To print this article, all you need is to be registered or login on Mondaq.com.
It is now almost two years since Law No. 058/2021 of October 13,
2021, on the protection of personal data and privacy (the
“Data Protection Act” or
“DPA” or
“DPP“) came into force, subject to a
grace period of two years. This period ends on 15 October 2023,
leaving only four days to comply. The DPA sets out a comprehensive
framework for the protection of personal data, and this
comprehensive and far-reaching new law applies to all organisations
that collect or process personal data in Rwanda. This is especially
important for organisations that conduct business in Rwanda and
process the personal information of Rwandans, with significant
fines being imposed should they be found to be non-compliant.
Organisations that collect or process personal data in Rwanda
should take note of the following requirements and practical steps
in order to comply with the law:
- Registering as a data controller or data processor with the
National Cyber Security Authority (NCSA) - Designating a data protection officer (DPO)
- Implementing a privacy policy
- Conducting a Data Protection Impact Assessment (DPIA)
- Meeting all other requirements as may be prescribed by the
NCSA
Organisations can avoid severe penalties by ensuring full
compliance with the DPA. Instances of non-compliance include:
- Failure to designate a personal data protection officer
- Failure to register as a data controller or data processor or
operating without a registration certificate - Failure to maintain records of processed personal data
- Failure to notify a personal data breach
These instances of non-compliance can result in an
administrative fine of no less than RWF2000000 (approximately
USD2000) but not more than RWF5000000 (approximately USD5000) or 1%
of the global turnover of the preceding financial year.
In addition to financial penalties, non-compliance can result in
reputational damage and lead to a loss of customer trust.
Considering this looming deadline, it is crucial that businesses
take meaningful steps to comply with the requirements of the Data
Protection Act before the deadline. Organisations should consider
seeking legal advice to guide them towards full compliance with the
DPA before the grace period ends on 15 October 2023.
Reviewed by Eustache Ngoga, an Executive in Rwanda.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from Rwanda
Credit: Source link