It is now almost two years since Law No. 058/2021 of October 13, 2021, on the protection of personal data and privacy (the "Data Protection Act" or "DPA" or "DPP") came into force, subject to a grace period of two years. This period ends on 15 October 2023, leaving only four days to comply. The DPA sets out a comprehensive and far-reaching framework for the protection of personal data, and it applies to all organisations that collect or process personal data in Rwanda. This is especially important for organisations that conduct business in Rwanda and process the personal information of Rwandans, which face significant fines if found to be non-compliant.

Organisations that collect or process personal data in Rwanda should take note of the following requirements and practical steps in order to comply with the law:

  • Registering as a data controller or data processor with the National Cyber Security Authority (NCSA)
  • Designating a data protection officer (DPO)
  • Implementing a privacy policy
  • Conducting a Data Protection Impact Assessment (DPIA)
  • Meeting all other requirements as may be prescribed by the NCSA

Organisations can avoid severe penalties by ensuring full compliance with the DPA. Instances of non-compliance include:

  • Failure to designate a personal data protection officer
  • Failure to register as a data controller or data processor or operating without a registration certificate
  • Failure to maintain records of processed personal data
  • Failure to notify a personal data breach

These instances of non-compliance can result in an administrative fine of no less than RWF 2,000,000 (approximately USD 2,000) but not more than RWF 5,000,000 (approximately USD 5,000) or 1% of the global turnover of the preceding financial year.

In addition to financial penalties, non-compliance can result in reputational damage and lead to a loss of customer trust.

With the deadline looming, it is crucial that businesses take meaningful steps to comply with the requirements of the Data Protection Act. Organisations should consider seeking legal advice to guide them towards full compliance with the DPA before the grace period ends on 15 October 2023.

Reviewed by Eustache Ngoga, an Executive in Rwanda.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.