Introduction
As the new year begins, it is important for businesses to start on the right footing by ensuring they are compliant with key legal and regulatory obligations, so as to avoid penalties, fines, and potential disputes, and to promote good governance.
Here are some critical areas that employers should review to confirm that registrations, renewals, and internal systems are up to date.
1. Submission of Annual Employee Returns to the National Employment Authority (NEA)
Under Sections 76 – 79 of the Employment Act, employers with 25 or more employees are required to file annual employee returns. These returns must be submitted by 31st January of the following year. The returns should contain the full name, age, sex, occupation, date of employment, nationality, and educational level of each employee.
In December 2025, NEA issued a public notice that employers should submit their 2025 Annual Employee Returns by 31st January 2026. Failure to comply is an offence, and if found guilty, an employer shall be liable to a fine of up to one hundred thousand shillings (Kshs. 100,000) or to imprisonment for a term of up to six (6) months, or both.
As such, employers are advised to file their returns online through the NEA Integrated Management System at www.neaims.go.ke before the deadline.
2. Registration or Renewal as a Data Controller or a Data Processor under the Data Protection Act, 2019
All public and private organizations and individuals processing personal data are required to register with the Office of the Data Protection Commissioner (ODPC) as either Data Controllers or Data Processors, or both.
i) Distinction between Data Controllers and Data Processors
An organisation qualifies as a data controller where it determines, either alone or jointly with others, the purpose and means of processing personal data. Examples include employers, banks, telecommunications companies, insurance companies, hospitals, educational institutions, etc.
On the other hand, an organisation is deemed a data processor where it processes personal data on behalf of a data controller. This does not include the employees of the data controller. Examples include cloud storage providers, background search agencies, payroll service providers, HRMIS system providers, etc.
Where the organization handles personal data as both a data controller and a data processor, it is required to submit two separate applications as the registration involves two separate fees.
ii) Are all organizations required to register?
No. An organization is exempt from registration if its annual turnover or revenue is below five million shillings (Kshs. 5M) and it employs fewer than ten (10) people. Therefore, if your organization exceeds this threshold, it must register with the ODPC.
However, if the organization exceeds either of these thresholds, it does not qualify for the exemption and must therefore register.
Further, businesses operating in certain sectors are not exempt from registration, regardless of size or turnover. These include, among others:
- Canvassing political support among the electorate.
- Operating Credit Bureaus.
- Crime prevention and prosecution of offenders, including private security service providers.
- Debt administration and factoring.
- Gambling, gaming, and betting operators.
- Provision of education.
- Health administration and provision of patient care.
- Hospitality industry firms.
- Insurance administration and undertakings.
- Faith-based or religious institutions.
- Retirement benefits administration.
- Property management, including the selling of land.
- Provision of financial services.
- Telecommunications network or service providers.
- Businesses that are wholly or mainly in direct marketing.
- Internet access providers.
- Transport services firms (including online passenger hailing applications).
- Public sector bodies.
- Businesses that process genetic data.
A Data Controller or Data Processor who fails to register or renew a certificate of registration and continues to process personal data risks a fine of up to three million shillings (Kshs. 3M) and/or imprisonment for a term of up to ten (10) years.
While not all organisations are required to register, registration is strongly encouraged as it serves as a critical first line of engagement with the ODPC in the event of a complaint or data breach and demonstrates an organisation’s commitment to lawful and responsible data handling. More importantly, it signals to employees, customers, and stakeholders that the organisation takes the right to privacy seriously and has put measures in place to protect personal data.
That said, registration does not determine the applicability of the law. Data controllers and data processors are bound by the obligations under the Data Protection Act regardless of whether they are registered or not, and failure to comply may still attract liability.
iii) When is the deadline for registration?
Registration commenced on 14th July 2022 following the commencement of the Data Protection (Registration of Data Controllers and Data Processors) Regulations, and is an ongoing obligation without a set timeline. Organizations should therefore take proactive steps to register rather than waiting to register only after a complaint is raised or a data breach occurs.
iv) When are you required to renew the certificate of registration?
The certificate of registration is valid for two (2) years from the date of issue.
Therefore, an application for renewal should be made at least 30 days before expiry to avoid lapses that may expose the organisation to enforcement action.
3. Updating Payroll Systems ahead of the 2026 NSSF Contribution Increase
With effect from 1st February 2026, NSSF contributions will increase in line with the 4th phase of implementation of the NSSF Act, 2013. The maximum monthly contribution will rise from Kshs. 4,320/= to Kshs. 6,480/= owing to the increase in pensionable earnings limits.
Employers must therefore update their payroll systems in good time to ensure accurate deductions and remittances. Miscalculations carry the risk of penalties from the regulator and potential claims from employees for non-compliance.
4. Registration with the Directorate of Occupational Safety and Health Services (DOSHS)
According to the Work Injury Benefits Act and the Occupational Safety and Health Act, every employer in Kenya is required to register their workplace with DOSHS. An employer who operates more than one workplace or carries on different classes of business may be required by the Director to obtain separate registration for each workplace or class of business. Employers must therefore ensure that all operational sites are duly registered and that registration details remain accurate and up to date.
5. Obtaining and Maintaining a Valid Work Injury Benefits (WIBA) Insurance Policy
Every employer is required to obtain and maintain a valid insurance policy to cover liabilities arising from work-related injuries or occupational diseases suffered by employees in the course of employment. Failure to do so is an offence which attracts a fine of up to one hundred thousand shillings (Kshs. 100,000) or imprisonment of up to three (3) months, or both.
6. Monitoring the Expiry of Fixed-Term Employment Contracts
Fixed-term contracts are valid for the duration specified in the contract and automatically lapse on the last date. However, if the organization fails to actively monitor contract timelines and allows employees to continue working beyond the expiry date, there is a risk of creating an implied contract of indefinite duration. In such situations, the organisation becomes bound to comply with the contractual and statutory termination processes should it later wish to end the relationship.
Therefore, companies should actively monitor fixed-term contracts and make deliberate decisions on renewal or exit before expiry to avoid unintended renewals and potential disputes.
7. Monitoring the Completion of Probationary Periods
Probationary periods serve as a critical evaluation window, typically lasting three (3) to six (6) months, to assess an employee’s performance and organizational fit. However, if a company fails to actively monitor these timelines and allows an employee to continue working beyond the probation period without a formal review or extension, the employee may be deemed confirmed into employment by operation of the law. Such confirmation alters the employment relationship, such as the applicable notice period, which shifts from the probationary notice of at least seven (7) days under the Employment Act to the relevant statutory or contractual notice requirements. In addition, the employee becomes entitled to full contractual benefits and enhanced statutory protections in the event of termination.
To avoid unintended confirmation and heightened legal exposure, employers should treat the probation end date as a firm decision-making point requiring a timely, documented outcome involving either confirmation, extension, or termination of employment, where any termination is carried out in accordance with statutory due process requirements.
Conclusion
Compliance requires deliberate planning and regular review. Beginning the year by addressing these key compliance areas enables employers to minimise legal risk, avoid regulatory penalties, and strengthen internal governance structures.
Employers are encouraged to take a proactive approach by conducting periodic compliance audits and addressing gaps early rather than reacting to enforcement action or disputes after the fact.
Contact Person & Contributor: Isabel Gakuo – Employment Law Associate
Email: igakuo@hrfleek.com
For more information, please reach out to:
HRFLEEK Services Limited
I&M Bank House, 3rd Floor, 2nd Ngong Avenue
Tel: 0117 646 059
Email: info@hrfleek.com