Become an expert on PrivacyOps - Start NowStart Now
On 15th October 2021, a data protection law was officially gazetted in Rwanda, the Law on the Protection of Personal Data and Privacy (Data Privacy Law). This law establishes obligations for businesses to maintain records of users’ personal data, designate an individual data protection officer carrying out DPIAs, and set up breach notification.
The Data Privacy Law also outlines several data subject rights for organizations already in operation. However, there’s a transition period before enforcement; companies and individuals in Rwanda that personal process data of individuals living in the country have up to October 2023 to plan and comply.
Rwanda’s Data Privacy Law is an important step that begins the foundational blocks for a more robust data privacy framework.
Rwanda’s Data Privacy Law requires local and international organizations to process personal data securely. This is extremely important given that the country is experiencing a massive wave of progressive development that gives birth to modern services such as e-commerce and trade.
Rwanda’s Data Privacy Law comes into enactment after a comprehensive consultation process. During the consultation process, multiple additions and revisions were received from private companies in Rwanda. The most feedback and corrections received were from the financial sector, which deals with Rwandese citizens' sensitive personal data.
According to Article 23 of the Constitution of Rwanda ('the Constitution'), the citizens of Rwanda are guaranteed the right to privacy as their fundamental right. It states as follows:
'The private life, family, home or correspondence of a person shall not be subjected to arbitrary interference; his or her honor and good reputation shall be respected. A person’s home is inviolable. No search of or entry into a home may be carried out without the owner’s consent, except in the circumstances and accordance with procedures determined by law. Confidentiality of correspondence and communication shall not be subject to waiver except in the circumstances and accordance with procedures determined by law.'
The statement mentioned above underpins the basis of the data protection law.
While the draft did take into account Rwanda’s culture, international best practices such as the GDPR were given significant consideration. In addition, the draft was heavily influenced by the African Union Convention on Cyber Security and Personal Data (Malabo Convention) that stresses the importance of respecting and protecting the rights of individuals both online and offline.
Let’s look into the key provisions of the law:
As per Article 2, Rwanda’s Data Privacy Law applies to data controllers, processors, or third parties that are established or ordinarily residing in Rwanda (not just citizens) and processing personal data while in Rwanda. It also applies to those that are not established or resided in Rwanda but process personal data of data subjects located in Rwanda.
This indicates that the application of the law isn’t just restricted to entities within the country but also to firms operating globally and dealing with Rwandan residents.
A data controller can be a natural person, public or private corporate body, or legal entity that processes personal data and determines the means of their processing.
To ensure smooth implementation, the National Cyber Security Authority (NCSA), the supervisory authority as per the law, will soon publish a compliance guide to help data processors and data controllers start the process. Here’s how they plan to implement the law:
The law requires data controllers and processors to ensure the fulfillment of the following data protection principles:
Data controllers must have a lawful basis for the processing of personal data. Where consent is used as a lawful basis of data processing, it is valid only when it is based on the data subject’s free decision after being informed of the consequences of his or her consent. Grounds for data processing are as follows:
Data controllers and processors have the following key responsibilities:
Rwanda’s Data Privacy Law provides control to data subjects over their personal data by providing them the following rights:
Rwanda’s Data Privacy Law requires data controllers to notify personal data breaches to the regulatory authority within 48 hours after becoming aware of the breach. Data processors are also required to notify data controllers.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, data controllers must communicate the breach to the data subject after becoming aware of it.
Personal data storage outside Rwanda is permitted only if the data controller or the data processor holds a valid registration certificate authorizing him or her to store personal data outside Rwanda. The supervisory authority issues such a certificate.
In addition, the law provides that cross-border data transfers are permitted under one of the following circumstances:
Failure to comply with the law may result in administrative fines on data controllers, data processors, and third parties.
The world is witnessing a massive debate concerning the accessibility and transmission of personal data. This has led organizations to become more cyber aware and privacy-conscious of their online and offline processes that deal with users’ data.
As such, organizations have an obligation to secure their consumers' data, all while adapting to unmanned privacy and security operations for prompt response and action. As users tenfold, organizations need to incorporate robotic automation to operationalize compliance without discounting the global standards.
While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.
Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Rwanda’s data protection law and other privacy and security regulations worldwide. See how it works. Request a demo today.
See how easy it is to manage privacy compliance with robotic automation.