Explainer: How common loan recovery mistakes drain millions from lenders
When lenders chase unpaid loans, speed often feels more important than process.
But recent decisions by regulators such as the Office of the Data Protection Commissioner (ODPC) show that cutting corners in loan recovery can quietly cost lenders millions in fines, penalties, and reputational damage.
The biggest problem is how lenders handle borrowers' data.
In today’s digital economy, personal data is as valuable as cash. How a lender uses, stores, and shares a borrower’s information is tightly regulated.
In Kenya, the Data Protection Act, 2019 sets clear rules: personal and financial data can only be used for specific, lawful reasons such as customer consent, fulfilling a contract, or meeting a legal obligation.
Anything outside these grounds is illegal and can attract legal action against the lending firms.
Where lenders go wrong
One of the most common mistakes happens during loan recovery. When repayment delays occur, some lenders panic and begin sharing a borrower’s private information with third parties in an effort to apply pressure.
This may include sending payslips, bank statements, ID documents, or employment letters to workplaces, colleagues, guarantors, or even general customer service email addresses at banks. Often, these email accounts are accessed by multiple people who are not authorised to handle sensitive personal data.

Under the law, this is a serious violation. The Act defines processing very broadly: it includes transmitting, sharing, emailing, or making personal data available in any form. This means that even sending a document by email counts as data processing and must meet legal standards.
Sharing financial details without clear consent or legal authority automatically becomes unlawful processing.
Why consent matters
Many lenders assume that once a customer has taken a loan, they are free to use the customer’s information as they see fit. That assumption is wrong.
Consent must be specific and clear. It does not mean “use my data however you want.” If a lender wants to share information with third parties, such as employers or guarantors, this must be explicitly provided for in the contract or supported by another lawful basis under the Act.
Verbal discussions about repayment do not give lenders the right to circulate private documents.

Another costly mistake lenders make is ignoring regulatory notices.
When a complaint is filed, regulators usually ask lenders to explain their actions, provide contracts, and justify the legal basis for data sharing. Some institutions fail to respond, either through oversight or poor internal systems.
When a lender does not respond, regulators may proceed on the assumption that the allegations are true.
The result is an uncontested finding of wrongdoing, which can lead to enforcement action, penalties, and compliance orders.

The hidden cost
Beyond fines, the damage runs deeper. Data protection violations erode customer trust, attract negative publicity, and expose lenders to civil claims.
For institutions operating on thin margins, these losses can quietly add up to millions.
Loan recovery is not just about collecting money. It is about doing so lawfully, carefully, and responsibly.
Strong data protection policies, clear consent clauses, controlled access to customer data, and prompt responses to regulators are no longer optional.
They are essential safeguards against costly mistakes that lenders can no longer afford to ignore.