Uganda: PDPO releases report on DPO training
The Personal Data Protection Office ('PDPO') published, on 6 February 2023, its Data Protection Officer Training Needs Assessment Report, dated November 2022. In particular, the report explains that the PDPO conducted an assessment survey among the 510 data protection officers ('DPOs'), designated by the registered entities as of 13 October 2022, in order to establish the gaps in skills required by DPOs to perform tasks related to ensuring compliance under the Data Protection and Privacy Act 2019 ('the Act'). More specifically, the assessment sought to, among other things, identify the level of involvement of DPOs in governance of data protection and privacy activities, establish whether DPOs develop and implement data protection and privacy awareness programs, and establish the DPOs' knowledge and understanding of audit/assessment, breach and complaints management procedures.
Moreover, the report highlights that almost all the assessed DPOs did not have any certification in data protection, that most of them had limited knowledge regarding how to develop and implement a privacy management programme and that the majority had not been involved in conducting Data Protection Impact Assessments ('DPIA'). In light of the above, the PDPO encouraged DPOs to obtain certifications in data protection and recommended them to train and focus on the following areas, among others:
- development and implementation of policies and procedures on data protection and privacy;
- information security;
- records management and retention and privacy notices;
- development and implementation of an awareness and training program;
- management and resolution of personal data security breaches and complaints;
- how to conduct data protection and privacy audits and DPIAs;
- Privacy by Design and Default; and
- overview of cross-border data transfer mechanisms.
Lastly, the report adds that the PDPO should develop and publish guidance notes related to, firstly, the designation of a DPO highlighting skills needed to perform the role and, secondly, cross-border data transfer mechanisms under the Act.
You can read the report here.