation to inform its users if they are collecting their data, how they plan to use the data collected and how long they will store the data. But that’s not all, the law also gives individuals the right to refuse to have their data collected and requires businesses to edit or delete an individuals data upon request.

Mercy King'ori, legaltech enthusiast explains the benefits of copyrighting your content

Mercy King’ori, legaltech enthusiast explains the benefits of copyrighting your content

Hefty Penalties

Fortunately, unlike the GDPR which threatens a penalty of 20 million Euros or 4 percent of annual global turnover, the Kenya Data protection bill imposes a fine not exceeding Ksh. 500,000 or two years of imprisonment , or both for any individual found guilty of mishandling personal data. The bill does not mention fines or penalties for corporations that are found guilty of the same.

Closer to your Website

Let’s first agree, that including data protection measures on your website should not be all about skirting the penalties associated with the Kenya Data Protection law, instead it’s about improving the experience and trust with your website visitors. After all, no visitors no business. That said, let’s get down to business. How do you develop and design a website with data protection and privacy in mind?


  1. Ensure all website contact forms ask for consent

For most businesses, a website serves as the first point of contact between the prospect and the company, because it is easier to check out the website than it is to get to the physical office.

If a prospect wants to do business with you, they will fill up an inquiry form, sign up for a newsletter or drop a message through a chat box. In either case, you will be collecting their data and storing it in your server which means the data protection law applies to you. Therefore, you need to get clear permission from the visitor that they agree with your privacy policy and that they have given you permission to contact them back in regards to their inquiry.

There are many ways to achieve this but the simplest way is to ensure that all your contact forms have a checkbox that is unticked by default. Additionally, you should inform the visitor how you will use the data e.g I confirm I have read & accept the PRIVACY POLICY and consent to my information being used to contact me regarding my enquiry.

data protection and your website

Data protection and your website

2. Blog Comments

If you have an engaging blog like Biko Zulu‘s where the audience practically competes to post comments, then you need to be aware that you collecting visitor data. Therefore,  you need to get consent to collect their data and inform them why you are collecting their data in the first place.

3. Collaborate with Partners

It’s not enough to get your website in order. you also need to check if your partners are compliant as well. Whether you are working with Facebook pixel, Google analytics, Mailchimp, salesforce or Safaricom Daraja API, it is your responsibility as website owner to check whether your partners have put measures in place to ensure data protection and privacy. Some of the questions you should think about when vetting your partners include whether they have the right tools to handle deletion requests and if they have certifications to prove compliance.

4. Website Policies: Privacy Policy & Cookie Policy

So far we have established that data protection laws requires you to get consent from visitors before collecting their data and processing it. However, you can’t ask your visitors for consent if they don’t know what they are consenting to, right? That’s why every request for consent on your website page should be linked to your privacy policy. Everything mentioned above should be included in that privacy policy, that means copy pasting other people’s policies won’t cut it.


5. Get an SSL Certificate for your Website

Having a secure website (the green padlock next to your url), is crucial for SEO, building trust with visitors, and now, data protection compliance. But what does an SSL certificate have to do with data protection?

An SSL  certificate has everything to do with data protection because the green padlock encrypts any information sent to you over the website like names, phone numbers and emails. With an SSL certificate, you can rest assured that even if your website gets hacked, the data is protected.

SSL Certificates for website data protection

SSL Certificates for website data protection


6. Update Your Website Regularly

Did you know that hackers often prey on websites with outdated software and old plugins? Therefore, it’s crucial to have a website care plan which helps you plan and follow up on your website maintenance. For a WordPress website, you only need to update your plugins, add extra layers of security and backup your pages.


In Nairobi, Kenya, it is commonplace that whenever you walk into a building , you provide your I.D details together with your contact information for security purposes. But how did you feel about it? Do you ever wonder what the management does with your information?

Similarly, your website visitors need to know why you are collecting their data and what you plan to do with it. Most importantly, they need to know that their data is protected.  So let’s build websites with data protection in mind to improve trust and user experience for our website visitors.


Have you started making changes to your website to comply with data protection regulation? Are you facing any challenges? Please let us know in the comment section below, we would love to help you 🙂

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.