Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Uganda: Data Protection and Privacy Regulations passed and in force
OneTrust DataGuidance confirmed, on 19 May 2021, with Ritah Nakalema, Senior Associate at Engoru, Mutebi Advocates, that the Data Protection and Privacy Regulations, 2021 were approved and published in the Official Gazette on 12 March 2021.
In particular, the regulations provide for the establishment of a dedicated and independent data protection authority, the Personal Data Protection Office within the National Information Technology Authority - Uganda ('NITA-U'). Further to this, Nakalema highlighted, "The Personal Data Protection Office [...] is responsible for personal data protection under NITA-U and is in charge of the overall implementation of the Data Protection and Privacy Act, 2019, providing for administrative, civil or criminal sanctions and penalties among others. The Office will be fully functional upon appointment of the officers and the board."
Additionally, the regulations impose an obligation on data collectors, data controllers, and data processors to register with the Office, setting out detailed provisions as to the application procedure, and, among other notable provisions, establish the obligation to conduct a Data Protection Impact Assessment when data processing poses a high risk to natural persons, provide for additional data subject rights such as the right to correct and delete personal data, and establish additional protection for minors.
Furthermore, the regulations provide that the Office will in the future publish generally accepted information security practices and specific industry professional rules and regulations applicable to the security of personal data, including both administrative and technical measures, which all data collectors, processors, and controllers must comply with.
Nakalema further clarified, "The Regulations [...] are now presently in force. The Regulations do not have a specified commencement date and under the Acts of Parliament Act of Uganda, where a law is made without a commencement date, the same is said to have come into force one month from the date of gazette."
You can read the regulations here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
