Products
By Use Cases By Roles
Data Command Center
View
Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Knowledge Center » Data Privacy Automation

Overview of Rwanda’s Data Protection Law

By Anas Baig

Published November 25, 2021 / Updated November 27, 2023

On 15th October 2021, a data protection law was officially gazetted in Rwanda, the Law on the Protection of Personal Data and Privacy (Data Privacy Law). This law establishes obligations for businesses to maintain records of users’ personal data, designate an individual data protection officer carrying out DPIAs, and set up breach notification.

The Data Privacy Law also outlines several data subject rights for organizations already in operation. However, there’s a transition period before enforcement; companies and individuals in Rwanda that personal process data of individuals living in the country have up to October 2023 to plan and comply.

Rwanda’s Data Privacy Law is an important step that begins the foundational blocks for a more robust data privacy framework.

Rwanda’s Data Privacy Law requires local and international organizations to process personal data securely. This is extremely important given that the country is experiencing a massive wave of progressive development that gives birth to modern services such as e-commerce and trade.

Rwanda’s Data Privacy Law comes into enactment after a comprehensive consultation process. During the consultation process, multiple additions and revisions were received from private companies in Rwanda. The most feedback and corrections received were from the financial sector, which deals with Rwandese citizens' sensitive personal data.

According to Article 23 of the Constitution of Rwanda ('the Constitution'), the citizens of Rwanda are guaranteed the right to privacy as their fundamental right. It states as follows:

'The private life, family, home or correspondence of a person shall not be subjected to arbitrary interference; his or her honor and good reputation shall be respected. A person’s home is inviolable. No search of or entry into a home may be carried out without the owner’s consent, except in the circumstances and accordance with procedures determined by law. Confidentiality of correspondence and communication shall not be subject to waiver except in the circumstances and accordance with procedures determined by law.'

The statement mentioned above underpins the basis of the data protection law.

While the draft did take into account Rwanda’s culture, international best practices such as the GDPR were given significant consideration. In addition, the draft was heavily influenced by the African Union Convention on Cyber Security and Personal Data (Malabo Convention) that stresses the importance of respecting and protecting the rights of individuals both online and offline.

Key Provisions

Let’s look into the key provisions of the law:

Application and Territorial Impact

As per Article 2, Rwanda’s Data Privacy Law applies to data controllers, processors, or third parties that are established or ordinarily residing in Rwanda (not just citizens) and processing personal data while in Rwanda. It also applies to those that are not established or resided in Rwanda but process personal data of data subjects located in Rwanda.

This indicates that the application of the law isn’t just restricted to entities within the country but also to firms operating globally and dealing with Rwandan residents.

A data controller can be a natural person, public or private corporate body, or legal entity that processes personal data and determines the means of their processing.

Regulatory Body

To ensure smooth implementation, the National Cyber Security Authority (NCSA), the supervisory authority as per the law, will soon publish a compliance guide to help data processors and data controllers start the process. Here’s how they plan to implement the law:

Create awareness: NCSA and other stakeholders will conduct sessions to educate the general public and the specific concerned sectors on the requirements for compliance.
Registration of data processors or data controllers: Organizations that process personal data or intend to be data controllers or data processors are required to register with the NCSA. This would allow the regulatory body to identify companies that handle personal data and hold them responsible in case of a data breach or violation of the law.

Data Protection Principles

The law requires data controllers and processors to ensure the fulfillment of the following data protection principles:

Personal data to be processed lawfully, fairly, and transparently.
Personal data to be collected only for explicit, specified, and legitimate purposes.
Personal data to be kept accurate and up-to-date.
Personal data to be retained no longer than is necessary for the purposes it is processed.
Personal data to be processed in compliance with the rights of data subjects.

Lawful Grounds of Processing

Data controllers must have a lawful basis for the processing of personal data. Where consent is used as a lawful basis of data processing, it is valid only when it is based on the data subject’s free decision after being informed of the consequences of his or her consent. Grounds for data processing are as follows:

Data subject’s consent.
Performance of a contract.
Compliance with a legal obligation.
Data subject’s vital interests.
Public interest.
Performance of public duties of a public entity.
Legitimate interests of the data controller.
Research purposes upon authorization by relevant institution.

Key Responsibilities of Data Controllers and Data Processors

Data controllers and processors have the following key responsibilities:

Implement data security measures.
Maintain a record of personal data processing operations.
Carry out data protection impact assessments where the processing is likely to result in a high risk to data subjects.

Data subjects’ rights

Rwanda’s Data Privacy Law provides control to data subjects over their personal data by providing them the following rights:

Right to information.
Right to access.
Right to object.
Right to personal data portability.
Right to not be subject to automated decision-making.
Right to restriction of processing.
Right to erasure.
Right to rectification.
Right to designate an heir to personal data.
Right to representation.

Breach notification

Rwanda’s Data Privacy Law requires data controllers to notify personal data breaches to the regulatory authority within 48 hours after becoming aware of the breach. Data processors are also required to notify data controllers.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, data controllers must communicate the breach to the data subject after becoming aware of it.

Cross Border Data Transfers

Personal data storage outside Rwanda is permitted only if the data controller or the data processor holds a valid registration certificate authorizing him or her to store personal data outside Rwanda. The supervisory authority issues such a certificate.

In addition, the law provides that cross-border data transfers are permitted under one of the following circumstances:

Authorization from the supervisory authority after providing proof of appropriate safeguards with respect to the protection of personal data,
Where the data subject has provided his/her consent,
Where a transfer is necessary for the performance of a contract, public interests grounds, the exercise of a legal claim, protection of vital interests of the data subject or of another person, legitimate interests of the controller, or for the performance of international instruments ratified by Rwanda.

Failure to comply with the law may result in administrative fines on data controllers, data processors, and third parties.

How Securiti Can Help

The world is witnessing a massive debate concerning the accessibility and transmission of personal data. This has led organizations to become more cyber aware and privacy-conscious of their online and offline processes that deal with users’ data.

As such, organizations have an obligation to secure their consumers' data, all while adapting to unmanned privacy and security operations for prompt response and action. As users tenfold, organizations need to incorporate robotic automation to operationalize compliance without discounting the global standards.

While multiple services offer software that enables companies to comply with global privacy regulations, those solutions only go as far as possible with various restrictions or elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Rwanda’s data protection law and other privacy and security regulations worldwide. See how it works. Request a demo today.

Rwanda has a data protection law known as the Law on the Protection of Personal Data and Privacy (Data Privacy Law). It came into effect on 15th October 2021.

The data privacy policy in Rwanda, established by the Law on the Protection of Personal Data and Privacy (Data Privacy Law), aims to protect individuals' personal data by regulating its collection, processing, and use. It applies to data controllers, processors, or third parties that are established or ordinarily residing in Rwanda (not just citizens) and processing personal data while in Rwanda. It also applies to those not established or residing in Rwanda but processing the personal data of data subjects located in Rwanda.

The law requires data controllers and processors to ensure personal data is:

processed lawfully, fairly, and transparently;
collected only for explicit, specified, and legitimate purposes;
kept accurate and up-to-date;
retained no longer than is necessary for the purposes it is processed; and
processed in compliance with the rights of data subjects.

Authored by Anas Baig

Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs.His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.

Take a
Product Tour

See how easy it is to manage privacy compliance with robotic automation.

Watch a demo

At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.