Financial institutions in Kenya, including SACCOs, microfinance banks, and pension schemes, handle some of the most sensitive information in the country. Member savings, loan records, national ID numbers, next of kin details, and payroll data all pass through their systems every day. If this data is lost, leaked, or misused, the damage goes beyond a fine. It can destroy the trust that members and regulators have placed in an institution.
This is why data security and compliance can no longer be treated as an IT afterthought. They need to be built into the core systems that run the business, including the ERP and CRM platforms used for finance, membership records, and reporting. This article looks at how Microsoft Dynamics 365 supports data security and compliance, what Kenyan financial institutions are legally required to do, and practical steps to close the gap between the two.
Why This Topic Matters Now
Kenya's financial sector has become a frequent target of cybercrime and data misuse. Banks, SACCOs, and digital lenders have all faced scrutiny from regulators over how they collect, store, and share customer data. At the same time, members and clients are more aware of their data rights than they were five years ago. They ask questions. They complain. Some take institutions to court.
On top of this, regulators are watching more closely. The Office of the Data Protection Commissioner (ODPC) has moved from simply publishing guidance to actively issuing enforcement notices, penalty notices, and compensation orders against non-compliant organizations. The Central Bank of Kenya (CBK) and the Sacco Societies Regulatory Authority (SASRA) also expect regulated entities to demonstrate strong internal controls over data and systems.
For a SACCO, pension scheme administrator, or microfinance institution, this means data protection is now a board-level concern, not just a task for the IT department.

The Legal Framework Kenyan Financial Institutions Must Follow
The Data Protection Act, 2019
The Data Protection Act, 2019 (DPA) is Kenya's main data protection law. It applies to almost every organization that collects or processes personal data, and financial institutions are named directly as a sector that must comply, regardless of size.
Key obligations under the DPA include:
- Registration with the ODPC. Financial institutions are required to register as data controllers or data processors, regardless of turnover or employee count, because they are named as a sensitive sector.
- Lawful basis for processing. Every piece of personal data collected must have a clear legal reason behind it, such as consent, a contractual requirement, or a legal obligation.
- Data subject rights. Members and clients have the right to access their data, correct it, restrict its use, request deletion in some cases, and object to certain types of processing.
- Breach notification. If personal data is compromised, the institution must notify the ODPC and affected individuals within a short window after discovering the breach.
- Cross-border data transfer rules. Personal data cannot simply be moved outside Kenya unless there are proper safeguards in place, such as contractual clauses or confirmation that the receiving country offers adequate protection.
Non-compliance carries real financial consequences. Penalties can reach several million shillings or a percentage of annual turnover, in addition to reputational damage and possible suspension of data processing activities.
Sector-Specific Requirements
The DPA does not stand alone. It sits alongside sector rules from bodies such as the CBK and SASRA, which have their own expectations around IT governance, business continuity, and internal controls for regulated financial entities. In practice, this means a SACCO or microfinance institution must satisfy both the general data protection law and the specific requirements of its financial sector regulator at the same time.
This is one reason why a generic accounting system, or a patchwork of spreadsheets and disconnected software, becomes a serious liability. These tools were never designed with regulatory audit trails, access controls, or breach detection in mind.
How Dynamics 365 Supports Data Security
Microsoft Dynamics 365, including Business Central, is built on Microsoft's cloud infrastructure, which invests heavily in security because it serves regulated industries worldwide, including banks and government agencies. Below are the main security capabilities that are directly relevant to financial institutions in Kenya.
Role-Based Access Control
Not everyone in an organization needs to see everything. Dynamics 365 allows an institution to define exactly what each user can view, edit, or approve based on their job function. A loan officer, for example, can be restricted to loan records, while payroll data remains visible only to HR and finance staff. This directly supports the DPA's expectation that access to personal data is limited to what is necessary for a specific purpose.
Encryption of Data
Data in Dynamics 365 is encrypted both while it is stored and while it is moving between systems. This means that even if data were intercepted or a storage device were compromised, the information would not be readable without the proper encryption keys. This addresses one of the core technical safeguards regulators expect institutions to have in place.
Multi-Factor Authentication
Passwords alone are no longer considered sufficient protection. Dynamics 365 integrates with Microsoft Entra ID (formerly Azure Active Directory) to support multi-factor authentication, requiring a second form of verification, such as a code sent to a mobile device, before granting access. This significantly reduces the risk of unauthorized access from stolen or guessed passwords.
Audit Trails and Activity Logging
Every meaningful action in Dynamics 365, such as a record being changed, a payment being approved, or a report being exported, can be logged and traced back to a specific user and time. This is critical for regulatory audits, internal investigations, and demonstrating accountability when the ODPC, CBK, or SASRA asks how a particular piece of data was handled.
Data Residency and Regional Cloud Options
Cross-border data transfer is one of the more complex parts of the DPA to navigate. Microsoft publishes clear information on where data is stored and processed across its global data centers, which allows institutions to make informed decisions and put the right contractual safeguards in place when data does need to move across borders.
