Uganda: Data Protection and Privacy Regulations passed and in force

OneTrust DataGuidance confirmed, on 19 May 2021, with Ritah Nakalema, Senior Associate at Engoru, Mutebi Advocates, that the Data Protection and Privacy Regulations, 2021 were approved and published in the Official Gazette on 12 March 2021.

In particular, the regulations provide for the establishment of a dedicated and independent data protection authority, the Personal Data Protection Office within the National Information Technology Authority - Uganda ('NITA-U'). Further to this, Nakalema highlighted, "The Personal Data Protection Office [...] is responsible for personal data protection under NITA-U and is in charge of the overall implementation of the Data Protection and Privacy Act, 2019, providing for administrative, civil or criminal sanctions and penalties among others. The Office will be fully functional upon appointment of the officers and the board."

Additionally, the regulations impose an obligation on data collectors, data controllers, and data processors to register with the Office, and set out detailed provisions as to the application procedure. Among other notable provisions, the regulations establish the obligation to conduct a Data Protection Impact Assessment when data processing poses a high risk to natural persons, provide for additional data subject rights such as the right to correct and delete personal data, and establish additional protection for minors.

Furthermore, the regulations provide that the Office will in the future publish generally accepted information security practices and specific industry professional rules and regulations applicable to the security of personal data, including both administrative and technical measures, which all data collectors, processors, and controllers must comply with.

Nakalema further clarified, "The Regulations [...] are now presently in force. The Regulations do not have a specified commencement date and under the Acts of Parliament Act of Uganda, where a law is made without a commencement date, the same is said to have come into force one month from the date of gazette."
