
Overview of Rwanda’s Data Protection Law

On 15 October 2021, a data protection law was officially gazetted in Rwanda: the Law on the Protection of Personal Data and Privacy (Data Privacy Law). This law obliges businesses to maintain records of users’ personal data, designate a data protection officer, carry out DPIAs, and set up breach notification.

The Data Privacy Law also outlines several data subject rights that organizations already in operation must honor. However, there’s a transition period before enforcement; companies and individuals in Rwanda that process personal data of individuals living in the country have until October 2023 to plan and comply.

Rwanda’s Data Privacy Law is an important step that lays the foundation for a more robust data privacy framework.

Rwanda’s Data Privacy Law requires local and international organizations to process personal data securely. This is extremely important given that the country is experiencing a massive wave of progressive development that gives birth to modern services such as e-commerce and trade.

Rwanda’s Data Privacy Law was enacted after a comprehensive consultation process, during which multiple additions and revisions were received from private companies in Rwanda. Most of the feedback and corrections came from the financial sector, which deals with Rwandan citizens' sensitive personal data.

Article 23 of the Constitution of Rwanda ('the Constitution') guarantees the citizens of Rwanda the right to privacy as a fundamental right. It states as follows:

'The private life, family, home or correspondence of a person shall not be subjected to arbitrary interference; his or her honor and good reputation shall be respected. A person’s home is inviolable. No search of or entry into a home may be carried out without the owner’s consent, except in the circumstances and accordance with procedures determined by law. Confidentiality of correspondence and communication shall not be subject to waiver except in the circumstances and accordance with procedures determined by law.'

The provision quoted above is the constitutional basis of the data protection law.

While the draft did take into account Rwanda’s culture, international best practices such as the GDPR were given significant consideration. In addition, the draft was heavily influenced by the African Union Convention on Cyber Security and Personal Data (Malabo Convention) that stresses the importance of respecting and protecting the rights of individuals both online and offline.

Key Provisions

Let’s look into the key provisions of the law:

Application and Territorial Impact

As per Article 2, Rwanda’s Data Privacy Law applies to data controllers, processors, or third parties that are established or ordinarily resident in Rwanda (not just citizens) and process personal data while in Rwanda. It also applies to those that are neither established nor resident in Rwanda but process personal data of data subjects located in Rwanda.

This means the law’s application isn’t restricted to entities within the country; it also reaches firms operating globally that handle the personal data of Rwandan residents.

A data controller can be a natural person, public or private corporate body, or legal entity that processes personal data and determines the means of their processing.

Regulatory Body

To ensure smooth implementation, the National Cyber Security Authority (NCSA), the supervisory authority as per the law, will soon publish a compliance guide to help data processors and data controllers start the process. Here’s how they plan to implement the law:

  1. Create awareness: NCSA and other stakeholders will conduct sessions to educate the general public and the specific concerned sectors on the requirements for compliance.
  2. Registration of data processors or data controllers: Organizations that process personal data or intend to be data controllers or data processors are required to register with the NCSA. This would allow the regulatory body to identify companies that handle personal data and hold them responsible in case of a data breach or violation of the law.

Data Protection Principles

The law requires data controllers and processors to ensure the fulfillment of the following data protection principles:

  • Personal data to be processed lawfully, fairly, and transparently.
  • Personal data to be collected only for explicit, specified, and legitimate purposes.
  • Personal data to be kept accurate and up-to-date.
  • Personal data to be retained no longer than is necessary for the purposes it is processed.
  • Personal data to be processed in compliance with the rights of data subjects.

Lawful Grounds of Processing

Data controllers must have a lawful basis for the processing of personal data. Where consent is used as a lawful basis of data processing, it is valid only when it is based on the data subject’s free decision after being informed of the consequences of his or her consent. Grounds for data processing are as follows:

  • Data subject’s consent.
  • Performance of a contract.
  • Compliance with a legal obligation.
  • Data subject’s vital interests.
  • Public interest.
  • Performance of public duties of a public entity.
  • Legitimate interests of the data controller.
  • Research purposes, upon authorization by the relevant institution.

Key Responsibilities of Data Controllers and Data Processors

Data controllers and processors have the following key responsibilities:

  • Implement data security measures.
  • Maintain a record of personal data processing operations.
  • Carry out data protection impact assessments where the processing is likely to result in a high risk to data subjects.

Data subjects’ rights

Rwanda’s Data Privacy Law provides control to data subjects over their personal data by providing them the following rights:

  • Right to information.
  • Right to access.
  • Right to object.
  • Right to personal data portability.
  • Right to not be subject to automated decision-making.
  • Right to restriction of processing.
  • Right to erasure.
  • Right to rectification.
  • Right to designate an heir to personal data.
  • Right to representation.

Breach notification

Rwanda’s Data Privacy Law requires data controllers to notify the supervisory authority of a personal data breach within 48 hours of becoming aware of it. Data processors are likewise required to notify the data controller.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, data controllers must communicate the breach to the data subject after becoming aware of it.

Cross Border Data Transfers

Personal data storage outside Rwanda is permitted only if the data controller or the data processor holds a valid registration certificate authorizing him or her to store personal data outside Rwanda. The supervisory authority issues such a certificate.

In addition, the law provides that cross-border data transfers are permitted under one of the following circumstances:

  • Authorization from the supervisory authority after providing proof of appropriate safeguards with respect to the protection of personal data,
  • Where the data subject has provided his/her consent,
  • Where a transfer is necessary for the performance of a contract, on public interest grounds, for the exercise of a legal claim, for the protection of the vital interests of the data subject or of another person, for the legitimate interests of the controller, or for the performance of international instruments ratified by Rwanda.

Failure to comply with the law may result in administrative fines on data controllers, data processors, and third parties.

How Securiti Can Help

The world is witnessing a massive debate concerning the accessibility and transmission of personal data. This has led organizations to become more cyber aware and privacy-conscious of their online and offline processes that deal with users’ data.

As such, organizations have an obligation to secure their consumers' data while adopting automated privacy and security operations for prompt response and action. As user numbers grow tenfold, organizations need to incorporate robotic automation to operationalize compliance without discounting global standards.

While multiple vendors offer software that helps companies comply with global privacy regulations, those solutions are often limited by restrictions or offer only elementary data-driven functions.

Securiti binds reliability, intelligence, and simplicity, working on the PrivacyOps framework to allow end-to-end automation for organizations. Securiti can help you stay compliant with Rwanda’s data protection law and other privacy and security regulations worldwide. See how it works. Request a demo today.
