

Why Paper Compliance Is Not Enough in Data Protection

By Hiram Nyaburi and Amos Odhiambo

Well over six years into the operation of the Data Protection Act, 2019, and with the Office of the Data Protection Commissioner (ODPC) steadily asserting its enforcement mandate through a growing body of determinations, one message is becoming clear: organisations handling personal data must do more than adopt policies and issue assurances of compliance. They must demonstrate that their systems work in practice and that compliance is real, accessible, and effective from the perspective of the individual.

A recent decision by the ODPC, issued on 15 February 2026 and involving Wananchi Group (Kenya) Limited, trading as Zuku Fibre Kenya, illustrates the risks companies face where systems exist on paper but fail in operation. The ODPC found that, by failing to provide a former customer with a workable avenue to object to the continued processing of his personal data and to seek deletion of that data, the company breached the law on data protection. The ODPC awarded compensation to the former customer alongside other remedial orders.

Importantly, the finding did not turn solely on the continued sending of marketing messages. At its core, the decision condemned the absence of a functioning mechanism through which a data subject could exercise the statutory rights to object to the processing of his personal data and to seek deletion of misleading data. Compliance that exists only in policy documents, internal assurances, or untested procedures offers no defence where the persons affected cannot submit, track, or escalate a request in practice. In this case, invalid contact emails and a refusal to cooperate with regulatory verification meant the Commissioner could not confirm whether any effective avenue existed at all.

The decision also highlights a persistent blind spot in corporate compliance: the treatment of former customers’ data. Once a relationship ends, customers often fall outside active management structures while remaining embedded in marketing and operational databases. Compliance and IT investments may prioritise onboarding and the management of live accounts, leaving offboarding, objection handling, and deletion processes underdeveloped or entirely neglected. Yet this post-relationship phase is precisely where data subjects’ rights are most vulnerable to obstruction. Former customers are no longer incentivised to tolerate friction, and where the relationship ends on unfavourable terms, they are more likely to escalate complaints or pursue regulatory redress. Organisations that fail to address this risk are effectively leaving a pathway open to enforcement action.

Furthermore, the decision offers a valuable lesson to organisations and companies alike, that published privacy policies, on their own, are insufficient. Simply listing an email address or an online portal for handling data subject rights requests creates a false sense of compliance if those channels are not functional. There is therefore a need to go a step further and operationalise these policies by ensuring that the stated channels, processes, and escalation mechanisms actually work and are accessible to data subjects in practice.

The case may also highlight one instance in which personal criminal liability against a director is contemplated under the Data Protection Act. The ODPC reported that Wananchi Group denied investigators access to its premises and records despite a search warrant, prompting a recommendation that the company’s directors be prosecuted for obstructing the Data Commissioner. This signals a clear shift: data protection enforcement is not confined to administrative penalties, and senior management may face personal consequences for frustrating regulatory investigations.

The real question for organisations is no longer whether they have a data privacy policy, but whether their systems can withstand scrutiny. The ODPC is clearly testing how compliance operates in practice, not how it is drafted. Companies that fail to align their operational processes with their legal obligations may find that the gap between policy and reality is where liability arises.

This article was published in the Business Daily on 13 April 2026.
