Entities — public, private, NGOs and others — that deal with personal data have two months to adjust their data privacy policies and seek licenses as a new law comes into force to check breach cases and cyber crimes.

All data controllers and processors in Rwanda are also required to store data in the country under the law enacted in October 2021, but whose  enforcement was delayed by two years to allow concerned entities to prepare.

The transitional period ends this year on October 15.

The enforcement is expected to bring about changes across the board as entities are obliged to seek consent prior to processing personal data, and to constantly report data breach incidents.

Despite deepening digitilisation of services in key sectors of Rwanda’s economy, consent has not been a requirement prior to personal data collection, processing or storage.

Most companies barely indicate to users of their services what to expect when it comes to management of personal data they collect, including aspects like sharing, disclosure and transfer.

In one case in 2017, for instance, a local telecommunication company with footprint on the continent was handed a hefty fine ($8.5 million) by the industry regulator after it emerged that the former was hosting its IT services outside the country. 

There have been growing concerns that foreign firms that entered sectors such as banking, insurance, telcom and betting could transfer users’ personal data to their subsidiaries abroad, if unchecked.

Compliance

“One of the tenets of this law is the clear and unambiguous consent of an individual to the collection, storage, and processing of personal data, which is a fundamental right. The law now brings Rwanda in line with international data protection standards, vital for the modern digital economy facilitating services such as e-commerce, international financial transactions, and various online services,” said Rwanda’s ministry of ICT and Innovation.

According to the ministry, the law does not only apply to entities established or residing in Rwanda, but also individuals and institutions established or residing outside of Rwanda, that process the personal data of individuals in Rwanda.

Government recently passed Artificial Intelligence (AI) policy as part of the drive to spur the adoption of technology for improved service delivery.

Also read: Rwanda’s incoming digital IDs: What you need to know

Industry players have indicated that the development, coupled with impending data governance frameworks could help maximize the socio-economic benefits of these emerging technologies as they heavily rely on massive amounts of data.

The law designated the newly created National Cyber Security Authority (NCSA) as the supervisory authority charged with enforcement of its provisions. The agency’s other primary roles include securing Rwanda’s cyberspace and defending against growing cyber threats.

Non-compliance with data privacy rules could attract hefty penalties including a fine of up to one per cent of entity’s annual turnover.

As data privacy law takes effect in October, Rwanda joins other African countries to enforce such legislations. The country ratified African Union’s Convention on Cyber Security and Personal Data Protection also known as Malabo Convention which came into effect this year after garnering required threshold of ratifications by member States nine years since its adoption.

Under the instrument, AU member countries committed to establish a legal framework aimed at strengthening fundamental rights and public freedoms, particularly protection of physical data, and punish any violation of privacy without prejudice.

Also read: Sovereign data control could boost Africa’s ‘gig economy’