A Complete Guide on Uganda’s Data Protection and Privacy Act (DPPA)

Published July 6, 2025
Author

Anas Baig

Product Marketing Manager at Securiti

I. Introduction

Uganda’s Data Protection and Privacy Act (DPPA), enacted on 1 March 2019, stands as a cornerstone for safeguarding personal and sensitive data. It specifies the regulations all public and private entities within and outside Uganda must abide by when processing personal data and the rights individuals possess in deciding how their data is to be collected and processed.

This article delineates the key elements of the DPPA, particularly highlighting its scope of application, key defined terms, obligations of organizations, data subject rights, the role of the regulatory body, penalties for non-compliance, and best practices to ensure swift compliance.

II. Who Needs to Comply with the DPPA

A. Material Scope

The DPPA applies to the processing of data by automated or by any other means, including:

  • the organization, modification, or alteration of data;
  • the retrieval, consultation, or utilization of data;
  • disclosure of data through transmission, dissemination, or other means; and
  • alignment, integration, obstruction, deletion, or disposal of data.

B. Personal Scope

The DPPA applies to all individuals, institutions, and public entities collecting, processing, storing, and using personal data within or outside Uganda.

C. Territorial Scope

The DPPA also applies to any person, institution, or public body based outside of Uganda that collects and processes data related to Ugandan citizens.

III. Definitions of Key Terms

1. Authority

This refers to the National Information Technology Authority (NITA).

2. Personal Data

Any information that results in the identification of an individual, recorded in any form, including an individual’s nationality, age, marital status, education level, occupation, personal identification number, and any other information, including opinions about the person, that is or may come into the possession of the data controller.

3. Data Subject

An individual from whom or in respect of whom personal information has been requested, collected, collated, processed, or stored.

4. Data Controller

A person who, either independently, jointly with others, or as a part of a statutory duty decides the purposes for and the manner by which personal data is or will be processed.

5. Data Processor

A person other than an employee of the data controller who processes personal data on behalf of the data controller.

6. Consent

Any voluntary, specific, informed, and clear expression of the data subject’s wishes, indicated through a statement or affirmative action, by which they agree to the collection and processing of their personal data.

7. Recipient

A person who receives data while it is being processed for the data controller or the data processor such as an employee or representative. However, this does not include individuals to whom information is disclosed solely for a specific inquiry under a legal mandate.

8. Third-Party

Any person other than the data subject, data collector, data controller, data processor, or other person who possesses the authority to process data for the data controller or data processor.

IV. Obligations for Organizations Under the DPPA

A. Consent Requirements

Before collecting or processing personal data, it is mandatory to obtain consent from the data subject. However, personal data may also be collected or processed without consent if:

  • Collection or processing is authorized or required by law;
  • It is necessary:
    • For the performance of a public duty by a public body;
    • For national security;
    • For the prevention, detection, prosecution, or punishment of an offence;
  • It is required for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract;
  • It is for medical purposes;
  • It is needed to ensure compliance with a legal requirement to which the data controller is subject.

The data subject has the right to withdraw their consent at any time, and the collection or processing of their data must be halted immediately. However, this right does not extend to data collected or processed on one of the legal bases listed above.

Additionally, as specified in Section 8 of the DPPA, a child’s data cannot be collected or processed without the prior consent of their parent or guardian, or of any individual who has assumed authority over the child, unless the collection or processing is required to comply with a legal obligation or is for research or statistical purposes.

B. Privacy Notice Requirements

Under the DPPA, a person collecting personal data is required to provide the data subject with the following information before commencement of collection:

  1. The nature and category of data being collected;
  2. The name and address of the person undertaking data collection;
  3. The reason for data collection;
  4. Whether the provision of the data by the data subject is discretionary or mandatory;
  5. The consequences that would result if data is not provided;
  6. The particular law that authorizes the collection;
  7. The recipients of the data;
  8. The availability of the rights to access and request rectification of the collected data;
  9. The duration for which the data will be retained to fulfill the purposes of collection.

In the case where data is collected by a third party, the data subject shall be provided with the above-mentioned information before collection commences or as soon as practicable after the collection of the data.

C. Security Requirements

The data controller, data collector, or data processor must safeguard the integrity of personal data in their possession by implementing suitable, reasonable, technical, and organizational measures to prevent any loss, damage, unauthorized destruction, unlawful access, or unauthorized processing of data.

