Corporate Governance 2026

KENYA Law and Practice Contributed by: Sammy Ndolo, Brian Muchiri, Nicholas Owino and Valere Nyaboke, Cliffe Dekker Hofmeyr

Data Protection Disclosure Under the Data Protection Act, data controllers must provide certain information to data subjects at the point of data collection (or as soon as reasonably practicable thereafter). Where AI systems process personal data, this includes disclosure of the exist - ence of automated decision-making and the logic involved, to the extent that such disclosure does not adversely affect trade secrets or intellectual property. AI Bill Disclosure Requirements (If Enacted) If the AI Bill is enacted, it will impose specific trans - parency and disclosure obligations. Providers and deployers of AI systems will be required to disclose to users and affected persons: • the nature, purpose and limitations of the AI sys - tem; • the extent to which decisions or outputs are generated by automated processes, including any human intervention; and • measures taken to identify, mitigate and monitor biases and to ensure fairness. The failure to properly disclose may result in an enforcement action by the ODPC, administrative penalties, compensation claims by data subjects and reputational damage to companies. Providers of high-risk AI systems will also be required to submit annual compliance reports to the AI Com - missioner, with non-confidential information made publicly available.

tional damage can lead to significant financial loss, shareholder actions and increased regulatory scrutiny. Boards may be exposed where reputational harm results from inadequate oversight or failure to man - age foreseeable AI risks. Under the Companies Act, directors owe duties to promote the company’s suc - cess, including safeguarding its reputation. Failure to establish robust AI governance frameworks may therefore constitute a breach of duty where fore - seeable reputational harm materialises. 8.4 Key Disclosure Requirements for AI Use Capital Markets Disclosure Kenya does not currently have AI-specific disclosure requirements. However, under the Capital Markets Act and the POLD Regulations, listed companies must disclose all material risks affecting the company and its prospects in annual reports and prospectuses. Where AI systems are integral to a company’s opera - tions or present significant risks, such matters must be addressed in financial statements and manage - ment commentary. In addition, material events must be disclosed prompt - ly. AI-related incidents that may trigger disclosure obli - gations include: • data breaches involving personal data or confiden - tial information; • AI system failures materially affecting operations or financial performance; • cyberattacks or security incidents; and • regulatory investigations or enforcement actions.

423 CHAMBERS.COM

Powered by