Built-In Threat Protection
Microsoft applies continuous threat monitoring across its cloud services, watching for unusual sign-in patterns, malware, and other indicators of compromise. For a small or mid-sized SACCO without a dedicated cybersecurity team, this brings a level of protection that would otherwise be very expensive to build in-house.

Where Technology Alone Is Not Enough
It is worth being honest about something here: software cannot make an institution compliant on its own. Dynamics 365 provides strong tools, but compliance also depends on how an institution configures the system, trains its staff, and manages its internal processes. Some gaps we frequently see include:
- Overly broad user permissions. Systems are sometimes configured with more access than staff actually need, simply because it is faster to set up.
- No formal Data Protection Officer. Many SACCOs and NGOs have not yet appointed a DPO or a designated data protection lead, even though this is expected under the DPA.
- Weak onboarding and offboarding processes. Former employees sometimes retain system access long after they have left, creating unnecessary risk.
- Lack of documented data flows. Institutions often cannot clearly explain, on paper, what personal data they collect, where it is stored, and who has access to it.
- Manual, disconnected reporting. When financial data lives in multiple disconnected spreadsheets or legacy systems, it becomes very difficult to prove who accessed what and when.
These gaps are not usually the result of negligence. They are the natural result of growing quickly without dedicated compliance resources. The good news is that most of them can be closed through better system configuration and a few internal policy changes, without needing to overhaul the entire organization.
Practical Steps for Kenyan Financial Institutions
1. Map Your Data
Before anything else, understand what personal data you collect, why you collect it, where it is stored, and who can access it. This becomes the foundation for both DPA compliance and a well-configured ERP system.
2. Configure Role-Based Access Properly
Work with your implementation partner to define user roles carefully within Dynamics 365, so that access matches job responsibilities rather than convenience.
3. Turn On Multi-Factor Authentication
This is one of the simplest and most effective steps an institution can take to reduce the risk of unauthorized access, and it should be enabled for every user without exception.
4. Appoint a Data Protection Lead
Even a part-time designated lead can help an institution stay on top of DPA obligations, coordinate breach response, and act as the point of contact for the ODPC if needed.
5. Review Audit Logs Regularly
Do not wait for an incident to check activity logs. Periodic review helps catch unusual behavior early and demonstrates ongoing diligence to regulators.
6. Train Staff on Data Handling
Most data breaches are not caused by sophisticated hackers. They are caused by simple human error, such as sending a report to the wrong recipient or using weak passwords. Regular, practical training closes this gap.
7. Document Everything
Keep records of your data protection policies, DPIAs (Data Protection Impact Assessments) where relevant, breach response procedures, and system configuration decisions. Documentation is often what separates a manageable regulatory conversation from a costly one.
Frequently Asked Questions
Does the Data Protection Act apply to small SACCOs and microfinance institutions?
Yes. Financial services is named directly as a sector that must register with the ODPC regardless of turnover or number of employees. Size does not exempt an institution from the DPA.
Can we keep using Excel and manual registers alongside Dynamics 365?
It is common for institutions to run parts of their operations on spreadsheets during a transition. However, spreadsheets do not provide access controls, encryption, or audit trails, so any personal data that lives outside the ERP system remains a compliance risk. The safest approach is to migrate sensitive records into the core system as quickly as possible.
Who is responsible for compliance, IT or management?
Both. IT teams and implementation partners are responsible for configuring systems correctly. Management and the board are responsible for setting policy, appointing a data protection lead, approving budgets for security measures, and holding staff accountable. Compliance fails when either side assumes it is solely the other's job.
How long does it take to bring an existing ERP system up to acceptable security standards?
This depends on the size of the institution and how the system is currently configured. A focused review of user roles, authentication settings, and audit logging can often be completed in a few weeks. Larger changes, such as full data mapping and policy development, typically take longer and should be treated as an ongoing program rather than a one-time project.
Conclusion
Data security and compliance are not optional extras for SACCOs, microfinance institutions, and pension schemes in Kenya. They are now a core part of doing business, shaped by both the Data Protection Act, 2019 and sector-specific regulatory expectations. Microsoft Dynamics 365 provides a strong technical foundation, with role-based access control, encryption, multi-factor authentication, audit trails, and built-in threat protection. But technology is only part of the answer. It must be paired with clear internal policies, trained staff, and ongoing attention from leadership.
Institutions that get this right protect more than just data. They protect the trust of the members and clients who depend on them.
Contact Us:
Office Number 718, 7th Floor, KU PLAZA, Haile Sallassie Avenue, Nairobi CBD
Postal Address: P.O Box 25063-00100, Nairobi, Kenya
Phone: +254743313103
E-mail: Info@fanisitech.com
Website: www.fanisitech.com
Latest Comments
No comments yet for this post. Be the first to comment
Comment on the blog "Data Security and Compliance in Dynamics 365 for …"