Data privacy is redefining customer trust in Kenya's financial sector
Opinion | By Francis Monyango | Feb 01, 2026
For decades, confidentiality has been the foundation of trust in Kenya’s financial sector.
Banks, Saccos, insurers, and investment firms have long assured customers that their financial affairs would remain private, shielded from prying eyes and improper disclosure.
That promise was not merely ethical; it was central to why people trusted financial institutions with their money in the first place.
But today, the nature of that trust is being tested. Modern financial institutions no longer simply hold customer information.
They use it constantly. Every transaction is analysed, spending patterns are tracked, risks are assessed, and decisions are increasingly automated, made by systems rather than people.
In this environment, the traditional understanding of confidentiality, focused primarily on secrecy and non-disclosure, has evolved into something broader and more demanding: data protection.
What matters just as much is how data is collected, used, shared, and controlled.
In Kenya, this shift became clearer with the enactment of the Data Protection Act of 2019. While the law did not overturn the long-standing duty of confidentiality, it significantly changed how trust works in practice.
It moved the conversation beyond secrecy and placed the customer at the centre of how personal information is handled.
At its core, the relationship between a customer and a financial institution is contractual and built on trust. When a customer opens a bank account, joins a Sacco, purchases insurance, or invests, they expect their personal and financial details to be used responsibly and protected from misuse.
Financial institutions have always had to balance these confidentiality expectations with lawful disclosures, including those required to combat money laundering and fraud.
What has changed is who holds the power. Under Kenya’s data protection framework, privacy is no longer merely an implied duty owed by institutions.
It is a right that customers can actively enforce. Financial institutions are now explicitly recognised as data controllers and data processors, bearing clear responsibilities across the entire data lifecycle. This means the real question is no longer simply whether data has been leaked, but whether it is being collected lawfully, used transparently, retained proportionately, and processed fairly.
This shift is most evident in the rights now granted to customers as data subjects. Kenyan law gives individuals the right to be informed about how their personal data is used, to access data held about them, and to challenge inaccuracies.
Customers may object to certain forms of processing, demand correction of false or misleading information, and even request deletion where data no longer serves a lawful purpose.
These are not abstract ideals; they are practical tools that allow individuals to interrogate and influence how financial institutions operate.
These rights are not theoretical. They speak directly to everyday experiences, such as being denied credit without explanation, receiving endless marketing messages from unknown sources, or discovering that one's picture has been shared across platforms without consent.
Perhaps the most important development concerns automated decision-making. Increasingly, algorithms determine who qualifies for loans, how much insurance costs, or whether a transaction is flagged as suspicious.
Data protection law affirms the right of individuals not to be subjected to decisions based solely on automated processing.
Customers should not be reduced to data points, especially when automated decisions have real economic consequences.
Equally important is the right to limit how personal information is used. Where data accuracy is disputed, processing is unlawful, or the purpose for collection has expired, customers can insist on limits to how their information is used.
This places responsibility on financial institutions not only to collect data but also to manage it responsibly, observe statutory timelines, and communicate transparently when restrictions are lifted.
Taken together, these developments mark a turning point. Confidentiality was about keeping secrets. Data privacy is about accountability. It requires financial institutions to explain themselves, justify their decisions, and respect the autonomy of the people they serve.
For Kenya’s financial services sector, this is not just another compliance requirement. It is a structural change in how trust is built and maintained in a digital economy.
Institutions that treat data privacy as part of their commitment to customers will strengthen customer confidence and credibility. Those that approach it as a box-ticking exercise risk falling out of step with the law and losing public trust.
Ultimately, data protection is not a barrier to innovation or growth. It is an opportunity to demonstrate accountability, fairness, transparency and respect in an increasingly data-driven world. When people feel in control of their information, trust deepens. And in finance, trust remains the most valuable currency.
- The writer is the Group Data Protection Officer at Old Mutual East Africa