Rwanda Data Protection Law (Law No. 058/2021)

Rwanda - Data Protection Law.

David Tubananayo

2/4/2022

The Rwanda Data Protection Law (Law No. 058/2021), recently passed by the Rwandan government, went into force on July 28th, 2021. The purpose of this law is to safeguard the personal information of Rwandan residents and to ensure that businesses are held liable for any data breaches or improper handling of personal information. In this blog post, we examine the law's specifics and its implications for companies doing business in Rwanda.

Law's Purpose

Anyone who gathers, uses, or maintains personal information in Rwanda is subject to the Rwanda Data Protection Law. This covers both governmental and commercial enterprises, as well as international businesses operating in the country.

Key Components of the Law

Organizations must abide by a number of essential provisions of the Rwanda Data Protection Law in order to secure the personal information of Rwandan citizens. These consist of:

  • Data Protection Officer: Companies that handle personal data are required to designate a data protection officer (DPO) to monitor data protection initiatives and guarantee legal observance.

  • Data Protection Impact Assessment (DPIA): Before processing any personal data, organizations are required to perform a data protection impact assessment (DPIA). Any potential threats to the rights and freedoms of the data subject should be identified and assessed in this evaluation.

  • Consent: Before collecting, processing, or keeping a data subject's personal information, organizations must get that person's express consent. This consent shall be precise, informed, and given voluntarily.

  • Notification regarding a Data Breach: A data breach affecting personal data must be reported to the Rwanda Information Society Authority (RISA) within 72 hours of being discovered. Additionally, notice must be given to affected data subjects without excessive delay.

  • Cross-Border Data Transfers: Data transfers across international borders are only permitted if the target country offers an appropriate level of data protection or if the organization has put in place the necessary security measures.

Penalties for Failure to Comply

A violation of the Rwanda Data Protection Law can result in severe consequences for organizations. Fines of up to RWF 5 million (about $5000), whichever is higher, are among the sanctions. In addition, anyone can sue the organization for compensation if they sustain harm as a result of non-compliance.

What This Means for Rwandan Businesses

To avoid severe fines, companies doing business in Rwanda must make sure they adhere to the country's data protection laws. This entails appointing a DPO, conducting DPIAs, getting express consent before processing personal data, and putting in place suitable security measures for cross-border data transfers. Organizations should also train employees in data protection best practices and have a plan in place for handling data breaches.

The Rwanda Data Protection Law is an important milestone in safeguarding the personal data of Rwandan citizens and making sure that businesses are held responsible for any improper handling of this data. Businesses can gain customers' trust and show their dedication to protecting personal data by complying with the law.