
Kenya has one of the strongest data protection policies in Africa.
Its Data Protection Act (2019) tells companies how to collect and use customer data safely. It protects the country’s control over its data and gives people the right to say how their data is used. Customers can say yes or no, challenge, or stop the use of their data. Yet large Kenyan corporations—which have been the major culprits—still have work to do to comply with the rules.
On Friday, NCBA, Kenya’s third-largest commercial bank by assets, was fined KES250,000 ($1,930) by the Office of the Data Protection Commissioner (ODPC), the country’s data protection regulator, for violating a customer’s privacy rights.
What happened? The bank had failed to delete an incorrect email address from its records, despite repeated requests, leading to sensitive financial statements being sent to the wrong person.
The complainant, Brian Githaiga, had asked the bank to remove a second email address linked to his account. The bank failed to act, and the unintended recipient—who had no ties to NCBA—continued receiving his transaction details. Even after she alerted the bank, the issue persisted.
This is risky because once your bank records land in the wrong inbox, you lose control over who sees your details. These statements often contain personal data like your address and phone number. In the wrong hands, you could become a target—even if you’ve always been careful.
This isn’t the first time NCBA has made that mistake.
In December 2024, the bank was fined KES700,000 ($4,405) for sending the loan statements of a Kenyan customer, Dr. Bernard Shiaunda Aete, to his former wife. Despite his request to remove her contact as an alternate address, the bank failed to act.
Banks are expected to set the bar for financial safety, so it’s both surprising and careless for NCBA to drop the ball like this. Although $1,930 may be a small fine, it sends a strong message to others: protect your customers’ data—or pay for it.