Consequently, the data controller is required to take the following measures:

  1. identify potential risks, both internal and external, to personal data within that person’s possession or control;
  2. implement and maintain suitable safeguards against the identified risks;
  3. consistently verify that the safeguards are effectively implemented; and
  4. ensure that the safeguards regularly evolve to address new risks or deficiencies.

D. Data Breach Requirements

As soon as the data controller, data collector, or data processor discovers that a data subject’s data has been accessed or obtained by an unauthorized person, they must notify the Authority immediately and describe the remedial action they have taken. It is then up to the Authority to decide whether or not the data subject will be informed of the breach.

In cases where the Authority determines the data subject must be informed, the notification should be made through:

  • The last registered email address belonging to the data subject;
  • A mail to the data subject’s last known residential or postal address;
  • A placement in a prominent position on the responsible party’s website;
  • Publication in a mass media outlet.

The aforementioned notification must provide sufficient information about the breach to ensure the data subject can take appropriate protective measures against the potential consequences of the unauthorized data breach.

In cases where the Authority has sufficient reason to believe that publicity would protect the data subjects affected by the breach, the Authority will direct the responsible party to publicize, in a specified manner, the fact that the integrity or confidentiality of their data has been compromised.

E. Data Protection Officer Requirements

The institution must appoint a Data Protection Officer (DPO) as mandated by the Regulations. Particularly, the Regulations dictate that any individual, institution, or public entity engaged in processing or overseeing personal data must assign a DPO if:

  • the activities involve regular and systematic monitoring of data subjects on a large scale due to their nature, scope, or purpose; or
  • the primary activities entail processing special categories of personal data as outlined in the DPPA.

According to the Regulations, a DPO is responsible for the following:

  • carrying out frequent assessments and audits to verify compliance with the DPPA;
  • working in close liaison with the person, institution, or public body and the Personal Data Protection Office (PDPO) to coordinate necessary communication between them;
  • keeping records of all data processing activities conducted by the person, institution, or public body;
  • notifying data subjects about how their data is being used and the measures the person, institution, or public body has implemented to ensure adequate protection of their data;
  • ensuring that data subjects’ requests to receive copies of their personal data, or to have their data deleted, are met.

F. Data Protection Impact Assessment

In the case where the collection or processing of personal data is likely to pose a threat to the data subject’s rights and freedoms, the data controller, data processor, or data collector must carry out an assessment of the impact of the proposed processing operations on the protection of personal data prior to the collection or processing of data.

The Data Protection Impact Assessment (DPIA) must include the following:

  • a coherent description of the anticipated processing and the reasons for the processing;
  • an evaluation of the risks to personal data and the actions to overcome those risks;
  • any other information the PDPO may require.

G. Retention of Records of Personal Data

According to the DPPA, any person who collects personal data can only retain it up until the time that is required to fulfill the purpose for which it was collected, except when:

  • The retention of the data has been authorized by law;
  • The retention of the data serves a lawful purpose associated with a function or activity for which the data was collected or processed;
  • A contract between the parties, subject to the contract, requires the retention of the data;
  • The data subject has agreed to the retention of the data.

However, these aforementioned conditions are not applicable to data retained for:

  • Prevention, detection, investigation, prosecution, or punishment for an offence;
  • The national security purposes;
  • The enforcement of a law that imposes a pecuniary penalty;
  • The enforcement of legislation related to public revenue collection;
  • The conduct of proceedings before a court or tribunal;
  • Historical, statistical, or research purposes.

A person using the data subject’s personal data to make a decision about the data subject will:

  • Retain the data for as long as legally necessary;
  • In case of no legal retention period, retain the data for a period that allows the data subject an opportunity to request access to the data.

Once the retention period expires, the data controller must destroy or delete all records of personal data or de-identify it. The destruction or deletion of the data will be done in a manner that prevents its reconstruction in an intelligible form.

H. Cross-Border Data Transfer Requirements

If a data controller or data processor residing within Uganda wishes to process or store personal data outside of the country, the DPPA does not restrict that, but certain conditions must be fulfilled:

  • The country in which the data will be stored or processed must have adequate security measures in place at least equal to the protection provided for by the DPPA;
  • The data subject must have agreed to the transfer of their data.

V. Data Subject Rights

The DPPA grants the following exercisable rights to individuals relating to their personal data:

A. Right of Access

A data subject has the right to request the following information from the data controller:

  • the reasons for which their personal data was collected;
  • a confirmation as to whether the data controller possesses information about the data subject;
  • the type of personal data the data controller has in possession;
  • disclosure of the identity of a third party who has or has had access to the data.

