Data protection and privacy laws can enable legal safety for citizens’ personal information, prevent unauthorized use of personal data, and establish accountability for organizations that handle sensitive information.

Therefore, on Oct. 15, 2021, the Rwandan government enacted a personal data and privacy protection law. This law applies to individuals and established institutions within or outside Rwanda that process the personal data of individuals living in Rwanda. One of the law’s primary goals is to grant individuals the authority to control their personal information. Another goal is to support the reliable and protected movement of data within Rwanda and across its borders.

Some of the law’s key provisions are:

• Article 48 bars data being transferred to third parties unless they are authorized by the National Cyber Security Authority (NCSA).
• Article 50 requires all personal data to be stored in Rwanda except for registered entities with NCSA-issued certificates to store data abroad.
• Article 17 mandates data controllers and processors to keep a record of personal data-processing activities and submit the data to NCSA upon request.
• Article 38(3) requires controllers and processors to provide data protection impact assessments (DPIAs) when processing poses a high risk to individuals’ rights.
• Article 43 mandates a data processor to inform the data controller of a data breach within 48 hours of discovery. It also requires a data controller to notify NCSA within 48 hours of becoming aware of a breach. The data controller must inform the subject of the data breach, unless the breach is communicated to the public.
• Article 9 requires a parent or guardian’s consent before the personal data of a child under 16 can be processed. It also states that consent is acceptable only if it’s in the child’s interest. However, consent is not required if processing the data is important to the child’s welfare.
• Article 8 grants data subjects the right to revoke consent at any time.
• Articles 29–31 require that anyone who intends to process data must register with the NCSA and be granted a data protection and privacy (DPP) certificate.

Consequences of Noncompliance

The Rwandan government gave a two-year transition period to allow individuals and organizations to align their data processing activities with the law. This transition period will end on Oct. 15, 2023.

If an individual or organization fails to register and comply with this law by the deadline, the NCSA is authorized to enforce the following sanctions:

• Individuals or organizations that operate without a DPP certificate: A fine between RWF 2 million (US$1,700) and RWF 5 million (US$4,250) or an amount equal to one percent of the entity’s total revenue from the previous fiscal year.
• Individuals, organizations, data controllers, or data processors that operate without a DPP certificate may be fined between RWF 2 million (US$1,700) and RWF 5 million (US$4,250) or an amount equal to one percent of the entity’s total revenue from the previous fiscal year.
• Data processors and controllers can also be fined if they operate with an expired DPP certificate.

Impact on Rwandans and Africa

This law makes Rwanda the 35th African country to have a data policy law and the 30th to have a data protection authority to enforce it.

The law is expected to help boost consumer confidence in Rwanda. When people trust that their data is handled responsibly, they are more likely to engage with online services and share their information. This drives economic growth and innovation in the country.

Furthermore, stringent data privacy laws can facilitate international trade and data sharing. This is because countries with robust data protection laws are often deemed safe for cross-border data transfers, a requirement in today’s globalized economy.

Above all, Rwanda’s appointment of a data protection authority, NCSA, to oversee and enforce its data privacy and protection law is projected to help reduce the frequency and impact of data breaches in the country. Hopefully, this law also makes Rwanda a positive example for other African nations to adopt similar regulations and enhance data protection within their borders.