The Analyst’s Inbox: Rwanda’s New Data Protection Law
Every week, the OneTrust DataGuidance in-house team of Privacy Analysts tackle several new questions submitted through our Ask an Analyst feature. In our latest installment of the Analyst’s Inbox we provide insight into a major update to privacy regulations in Rwanda.
As more nations transition into technology-enabled economies, we’ll continue to see new privacy laws issued worldwide that deal with personal data protection. Rwanda’s first-ever comprehensive data protection law went into effect on October 15, 2021. Organizations have a two-year grace period to meet its provisions. This blog post will examine the key considerations for compliance.
What is the scope of Rwanda’s new data protection law?
The Republic of Rwanda’s new data protection law, Law No. 058/2021 of 13 October 2021 Relating to the Protection of Personal Data and Privacy, establishes rights and freedoms for individuals and regulates how personal data is collected, stored, and processed by organizations.
The law states that data handlers must provide an explicit, legitimate purpose for collecting, storing, and processing personal data.
The law applies to data controllers, data processors, and third parties that:
- Are established or resident in Rwanda and process personal data while in Rwanda (this covers individuals and institutions located in Rwanda, whether or not the individuals are Rwandan citizens or residents); or
- Are neither established nor resident in Rwanda, but process the personal data of data subjects located in Rwanda.
Under the law, processing must remain consistent with the purpose stated at the time of collection. In other words, the Rwandan regulation prohibits using personal data for purposes other than the one originally specified.
The law provides several legal bases for processing personal data. Consent is one of them. Otherwise, data controllers and processors must be able to demonstrate that they are processing personal data on one of the following grounds:
- For the performance of a contract
- To fulfill a legal obligation
- To protect the vital interests of the data subject
- To act in the public interest
- To perform the duties of a public entity
- For the exercise of legitimate interests
- For authorized research purposes
Sensitive personal data requires additional justification, so the law sets out separate grounds for processing it. Consent is again one of the bases an organization may rely on. The other grounds include processing that is necessary to protect the vital interests of the data subject, for preventive or occupational medicine, for public health, for scientific or historical research, or for public safety.
Organizations must maintain accurate, up-to-date records of personal data at all times.
The law designates the National Cyber Security Authority (NCSA) as the supervisory authority responsible for compliance oversight and enforcement.
What are the key elements of this new law my organization needs to be aware of?
Registration with the NCSA
Rwanda’s new data law requires data controllers and processors to register with the NCSA through an application process run by the supervisory authority. The application identifies the data controller and/or processor, the categories of personal data collected, and the purposes for which the organization processes that data.
The NCSA will approve applications from organizations that meet the requirements within 30 working days. The registration certificate carries an expiration date, but the length of its validity period has not yet been specified.
DSARs and Disclosures to Data Subjects
Rwanda’s new data protection law sets a minimum standard for the information that must be disclosed to data subjects whenever their personal data is collected. This includes:
- The controller's contact details
- Purposes of the processing
- Recipients of the personal data
- Whether the provision of the personal data is voluntary or mandatory
- Data subject rights
- The existence of automated decision-making, including profiling
- Retention period
- Transfers of data outside Rwanda
- Any other information needed to ensure the personal data is processed fairly
The law also establishes requirements for data subject access requests (DSARs). Teams must be prepared to fulfill DSARs within 30 days, which includes informing any third parties holding the data subject’s personal data of erasure and/or copy requests.
Data teams must keep accurate records of personal data processing operations. The enforcement authority also specifies that teams must perform data protection impact assessments (DPIAs) whenever a processing activity risks infringing the rights of data subjects.
Public or private corporations must designate a Data Privacy Officer (DPO).
The NCSA regulates the storage and retention of personal data outside Rwanda, and transfers of personal data out of the country, through its certificate program. To receive authorization, organizations must demonstrate that their transfer operations provide adequate safeguards for the personal data.
The law also requires a written contract governing the relationship between a data controller and its data processor, so that each party’s technical and business operations are carried out in compliance with the law.
Protocols for Data Breach Incidents
Upon becoming aware of a data breach, controllers and processors have 48 hours to alert the NCSA and 72 hours to provide a report with all known details. If the investigation determines that individuals are at risk as a result of the incident, controllers must notify the affected individuals in an expedited manner.
If a processor becomes aware of a data breach, they have 48 hours to notify the controller.
Fines and Consequences for Non-compliance
Individuals have the right to pursue compensation through the Rwandan court system if an organization violates their data rights. Claimants will have to prove damages as a result of the controller’s or processor’s actions.
The NCSA will levy fines on controllers, processors, and/or third parties for non-compliance. There are nine categories of administrative misconduct, carrying fines of between RWF 2,000,000 (approximately USD 2,000) and RWF 5,000,000 (approximately USD 5,000). For corporate bodies and legal entities, the limit is 1% of the previous year’s global revenue.
Articles 56 to 61 of the law define the major offenses. Organizations must never:
- Access, collect, use, share, transfer, or disclose data in a way that is contrary to the law.
- Reidentify anonymized personal data without permission.
- Destroy, erase, or conceal personal data in an unauthorized way.
- Sell personal data without express approval.
- Mishandle sensitive personal data.
- Provide false information to the NCSA.
These major offenses carry fines up to 5% of the previous year’s global revenue.
Next Steps for Privacy Teams
The two-year grace period ends on October 15, 2023, giving global data and privacy teams until then to prepare. Stay tuned: the NCSA has pledged to publish an implementation calendar with compliance milestones to set clear goals and assist with the transition.
Learn how OneTrust can help you prepare for the Rwanda data protection law by bringing regulatory intelligence, automation, and flexible solutions into your privacy program.
Further resources for Rwanda's new data protection law:
- OneTrust DataGuidance News: Data protection law published in the Official Gazette
- OneTrust DataGuidance Insight: New personal data protection law - Key aspects
- OneTrust Solutions: Privacy Management Tools
More from The Analyst's Inbox series:
- OneTrust DataGuidance Blog: The Analyst's Inbox - Diversity Data and Background Checks
- OneTrust DataGuidance Blog: The Analyst's Inbox: China's PIPL
- OneTrust DataGuidance Blog: The Analyst's Inbox: TIAs & SCCs