B. Right to Rectification

The data subject has the right to request the rectification, erasure, blocking, or destruction of their personal data that is inaccurate. Once the data subject has lodged a complaint with the NITA, the NITA must ensure that the data controller takes the necessary steps immediately. Moreover, the data controller must also inform third parties who have previously been given access to the data so that they can also rectify, block, update, or destroy it.

C. Right to Opt-Out of Processing Personal Data

The data subject has the right to opt out of the processing of their personal data, particularly if the processing of that data has the potential to cause significant harm or distress to the data subject. Additionally, the data subject can halt the processing of their personal data for direct marketing purposes. This can be achieved by sending a written notice to the data controller or data processor, to which the data controller or data processor is obligated to respond within 14 days of receipt, highlighting either their intention to comply or the reasons for non-compliance.

D. Right Not to Be Subject to Automated Decision-Making

The data subject also has the right to request that the data controller not rely entirely on automatic means of processing data for decisions that are likely to significantly impact the data subject. This can be done by sending a formal written notice to the controller, to which they are obligated to respond within 21 days of receipt, indicating the steps they have taken to comply with the request.

E. Right to Prevent Processing Of Personal Data For Direct Marketing

The term “direct marketing” includes communication by any means of any advertising or marketing material directed at an individual.

The data subject has the right to provide a written notice to the data controller requiring them to stop processing their personal data for direct marketing purposes.

Once such a request is received, the data controller must inform the data subject about whether they’ve complied with their request or if they plan to within fourteen days. In case they will not comply, they must also provide reasons for the non-compliance within the same period.

If the data controller provides reasons for non-compliance, a copy of their notice to the data subject will be forwarded to the Authority within the fourteen day period. If the Authority determines the data subject’s request to be justified, they may direct the data controller to comply with the request.

The data subject and data controller may enter into an agreement related to processing the data subject’s personal data for direct marketing purposes for pecuniary benefits.

VI. Regulatory Authority

The National Information Technology Authority - Uganda (NITA) has been appointed as the data protection authority. It is responsible for maintaining the Data Protection Register (Register) and for recording and listing every institution, person, or public body that collects or processes personal data.

The Personal Data Protection Office (PDPO), headed by the National Personal Data Protection Director, operates as an independent office under the NITA. It not only oversees the implementation of the DPPA but also ensures all the relevant parties abide by the rules and regulations stated within it.

The Authority, i.e., the NITA, is authorized to keep and maintain a Register comprising details of every person, institution, or public entity that is collecting or processing personal data and the reasons for which the data is collected or processed. The data controller, data processor, or data collector is required to register themselves through a formal application. Moreover, the Authority may grant the public access to the Register for inspection.

Additionally, the NITA is responsible for the following:

  • ensuring every entity collecting or processing personal data complies with the rules of data protection specified in the DPPA;
  • providing timely responses to data breaches and deciding whether or not to inform the data subject about the breach;
  • maintaining the Register to document entities collecting or processing personal data along with the purpose of collecting such data;
  • allowing public access to the Register for inspection;
  • inquiring into and addressing any complaints related to data protection and privacy.

VII. Penalties for Non-Compliance

The DPPA sets out the following punishable offences:

  • unlawful acquisition or disclosure of personal data;
  • unlawful destruction, erasure, concealment, or modification of personal data; and
  • sale of personal data.

Any person who engages in the above-stated activities is liable to imprisonment for a maximum period of 10 years, payment of a fine not greater than 240 currency points, or both. In case the offense has been committed by a corporation, then 2% of the corporation’s gross income must be paid as a fine.

VIII. How Can an Organization Operationalize the DPPA

Organizations can operationalize Uganda’s Data Protection and Privacy Act (DPPA) by:

  • establishing a regulatory authority tasked with enforcing the DPPA;
  • developing guidelines and standards for compliance;
  • conducting public awareness campaigns;
  • providing training to organizations on data protection principles;
  • ensuring adequate resources for implementation and enforcement;
  • creating mechanisms for reporting and investigating data breaches and violations.

IX. How Securiti Can Help

Securiti empowers organizations to effortlessly adhere to Uganda’s Data Protection and Privacy Act 2019 with its AI-driven data discovery, DSR automation, universal consent management, documented accountability, autonomous data breach management, and cookie consent management solution.

Delve into the capabilities of our all-encompassing Data Command Center, which enables compliance with various sections of the DPPA and supports enterprises on their path to align with the DPPA through automation, enhanced data visibility, and identity linking.

Request a demo to learn more.
