Kenya has one of the strongest data protection policies in Africa.
Its Data Protection Act (2019) tells companies how to collect and use customer data safely. It protects the country’s control over its data and gives people the right to say how their data is used. Customers can say yes or no, challenge, or stop the use of their data. Yet large Kenyan corporations, which have been the major culprits, still have work to do to comply with the rules.
On Friday, NCBA, Kenya’s third-largest commercial bank by assets, was fined KES250,000 ($1,930) by the Office of the Data Protection Commissioner (ODPC), the country’s data protection regulator, for violating a customer’s privacy rights.
What happened? The bank had failed to delete an incorrect email address from its records, despite repeated requests, leading to sensitive financial statements being sent to the wrong person.
The complainant, Brian Githaiga, had asked the bank to remove a second email address linked to his account. The bank failed to act, and the unintended recipient, a woman with no ties to NCBA, continued receiving his transaction details. Even after the recipient herself alerted the bank, the issue persisted.
This is risky because once your bank records land in the wrong inbox, you lose control over who sees your details. These statements often contain personal data like your address and phone number. In the wrong hands, you could become a target—even if you’ve always been careful.
This isn’t the first time NCBA has made that mistake.
In December 2024, the bank was fined KES700,000 ($4,405) for sending the loan statements of a Kenyan customer, Dr. Bernard Shiaunda Aete, to his former wife. Despite his request to remove her contact as an alternate address, the bank failed to act.
Banks are expected to set the bar for financial safety, so it’s both surprising and careless for NCBA to drop the ball like this. Although $1,930 may be a small fine, it sends a strong message to others: protect your customers’ data—or pay for it.