UK GDPR & Data Protection
How UK data is protected when outsourcing to Kenya. Legal frameworks, transfer mechanisms, and sector-specific compliance for every engagement.

Overview
How Is UK Data Protected When Outsourcing to Kenya?
UK personal data transferred to Kenya for processing is governed by three overlapping legal frameworks: the UK GDPR (retained EU law), the Data Protection Act 2018, and Kenya's Data Protection Act 2019. The transfer mechanism is the International Data Transfer Agreement (IDTA) — the UK ICO's approved instrument for authorising cross-border data flows to countries without an adequacy decision. Treba executes the IDTA before any data flows begin. A client-specific Data Processing Agreement (DPA) defines the scope, purpose, and retention rules for every engagement. For EU-origin data, Standard Contractual Clauses (SCCs) are used in parallel.
Treba staff access client systems through encrypted VPN or VDI connections. No client data is stored on local machines, local servers, or Treba-owned infrastructure. The legal framework, technical controls, and operational procedures are configured per engagement and documented before any data access begins.
Key facts
The data protection facts behind every Treba engagement.
Everything UK compliance teams need to know before approving a Kenya transfer.
Transfer mechanism (UK)
International Data Transfer Agreement (IDTA) — ICO-approved under UK GDPR Article 46(2)(c)
Transfer mechanism (EU)
Standard Contractual Clauses (SCCs) — used when data originates from the EU
Kenya data law
Data Protection Act 2019 — administered by the Office of the Data Protection Commissioner (ODPC)
Data Processing Agreement
Executed per engagement before any data access begins
Access method
Encrypted VPN or Virtual Desktop Infrastructure (VDI) — no local data storage
Endpoint controls
USB ports disabled. No personal devices. Clean desk policy enforced.
Network security
Client-specific network segmentation. Multi-factor authentication. Annual penetration testing.
Staff vetting
DCI Certificate of Good Conduct. NDA per engagement and per staff member.
Training
UK GDPR and sector-specific compliance modules completed before client data access
Breach response
72-hour notification to client and relevant authorities per UK GDPR Article 33
Audit rights
Client audit rights included in DPA. Annual compliance reviews conducted by Treba.
Physical security
Biometric office access. CCTV monitoring. Secure Westlands, Nairobi facility.
The most common question
Kenya Doesn't Have Adequacy. How Can We Legally Send Data There?
This is the most common question from UK compliance teams evaluating Kenya outsourcing. It has a clear legal answer.
Kenya does not have a UK adequacy decision. The UK GDPR provides an approved mechanism for this exact scenario: the International Data Transfer Agreement (IDTA), issued by the ICO under Article 46(2)(c). This is the same framework used by UK companies transferring personal data to India, the Philippines, South Africa, and the United States.
Treba executes an IDTA per engagement, supplemented by a Data Processing Agreement (DPA) and technical controls that ensure data never leaves the encrypted environment. The IDTA documents the transfer, the safeguards in place, and the rights of data subjects — as required by the ICO.
For engagements where client data originates from the EU rather than the UK, Treba executes Standard Contractual Clauses (SCCs) issued by the European Commission — either instead of or in addition to the IDTA, depending on the data flow.
Connection architecture
How Data Actually Moves Between the UK and Nairobi
No data is downloaded, copied, or stored locally. Treba staff work inside the client's own environment.
Access Method
Encrypted VPN tunnel or Virtual Desktop Infrastructure (VDI) — configured per client requirements.
VPN Protocol
WireGuard or IPSec — AES-256 encryption. Split tunnelling disabled. All traffic routed through the secure connection.
Virtual Desktop (VDI)
Where required, staff work inside a cloud-hosted virtual desktop. No data touches the physical machine.
Authentication
Multi-factor authentication (MFA) enforced on all client system access. SSO integration where supported.
Endpoint Security
USB ports disabled. No personal devices permitted. Managed enterprise laptops with MDM. Clean desk policy enforced.
What This Means in Practice
A Treba staff member working on a UK client's financial data logs in via MFA-protected VPN, accesses the client's cloud-hosted accounting platform, and works inside that environment for the duration of the session. When the session ends, the connection closes. No files are downloaded. No data is cached locally. The client's IT team has full visibility of access logs, session duration, and activity — exactly as they would with a UK-based employee.
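The "split tunnelling disabled, all traffic routed through the secure connection" requirement above is enforced on a WireGuard client by what the peer's AllowedIPs line contains. The configuration below is an added illustration written for this page, not Treba's or any client's actual configuration; the keys, tunnel address, resolver and gateway endpoint are placeholders.

```ini
# Added illustration (not Treba's configuration). Keys, addresses and the
# gateway hostname are placeholders.
# Client-side WireGuard profile (wg-quick format) that enforces a full tunnel:
# every packet, including DNS lookups, leaves the laptop via the gateway.

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
Address = 10.90.0.12/32            ; assumed tunnel address for this workstation
DNS = 10.90.0.1                    ; resolver reachable only inside the tunnel,
                                   ; so name resolution cannot leak to the LAN

[Peer]
PublicKey = <GATEWAY_PUBLIC_KEY_PLACEHOLDER>
Endpoint = vpn.example.org:51820   ; assumed gateway endpoint
; Full tunnel: 0.0.0.0/0 and ::/0 send ALL IPv4 and IPv6 traffic to the peer.
; wg-quick installs a policy route for these prefixes so that the default
; route points into the tunnel and only the encrypted UDP stream leaves the
; physical interface.
AllowedIPs = 0.0.0.0/0, ::/0
; A split-tunnel profile (the setting this page says is disabled) would list
; only the client's private ranges, e.g.
;   AllowedIPs = 10.90.0.0/16
; which leaves ordinary internet traffic on the staff member's local network
; and outside the client's logging.
PersistentKeepalive = 25
```

To verify the tunnel is full rather than split on a Linux endpoint, check that `wg show` lists `allowed ips: 0.0.0.0/0, ::/0` for the gateway peer and that `ip route get 1.1.1.1` resolves via the WireGuard interface. One point worth knowing when reading the "AES-256" line in this section: WireGuard has a fixed cipher suite (ChaCha20-Poly1305 for transport), so a configurable AES-256 setting applies to the IPsec option, not to WireGuard.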
Architecture
Three Layers of Data Protection
Legal, technical, and operational controls working together — configured per engagement.
Legal Framework
- IDTA executed per engagement (UK GDPR Article 46)
- Data Processing Agreement (DPA) signed before data access
- NDA per engagement and per staff member
- Kenya Data Protection Act 2019 registration
- IP assignment clauses under English law
- Annual legal review and update
Technical Controls
- Encrypted VPN or VDI — AES-256
- No client data on local machines or servers
- Network segmentation by client
- Multi-factor authentication on all access
- USB ports disabled on all workstations
- Annual penetration testing
Operational Controls
- UK GDPR training before client data access
- Sector-specific compliance modules
- Clean desk policy enforced daily
- Activity logging and session monitoring
- Documented incident response procedure
- Quarterly compliance reviews
Sector compliance
Sector-Specific Compliance Layered on the Base Framework
The three-layer architecture above is the baseline. For regulated industries, Treba adds sector-specific training, controls, and documentation.
Financial Services & Fintech
Staff trained on FCA Conduct Rules, MLRO reporting, SAR documentation, and KYC/AML procedures. Data handling aligned to FCA outsourcing guidance (FG 16/5).
Legal & Professional Services
Paralegals trained on SRA Accounts Rules, conflict-of-interest protocols, legal professional privilege, and client data compartmentalisation.
Healthcare
Medical transcriptionists and coders trained on NHS data protocols, Caldicott Principles, ICD-10/CPT standards, and patient data confidentiality requirements.
Data-Intensive Operations
Data labelling, document processing, and annotation teams trained on data minimisation, purpose limitation, and retention policies per ICO guidance.
Process
From agreement to enforcement in 7 steps
The data protection setup process for every Treba engagement.
1. Transfer Impact Assessment: Evaluate the data types, volumes, and risks specific to the engagement. Document the legal basis for transfer.
2. IDTA Execution: International Data Transfer Agreement signed per the ICO-approved template. Transfer safeguards documented.
3. DPA Signing: Data Processing Agreement executed — defining scope, retention periods, sub-processor obligations, and breach notification procedures.
4. Technical Configuration: VPN or VDI configured per client requirements. Network segmented. MFA enforced. Endpoint controls activated.
5. Staff Training & NDAs: UK GDPR and sector-specific compliance training completed. NDA executed per staff member. Clean desk policy briefed.
6. Go Live: Staff access client systems via the encrypted connection. Activity logging begins. First compliance checkpoint at 30 days.
7. Ongoing Audit & Review: Quarterly compliance reviews. Annual penetration testing. Annual IDTA and DPA review. Incident response drills conducted.
Economics
Data Protection Infrastructure Included in Every Engagement
With Treba, every control is included — no add-ons. Mid-range UK in-house cost compared with the Treba cost per role:
- Junior Accountant (ACCA): £40,860 UK in-house → £10,800/yr with Treba
- Paralegal: £38,640 UK in-house → £10,800/yr with Treba
- Data Annotator: £33,260 UK in-house → £8,400/yr with Treba
UK in-house costs are mid-range estimates. UK loaded cost = base salary + 13.8% employer NI + office/equipment + recruitment/compliance. See role-by-role pricing.
Talent spotlight
Roles with full data protection built in.
Every role includes IDTA, DPA, encrypted access, GDPR training, and ongoing compliance monitoring. No additional data protection charge.

Audio Transcriptionist (remote from Nairobi). Pre-vetted · Interview in 48hrs · Start in 7 days.
UK cost: £38,592. Treba cost: £8,400/yr. You save: £30,192/yr.
Ready to Review the Data Protection Framework?
Request our full compliance documentation: IDTA template, DPA, security audit summary, and technical controls overview. Configured per engagement.
