
IT Disaster Recovery Plan (Kenya)


Data Protection Act No. 24 of 2019

IT Disaster Recovery Plan

IT DISASTER RECOVERY PLAN

Organisation: [Organisation Name]
Physical Address: [Organisation Address]
ODPC Registration No.: [Odp Registration No]
Plan Version: [Plan Version]
Approval Date: [Plan Approval Date]
Next Review Date: [Next Review Date]

Prepared in compliance with:
— Data Protection Act No. 24 of 2019, section 41
— Data Protection (General) Regulations 2021, Regulation 26
— Computer Misuse and Cybercrimes Act No. 5 of 2018
— Central Bank of Kenya Prudential Guideline CBK/PG/21 (where applicable)
— ICT Authority of Kenya IT Security Standards

1. Purpose, Scope and Objectives

1.1 PURPOSE
This IT Disaster Recovery Plan ("DRP") of [Organisation Name] establishes the procedures, responsibilities, and resources required to restore critical IT systems and personal data following a disruptive incident, in compliance with section 41 of the Data Protection Act No. 24 of 2019 and applicable Central Bank of Kenya prudential guidelines.

1.2 SCOPE
This DRP covers the following critical IT systems and data repositories:
[Critical Systems]
The plan applies to all staff, contractors, and third-party service providers who operate, maintain, or support covered systems.

1.3 RECOVERY OBJECTIVES
Recovery Time Objective (RTO): [Rto Hours] hours (maximum acceptable downtime, measured from disaster declaration to system restoration)
Recovery Point Objective (RPO): [Rpo Hours] hours (maximum acceptable data loss, measured in time; the most recent usable backup must never be older than this, so the backup schedule in section 4.1 must run at least this often)
These objectives are reviewed annually and tested at least [Testing Frequency].

2. Disaster Recovery Team and Responsibilities

2.1 DISASTER DECLARATION AUTHORITY
A disaster may be declared by: [Disaster Declaration Authority]
Upon declaration, the IT Disaster Recovery Team is immediately activated.

2.2 DISASTER RECOVERY TEAM
┌─────────────────────────────┬───────────────────────────────────┐
│ Role                        │ Responsibilities                  │
├─────────────────────────────┼───────────────────────────────────┤
│ IT Manager / CTO            │ Overall DR coordination           │
│ [It Manager]                │ Technical recovery leadership     │
├─────────────────────────────┼───────────────────────────────────┤
│ Data Protection Officer     │ ODPC notification (72-hr rule)    │
│ [Data Protection Officer]   │ Data subject communications       │
│ [Dpo Email]                 │ Regulatory compliance oversight   │
├─────────────────────────────┼───────────────────────────────────┤
│ System Administrators       │ System restore and verification   │
├─────────────────────────────┼───────────────────────────────────┤
│ Security Officer            │ Forensic evidence preservation    │
│                             │ Liaison with KE-CIRT/CC and DCI   │
├─────────────────────────────┼───────────────────────────────────┤
│ Communications Lead         │ Staff, client, and media comms    │
└─────────────────────────────┴───────────────────────────────────┘

3. Incident Response Procedures

3.1 IMMEDIATE RESPONSE (0–2 HOURS)
Step 1: CONTAIN — Isolate affected systems from the network immediately to prevent spread, while preserving forensic evidence as required by the Computer Misuse and Cybercrimes Act No. 5 of 2018 section 36. Contain at the network layer (disable switch ports, move hosts to a quarantine VLAN, or tighten cloud security-group rules) rather than powering systems off, so that volatile memory, running processes, and local logs remain available for forensic capture.
Step 2: ASSESS — Determine the nature and extent of the incident (cyberattack, hardware failure, natural disaster, human error).
Step 3: DECLARE — The [Disaster Declaration Authority] formally declares a disaster and activates this DRP.
Step 4: NOTIFY EXTERNALLY — Contact the following within the first 2 hours:
[Incident Notification Contacts]

3.2 REGULATORY NOTIFICATION
If personal data has been compromised, the Data Protection Officer ([Data Protection Officer], [Dpo Email]) must notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach, as required by section 43 of the Data Protection Act No. 24 of 2019. The notification must include:
— the nature of the breach;
— the categories and number of data subjects affected;
— the categories and number of records affected;
— the likely consequences of the breach; and
— the measures taken to address the breach.

3.3 RECOVERY INITIATION
Following containment and notification, the IT Manager ([It Manager]) initiates the technical recovery sequence in section 4.2, targeting the RTO of [Rto Hours] hours and the RPO of [Rpo Hours] hours.

4. Backup and Recovery Architecture

4.1 BACKUP STRATEGY
Primary DR / Backup Site: [Backup Location]
Backup Schedule:
— Full backup: Weekly (retained for 90 days)
— Incremental backup: Daily (retained for 30 days)
— Transaction log backup: Hourly (retained for 7 days)
All backup media and cloud storage must be encrypted using AES-256. Encryption keys must be stored separately from the backup data, so that loss or theft of backup media alone does not expose personal data. At least one backup copy must be held offline or in immutable (write-once) storage, so that a ransomware attack or a compromised administrator account cannot delete or encrypt the backups together with the production systems they protect.

4.2 RECOVERY SEQUENCE
Priority 1 (restore within RTO [Rto Hours] hours):
— Authentication and identity management systems
— Core business applications
— Customer-facing systems processing personal data
Priority 2 (restore within 2× RTO):
— Internal communication systems
— Reporting and analytics platforms
Priority 3 (restore within 72 hours):
— Non-critical internal tools and archives

4.3 DATA INTEGRITY VERIFICATION
Following restoration, the IT team must verify data integrity by comparing the restored data against the checksums recorded for the last known-good backup before returning systems to production. The checksums must be generated at backup time and stored separately from the backup data (alongside the encryption keys, not on the backup media), so that corruption or tampering of the backup set itself is detectable rather than silently restored.
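The following is an added example, not part of the Forms Legal template, showing one way to implement the section 4.3 check and the RPO test from section 1.3 in code. It assumes (these are the example's own choices, not requirements stated on the page) that a SHA-256 digest is recorded per file in a JSON manifest at backup time, and that the manifest is sealed with an HMAC whose key is held outside the backup set, in line with the section 4.1 rule that keys live separately from backup data. A bare checksum list detects corruption but not an attacker who rewrites both the backup and its checksums; the separately held key closes that gap. The sample files and timestamps are constructed for the demonstration; only the Python standard library is used.

```python
"""Backup integrity manifest: build at backup time, verify after restore.

Added example (not the template's own text). Assumed design: per-file
SHA-256 digests in a JSON manifest, sealed with an HMAC keyed from a
secret kept outside the backup set (e.g. in the organisation's KMS).
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, Tuple


def snapshot_dir(root: Path) -> Dict[str, bytes]:
    """Read every regular file under root into {relative_path: contents}."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): p.read_bytes()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def _seal(body: dict, manifest_key: bytes) -> str:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(manifest_key, canonical, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], taken_at: datetime, manifest_key: bytes) -> dict:
    """Record a SHA-256 digest per file plus the backup time, sealed with an HMAC."""
    body = {
        "taken_at": taken_at.isoformat(),
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
    }
    return {**body, "mac": _seal(body, manifest_key)}


def manifest_is_authentic(manifest: dict, manifest_key: bytes) -> bool:
    """True only if the manifest was sealed with manifest_key and not edited since."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    return hmac.compare_digest(_seal(body, manifest_key), manifest.get("mac", ""))


def verify_restore(restored: Dict[str, bytes], manifest: dict, manifest_key: bytes) -> dict:
    """Compare a restored file set against the manifest of the known-good backup."""
    result = {"authentic": manifest_is_authentic(manifest, manifest_key),
              "missing": [], "modified": [], "unexpected": []}
    if not result["authentic"]:
        result["ok"] = False  # never trust digests taken from a tampered manifest
        return result
    expected = manifest["files"]
    for name, digest in expected.items():
        if name not in restored:
            result["missing"].append(name)
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            result["modified"].append(name)
    result["unexpected"] = sorted(set(restored) - set(expected))
    result["ok"] = not (result["missing"] or result["modified"] or result["unexpected"])
    return result


def rpo_met(manifest: dict, disaster_time: datetime, rpo_hours: float) -> Tuple[bool, float]:
    """Data loss on restore equals the backup's age at the moment of the disaster."""
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    age_hours = (disaster_time - taken_at).total_seconds() / 3600.0
    return age_hours <= rpo_hours, age_hours


def demo() -> dict:
    """Run the checks on constructed sample data and return every intermediate result."""
    key = b"manifest-hmac-key-held-in-the-kms-not-on-backup-media"  # constructed
    backup_time = datetime(2026, 1, 10, 2, 0, tzinfo=timezone.utc)   # constructed
    originals = {"db/customers.sql": b"INSERT INTO customers ...",    # constructed
                 "app/config.yaml": b"db_host: primary\n"}
    manifest = build_manifest(originals, backup_time, key)

    restored = dict(originals)
    restored["app/config.yaml"] = b"db_host: attacker\n"  # one file altered after restore
    report = verify_restore(restored, manifest, key)

    # Disaster strikes five hours after the backup; the plan's RPO here is four hours.
    rpo_ok, age = rpo_met(manifest, backup_time + timedelta(hours=5), rpo_hours=4)
    return {"key": key, "manifest": manifest, "originals": originals,
            "report": report, "rpo_ok": rpo_ok, "backup_age_hours": age}


if __name__ == "__main__":
    r = demo()
    print("restore ok:", r["report"]["ok"], "modified:", r["report"]["modified"])
    print(f"RPO met: {r['rpo_ok']} (backup was {r['backup_age_hours']:.1f} h old)")
```

In use, `build_manifest(snapshot_dir(backup_root), now, key)` runs as the last step of each backup job and the manifest is written next to the key material, not onto the backup media; after a restore, `verify_restore(snapshot_dir(restore_root), manifest, key)["ok"]` is the gate before systems return to production. Files present after restore but absent from the manifest are reported as `unexpected` on purpose: a restore from a known-good set should not produce files the set never contained.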

5. Testing, Review and Compliance

5.1 TESTING PROGRAMME
This DRP shall be tested [Testing Frequency] through one or more of the following methods:
— Full failover test (actual switchover to DR site)
— Simulation test (parallel recovery without production impact)
— Tabletop exercise (walkthrough of procedures with DR team)
Each test must record the recovery time and data loss actually achieved and compare them against the RTO and RPO in section 1.3; a test that restores the systems but misses either objective is recorded as a gap, not a pass. All test results, gaps identified, and remediation actions must be documented and retained for a minimum of three years as evidence of compliance with the Data Protection Act No. 24 of 2019 and the Central Bank of Kenya prudential guidelines.

5.2 PLAN REVIEW
This DRP shall be reviewed and updated:
— Annually, by the next review date: [Next Review Date]
— After any significant change to IT infrastructure
— After any actual disaster or near-miss incident
— When regulatory requirements change

5.3 APPROVAL
This IT Disaster Recovery Plan version [Plan Version] is approved by:
Name: _________________________
Title: [Disaster Declaration Authority]
Signature: _________________________
Date: [Plan Approval Date]
Organisation: [Organisation Name]
ODPC Registration No.: [Odp Registration No]

Approving Authority (CEO / CIO)

________________

Signature

Data Protection Officer

________________

Signature

IT Manager / CTO

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is an IT Disaster Recovery Plan (Kenya)?

An IT Disaster Recovery Plan in Kenya documents the procedures, responsibilities, and resources an organisation will use to restore its critical IT systems and personal data after a disruptive incident, in a form that management, auditors, and regulators such as the Office of the Data Protection Commissioner can rely on.

The Data Protection (General) Regulations, 2021 published under Legal Notice No. 217 of 2021 elaborate on section 41 by requiring data controllers to conduct regular testing and evaluation of the effectiveness of technical and organisational measures, including disaster recovery procedures. Regulation 26 of the Data Protection (General) Regulations requires data processors to implement technical measures including data backup, recovery systems, and documented recovery procedures as contractual obligations enforceable by the data controller.

Beyond data protection law, the Kenya Information and Communications Act (Cap. 411A) as amended, administered by the Communications Authority of Kenya (CA), requires licensed telecommunications service providers and internet service providers to maintain business continuity and disaster recovery capabilities as conditions of their operating licences under the Kenya Information and Communications (Licensing) Regulations 2010. The Central Bank of Kenya Prudential Guideline on Business Continuity Management (CBK/PG/21) requires all banks and financial institutions licensed under the Banking Act (Cap. 488) to maintain tested IT disaster recovery plans with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

The ICT Authority of Kenya — established under the ICT Authority Act No. 27 of 2013 — has published the Kenya National ICT Master Plan and IT security standards that provide technical guidance on disaster recovery architecture for government agencies and public sector entities procuring ICT services under the Public Procurement and Asset Disposal Act No. 33 of 2015. The National Computer and Cybercrime Coordination Committee (NC4) established under the Computer Misuse and Cybercrimes Act No. 5 of 2018 coordinates national-level responses to cybersecurity incidents that may trigger organisational-level disaster recovery activation.

A well-structured IT Disaster Recovery Plan addresses three dimensions: prevention (hardening systems to reduce the likelihood of disasters); response (immediate actions to contain damage and preserve evidence under the Computer Misuse and Cybercrimes Act No. 5 of 2018); and recovery (systematic restoration of systems within agreed RTOs and RPOs). The plan must be tested at least annually through tabletop exercises, simulation tests, or full failover tests to remain effective and to satisfy regulatory requirements under the Central Bank of Kenya prudential guidelines and the ODPC framework.

When Do You Need an IT Disaster Recovery Plan (Kenya)?

An IT Disaster Recovery Plan is needed by every Kenyan organisation that relies on information technology systems for its operations and processes personal data subject to the Data Protection Act No. 24 of 2019.

Banks and financial institutions regulated by the Central Bank of Kenya under the Banking Act (Cap. 488) must maintain a tested IT Disaster Recovery Plan as a mandatory condition of their operating licence. The CBK Prudential Guideline CBK/PG/21 on Business Continuity Management requires banks to document RTOs and RPOs for all critical systems and to test recovery capabilities at least twice annually. Mobile money operators licensed under the National Payment System Act No. 39 of 2011 — such as those operating M-PESA infrastructure — face the same requirements.

Healthcare facilities processing patient health records — which constitute sensitive personal data under section 2 of the Data Protection Act No. 24 of 2019 — must implement disaster recovery procedures to protect medical records under both the Data Protection Act and the Health Act No. 21 of 2017 administered by the Ministry of Health.

Government agencies and county governments processing citizen data through eCitizen and Huduma Centres are required to maintain disaster recovery plans under the ICT Authority of Kenya standards and the Kenya National Cybersecurity Strategy 2022–2027 published by the Ministry of Information, Communications and Digital Economy.

E-commerce businesses and technology companies processing payment card data must comply with the PCI DSS (Payment Card Industry Data Security Standard), whose Requirement 12.10 calls for an incident response plan that includes business recovery and continuity procedures. The Communications Authority of Kenya requires licensed ISPs and telecommunications operators to submit disaster recovery plans as part of their annual licence compliance reports.

Any organisation that has registered as a data controller or data processor with the Office of the Data Protection Commissioner under section 17 of the Data Protection Act No. 24 of 2019 should maintain a current, tested IT Disaster Recovery Plan as evidence of compliance with section 41 technical and organisational measures obligations.

Organisations in Kenya should prepare an IT Disaster Recovery Plan proactively, before an incident occurs, rather than attempting to write one while systems are already down. Regulators and courts assess compliance on the basis of documented, tested procedures rather than informal arrangements. Under the Companies Act No. 17 of 2015, the Registrar of Companies at the Office of the Attorney General maintains the register of Kenyan companies. Section 3 of the Law of Contract Act (Cap. 23) governs contractual obligations, including those between a data controller and its processors. The Competition Authority of Kenya (CAK) enforces the Competition Act No. 12 of 2010. The Kenya Revenue Authority (KRA) administers corporate tax under the Income Tax Act (Cap. 470). The High Court of Kenya has unlimited original jurisdiction under Article 165 of the Constitution of Kenya 2010. Where the organisation carries on regulated activities, prior approval from the relevant authority may be required before the plan or its DR arrangements are put into effect.

What to Include in Your IT Disaster Recovery Plan (Kenya)

A legally compliant and operationally effective IT Disaster Recovery Plan for Kenya must contain the following key elements aligned with the Data Protection Act No. 24 of 2019, the Data Protection (General) Regulations 2021, and the ICT Authority of Kenya technical standards.

**Plan Scope and Objectives:** A clear statement of the systems, applications, data repositories, and facilities covered by the plan; the Recovery Time Objective (RTO) — the maximum acceptable downtime for each critical system; and the Recovery Point Objective (RPO) — the maximum acceptable data loss measured in time.

**Risk Assessment and Business Impact Analysis:** An inventory of IT assets and their criticality ratings; a risk register identifying threats such as ransomware, insider threats, power failures, and natural disasters specific to the Kenyan operating environment; and a Business Impact Analysis (BIA) quantifying the financial, operational, regulatory, and reputational consequences of system unavailability.

**Disaster Declaration Criteria:** Defined thresholds and criteria for declaring a disaster and activating the DRP, including the authority responsible for disaster declaration — typically the Chief Information Officer or Chief Technology Officer — and escalation procedures to the Board Risk Committee required under the Central Bank of Kenya prudential guidelines.

**Incident Response and Notification:** Procedures for immediate response to a disaster event, including containment of damage, forensic evidence preservation under the Computer Misuse and Cybercrimes Act No. 5 of 2018, and notification to the Office of the Data Protection Commissioner within 72 hours of becoming aware of a personal data breach as required by section 43 of the Data Protection Act No. 24 of 2019.

**Recovery Procedures:** Step-by-step technical procedures for restoring each critical system, including the sequence of recovery actions, responsible personnel, fallback systems, and verification checkpoints. Cloud backup and recovery procedures referencing the organisation's cloud service agreement and the data localisation considerations under the Data Protection (General) Regulations 2021.

**Roles and Responsibilities:** A Disaster Recovery Team structure with named individuals or roles, their contact details, and specific responsibilities during recovery operations. The team must include a Data Protection Officer registered under section 24 of the Data Protection Act No. 24 of 2019.

**Testing and Review:** A schedule for annual full disaster recovery tests, quarterly tabletop exercises, and post-incident reviews. Test results, gaps identified, and remediation actions must be documented and retained for at least three years as evidence of compliance with ODPC requirements.

**Vendor and Third-Party Contacts:** Contact details for critical IT vendors, cloud service providers, internet service providers, and the Computer Emergency Response Team of Kenya (KE-CIRT/CC) operated by the Communications Authority of Kenya.

Forms Legal provides this template to assist Kenyan organisations in building compliant disaster recovery documentation. Engage a certified IT professional and an advocate enrolled with the Law Society of Kenya to tailor the plan to your organisation's specific regulatory obligations. The forms-legal.com IT Disaster Recovery Plan (Kenya) template covers the mandatory elements under the Data Protection Act No. 24 of 2019.


Source: Forms Legal (2026), IT Disaster Recovery Plan (Kenya), https://forms-legal.com/kenya/business/policies/it-disaster-recovery-plan-kenya


Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
