UK GDPR Article 46

UK GDPR & Data Protection

How UK data is protected when outsourcing to Kenya. Legal frameworks, transfer mechanisms, and sector-specific compliance for every engagement.

Overview

How Is UK Data Protected When Outsourcing to Kenya?

UK personal data transferred to Kenya for processing is governed by three overlapping legal frameworks: the UK GDPR (retained EU law), the Data Protection Act 2018, and Kenya's Data Protection Act 2019.

The transfer mechanism is the International Data Transfer Agreement (IDTA) — the UK ICO's approved instrument for authorising cross-border data flows to countries without an adequacy decision. Treba executes the IDTA before any data flows begin. A client-specific Data Processing Agreement (DPA) defines the scope, purpose, and retention rules for every engagement. For EU-origin data, Standard Contractual Clauses (SCCs) are used in parallel.

Treba staff access client systems through encrypted VPN or VDI connections. No client data is stored on local machines, local servers, or Treba-owned infrastructure. The legal framework, technical controls, and operational procedures are configured per engagement and documented before any data access begins.

The most common question

Kenya doesn't have adequacy. Here's how we legally send data there.

The UK GDPR provides an approved mechanism for this exact scenario: the International Data Transfer Agreement (IDTA), issued by the ICO under Article 46(2)(c). Treba executes one per engagement, supplemented by a DPA and technical controls that ensure data never leaves the encrypted environment. For EU-origin data, Standard Contractual Clauses (SCCs) are used in parallel.

Legal basis: Article 46(2)(c) · UK GDPR · ICO-issued IDTA

Same framework: India · PH · US + South Africa

Per-engagement documents

  • IDTA: ICO-approved transfer mechanism (Signed)
  • DPA: Scope, retention, sub-processors (Signed)
  • TIA: Transfer Impact Assessment (Completed)

Before any data access · Article 46(2)(c)

Connection architecture

How Data Actually Moves Between the UK and Nairobi

No data is downloaded, copied, or stored locally. Treba staff work inside the client's own environment.

Access Method

Encrypted VPN tunnel or Virtual Desktop Infrastructure (VDI) — configured per client requirements.

VPN Protocol

WireGuard or IPSec — AES-256 encryption. Split tunnelling disabled. All traffic routed through the secure connection.

Virtual Desktop (VDI)

Where required, staff work inside a cloud-hosted virtual desktop. No data touches the physical machine.

Authentication

Multi-factor authentication (MFA) enforced on all client system access. SSO integration where supported.

Endpoint Security

USB ports disabled. No personal devices permitted. Managed enterprise laptops with MDM. Clean desk policy enforced.

Architecture

Three Layers of Data Protection

Legal, technical, and operational controls working together — configured per engagement.

Layer 01 · Legal

Legal Framework

What's in place

Contracts and registrations, in force per engagement.

  • IDTA per engagement
  • DPA signed pre-access
  • NDAs per engagement & staff
  • Kenya DPA 2019 registered
  • IP assignment · English law
  • Annual legal review

Layer 02 · Technical

Technical Controls

What's in place

Encrypted, segmented, and logged access.

  • AES-256 VPN / VDI
  • No local data storage
  • Client-segmented network
  • MFA on all access
  • USB ports disabled
  • Annual penetration testing

Layer 03 · Operational

Operational Controls

What's in place

Trained staff, monitored sessions, quarterly reviews.

  • UK GDPR pre-access training
  • Sector-specific modules
  • Clean-desk enforced daily
  • Activity & session logging
  • Documented IR procedure
  • Quarterly compliance reviews

Sector compliance

Sector-Specific Compliance Layered on the Base Framework

The three-layer architecture above is the baseline. For regulated industries, Treba adds sector-specific training, controls, and documentation.

FCA

Financial Services & Fintech

Staff trained on FCA Conduct Rules, MLRO reporting, SAR documentation, and KYC/AML procedures. Data handling aligned to FCA outsourcing guidance (FG 16/5).

SRA

Legal & Professional Services

Paralegals trained on SRA Accounts Rules, conflict-of-interest protocols, legal professional privilege, and client data compartmentalisation.

CQC

Healthcare

Medical transcriptionists and coders trained on NHS data protocols, Caldicott Principles, ICD-10/CPT standards, and patient data confidentiality requirements.

ICO

Data-Intensive Operations

Data labelling, document processing, and annotation teams trained on data minimisation, purpose limitation, and retention policies per ICO guidance.

How it works

From agreement to enforcement in 7 steps

The data protection setup process for every Treba engagement.

  1. Transfer Impact Assessment

    Evaluate the data types, volumes, and risks specific to the engagement. Document the legal basis for transfer.

  2. IDTA Execution

    International Data Transfer Agreement signed per the ICO-approved template. Transfer safeguards documented.

  3. DPA Signing

    Data Processing Agreement executed — defining scope, retention periods, sub-processor obligations, and breach notification procedures.

  4. Technical Configuration

    VPN or VDI configured per client requirements. Network segmented. MFA enforced. Endpoint controls activated.

  5. Staff Training & NDAs

    UK GDPR and sector-specific compliance training completed. NDA executed per staff member. Clean desk policy briefed.

  6. Go Live

    Staff access client systems via the encrypted connection. Activity logging begins. First compliance checkpoint at 30 days.

  7. Ongoing Audit & Review

    Quarterly compliance reviews. Annual penetration testing. Annual IDTA and DPA review. Incident response drills conducted.

Economics

Data Protection Infrastructure Included in Every Engagement

With Treba, every control is included — no add-ons.

  • Junior Accountant (ACCA): UK cost £40,860 · Treba cost £10,800/yr · Save 74%
  • Paralegal: UK cost £38,640 · Treba cost £10,800/yr · Save 72%
  • Data Annotator: UK cost £33,260 · Treba cost £8,400/yr · Save 75%

UK in-house costs are mid-range estimates. UK loaded cost = base salary + 13.8% employer NI + office/equipment + recruitment/compliance.

Talent spotlight

Roles with full data protection built in.

Every role includes IDTA, DPA, encrypted access, GDPR training, and ongoing compliance monitoring. No additional data protection charge.

Audio Transcriptionist · Remote from Nairobi · Save 78%

Pre-vetted · Interview in 48hrs · Start in 7 days

UK Cost: £38,592 · Treba Cost: £8,400/yr · You Save: £30,192/yr


Ready to Review the Data Protection Framework?

Request our full compliance documentation: IDTA template, DPA, security audit summary, and technical controls overview. Configured per engagement.