Multi-Jurisdiction GDPR & Data Protection Compliance Program - Kasha Global
Led the end-to-end GDPR alignment and statutory registration program across Kenya and Rwanda, designing governance frameworks and implementing enterprise-grade security controls that formalized regulatory compliance, strengthened audit readiness, and elevated investor and partner confidence.
Context & Business Challenge
As Kasha expanded across Rwanda, Kenya, and South Africa, the organization increasingly processed sensitive personal and health-related customer data. Despite strong commercial growth, the regulatory foundation had not kept pace.
Key risk factors included:
No formal registration with national data protection authorities
Rapid growth in personally identifiable and sensitive health data
Cross-border data transfers across multiple systems
Increasing investor and partner due diligence scrutiny
Absence of documented governance frameworks and structured security controls
Compliance was no longer optional - it was foundational to sustainable scale. Failure to align risked regulatory sanctions, operational disruption, loss of customer trust, and weakened investor confidence.
Objective & Success Criteria
The goal was to formalize regulatory alignment across jurisdictions and embed durable data protection governance within the organization.
Key objectives
Achieve formal registration with:
Office of the Data Protection Commissioner (Kenya)
National Cyber Security Authority (Rwanda)
Align IT operations and policies with GDPR principles
Implement security controls aligned with ISO 27001 standards
Establish governance structures for data protection and access management
Demonstrate compliance readiness to regulators, partners, and investors
Success was defined by
Successful certification and registration in both jurisdictions
Documented and enforced data protection policies
Implemented technical safeguards across systems and devices
Clear ownership of data protection responsibilities
Audit-ready evidence repository
My Role & Ownership
I led the program end-to-end as Program Owner with full accountability.
My responsibilities included:
Defining the compliance roadmap
Interpreting regulatory requirements across jurisdictions
Coordinating Legal, IT, Operations, and Executive stakeholders
Designing and implementing technical security controls
Drafting governance frameworks and policies
Preparing and submitting regulatory documentation
Leading internal system evaluations and certification processes
Program Strategy & Execution
Data Mapping & Regulatory Classification
I conducted structured data mapping to identify every flow of personally identifiable and sensitive data, recording for each flow whether Kasha acted as data controller or as data processor.
For each processing activity a lawful basis was defined in line with GDPR principles, and the implications of cross-border transfers between the three markets were evaluated.
Security Controls Implementation
To operationalize compliance, we implemented layered security controls across infrastructure and endpoints:
Multi-Factor Authentication (MFA) across critical systems
Strong password enforcement policies
Role-Based Access Control (RBAC) under least-privilege principles
Full-disk encryption on endpoint devices
TLS encryption across all web applications
Centralized access management
Structured backup and recovery procedures
Remote device management controls
The approach emphasized enforceable controls rather than policy-only compliance.
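To show what "enforceable rather than policy-only" looks like in practice, the following is an added example (not Kasha's own tooling) that turns the controls listed above into checks over an asset inventory: MFA on critical systems, full-disk encryption on endpoints, TLS-only web applications, and least-privilege RBAC. The output is the kind of pass/fail record that can be filed as audit evidence. The inventory schema, the field names, the privileged-permission set, the user limit and the sample assets are all assumptions made for the example.

```python
"""Control-baseline gap check over an asset inventory.

Added example, not Kasha's own code. Inventory schema, field names,
the PRIVILEGED set, MAX_PRIVILEGED_USERS and the sample assets are
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Permissions that make a role "privileged" (assumed for the example).
PRIVILEGED: Set[str] = {"admin", "export_all", "delete_records"}
# Hypothetical cap on how many people may hold a privileged role.
MAX_PRIVILEGED_USERS = 2


@dataclass
class Asset:
    name: str
    kind: str                       # "system", "endpoint" or "webapp"
    critical: bool = False
    mfa_enforced: bool = False
    disk_encrypted: bool = False
    tls_only: bool = False
    roles: Dict[str, Set[str]] = field(default_factory=dict)   # role -> permissions
    users: Dict[str, str] = field(default_factory=dict)        # user -> role


def check_asset(a: Asset) -> List[str]:
    """Return one finding per violated control; an empty list means compliant."""
    findings: List[str] = []
    if a.kind == "system" and a.critical and not a.mfa_enforced:
        findings.append(f"{a.name}: MFA not enforced on a critical system")
    if a.kind == "endpoint" and not a.disk_encrypted:
        findings.append(f"{a.name}: full-disk encryption not enabled")
    if a.kind == "webapp" and not a.tls_only:
        findings.append(f"{a.name}: plaintext HTTP still accepted")
    # Least privilege: privileged permissions may only live in roles named
    # as admin roles, and only a few people may hold such a role.
    for role, perms in a.roles.items():
        if perms & PRIVILEGED and not role.startswith("admin"):
            findings.append(
                f"{a.name}: role '{role}' carries privileged permissions "
                f"{sorted(perms & PRIVILEGED)}")
    holders = [u for u, r in a.users.items() if a.roles.get(r, set()) & PRIVILEGED]
    if len(holders) > MAX_PRIVILEGED_USERS:
        findings.append(
            f"{a.name}: {len(holders)} users hold privileged roles "
            f"(limit {MAX_PRIVILEGED_USERS}): {sorted(holders)}")
    # Privileged access without MFA is the combination an auditor flags first.
    if holders and not a.mfa_enforced:
        findings.append(f"{a.name}: privileged users {sorted(holders)} without MFA")
    return findings


def evidence_report(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Map every asset name to its findings; a compliant asset maps to []."""
    return {a.name: check_asset(a) for a in inventory}


# Constructed sample inventory: one compliant and one non-compliant asset
# of each kind. Names and data are invented for the example.
SAMPLE_INVENTORY = [
    Asset("crm", "system", critical=True, mfa_enforced=True,
          roles={"admin_ops": {"admin", "export_all"}, "agent": {"read", "update"}},
          users={"alice": "admin_ops", "bob": "agent"}),
    Asset("legacy_billing", "system", critical=True, mfa_enforced=False,
          roles={"support": {"read", "export_all"}, "admin_fin": {"admin"}},
          users={"carol": "support", "dan": "support", "erin": "admin_fin"}),
    Asset("laptop-042", "endpoint", disk_encrypted=True),
    Asset("laptop-017", "endpoint", disk_encrypted=False),
    Asset("customer-portal", "webapp", tls_only=True),
    Asset("partner-api", "webapp", tls_only=False),
]

if __name__ == "__main__":
    for name, findings in evidence_report(SAMPLE_INVENTORY).items():
        print(f"[{'PASS' if not findings else 'FAIL'}] {name}")
        for f in findings:
            print("   -", f)
```

Run periodically against an exported inventory, the report gives a dated record per asset per control, which is what a regulator or investor due-diligence questionnaire actually asks for. The thresholds (which permissions count as privileged, how many people may hold them) are where policy and enforcement meet, so they should be owned by the same person who signs the Access Control Policy.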
Governance Framework Design
I drafted and institutionalized:
Data Protection Policy
Access Control Policy
Acceptable Use Policy
Incident Response Procedures
Security Incident Response Team (SIRT) structure
Comprehensive IT governance policy
Legal teams were engaged to align contractual clauses and third-party agreements with GDPR standards.
Regulatory Engagement & Certification
Prepared and submitted registration documentation to ODPC (Kenya) and NCSA (Rwanda)
Managed regulatory follow-ups and evidence submissions
Structured documentation repositories to maintain audit-readiness
The engagement required persistence, structured documentation, and careful interpretation of evolving regulatory guidance.
Technical & Compliance Scope
Security & Privacy Controls
MFA enforcement
Endpoint encryption
TLS encryption in transit
Centralized access control
Backup & disaster recovery planning
Device lifecycle governance
Governance Framework
GDPR-aligned privacy principles
ISO 27001-inspired control structures
Documented SOPs and audit logs
Incident escalation workflows
Compliance Coverage
Customer data
Employee data
Vendor and partner data
Cross-border data transfers
Results & Impact
Before
No formal regulatory registration
Fragmented security practices
No structured audit evidence
Heightened regulatory and investor risk
Limited internal awareness of data protection responsibilities
After
Formal certification and registration in Kenya and Rwanda
Hardened security posture across systems and devices
Clear governance ownership of data protection
Stronger trust from customers, partners, and investors
Reduced regulatory and operational risk
Audit-ready foundation for future market expansion
Strategic Impact: Data protection matured from reactive compliance to a competitive strength supporting cross-border scale and investor confidence.
Key Challenges & Approach
Regulatory Process Maturity (Kenya ODPC): the regulator's own processes were still evolving and response times were slow.
Approach: persistent, structured follow-ups, proactive documentation, and clear escalation paths.
Organizational Awareness Gaps: Non-technical teams lacked familiarity with GDPR implications.
Approach: targeted awareness sessions, simplified policy documentation, and clearly assigned accountability.
Cross-Jurisdiction Complexity: regulatory interpretations differed across countries. Kenya's Data Protection Act, 2019 and Rwanda's Law No. 058/2021 on the protection of personal data and privacy are both modelled on GDPR, but their registration requirements and detailed obligations differ.
Approach: established a GDPR-aligned baseline framework with jurisdiction-specific overlays for each national law.
What I Would Do Differently
Initiate compliance alignment prior to market entry
Formalize a Data Protection Officer (DPO) role earlier
Automate compliance evidence collection and reporting
Implement continuous compliance monitoring tools
Engage regulators earlier during expansion planning