Uganda Data Protection and Privacy Act 2019

Data protection principles are provided for under Part II of the DPPA, which sets out the duties and responsibilities that a person or entity holding data shall comply with. Specifically, the DPPA provides that a person holding data, including a data collector, processor or controller or any other person who collects, processes, holds or uses data, shall follow the set principles. The principles of data protection include:

  • Accountability to the data subject.
  • Fairness and lawfulness.
  • Adequacy and relevance of data.
  • Use of data as authorized by law.
  • Ensuring quality of information collected, processed or held.
  • Transparency and participation of data subject.
  • Ensuring safety and security of the data.

The Trust Challenge

Key obligations and consequences

Applicability: This Act applies to a person, institution or public body:

  • collecting, processing, holding or using personal data within Uganda; or
  • outside Uganda, who collects, processes, holds or uses personal data relating to Ugandan citizens.

Every data collector, data processor or data controller is required to register with the Personal Data Protection Office as stipulated by Regulation 15 (1) of the Data Protection and Privacy Regulations.

Section 29 (2) of the Data Protection and Privacy Act mandates the Personal Data Protection Office (the Office/PDPO) to record in the data protection register every person, institution or public body collecting or processing personal data, together with the purpose for which the personal data is collected or processed. The registration is valid for one year, and the person or institution shall apply for renewal within three months before the date of expiry of the registration.

A person who fails to register, or to renew the registration, commits an offence and is liable on conviction to a fine or to imprisonment not exceeding three months, or both.

The Trust Challenge

Key Challenges in brief:

Consent Requirement

A person should not collect or process personal data without the prior consent of the data subject unless the collection or processing is authorized or required by law; for the proper performance of a public duty by a public body; for national security; for the prevention, detection, investigation, prosecution or punishment of an offence or breach of law; for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; for medical purposes; or for compliance with a legal obligation to which the data controller is subject.

A person should not collect or process personal data relating to a child unless the collection or processing is carried out with the prior consent of the parent or guardian or any other person having authority to make decisions on behalf of the child, and it is necessary to comply with the law or is for research or statistical purposes.

Data Subject Rights

Under the Act, data subjects have the following rights:

  • Right to access personal information held by the data controller after providing proof of identity.
  • Right to prevent processing of personal data which causes or is likely to cause unwarranted substantial damage or distress to the data subject by notice in writing to the data controller or processor.
  • Right to prevent processing of personal data for purposes of direct marketing.
  • Rights in relation to automated decision-taking.
  • Right to make a complaint to the Authority where he or she believes that a data collector or processor or controller is infringing upon his or her right or violating provisions of the Act.

Data Protection Impact Assessment

Where the collection or processing of personal data poses a high risk to the rights and freedoms of natural persons, the data collector, data processor or data controller shall, prior to the collection or processing, carry out an assessment of the impact of the envisaged collection or processing operations on the protection of personal data.

Every data protection impact assessment shall include:

  • A systematic description of the envisaged processing and the purposes of the processing.
  • An assessment of the risks to personal data and the measures to address the risk.
  • Any other matter the office may require.

Where the Authority determines that the data collector, data processor or data controller should notify the data subject, the notification shall be made by:

  • Registered mail to the data subject’s last known residential or postal address.
  • Electronic mail to the data subject’s last known electronic mail address.
  • Placement in a prominent position on the website of the responsible party.
  • Publication in the mass media.

The notification shall contain sufficient information relating to the breach to allow the data subject to take protective measures against the consequences of unauthorized access to or acquisition of the data.

Outgoing transfer of personal data is permissible under the DPPA only in a limited number of circumstances. Therefore, the data flow (outgoing personal and sensitive data) ought to be monitored appropriately.

Win-Win Situation

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire “data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or between business and IT teams, and it is challenging to get a full picture of the data going out of the organization and the data coming into it, especially when data is shared with third parties, vendors, business partners and others. TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing” so that you can take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets for excess data, including personal data, using machine learning. This can eliminate operational inefficiencies and save cost by removing unwanted data, along with the legal cost of holding it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating that the deletion took place.

Enable data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.
