Get ready for compliance with Rwanda’s data protection law: why organisations should start now
16 August 2022
by Eustache Ngoga
Two months from now, organisations will have only one year remaining to comply with the provisions of the Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy (the “Data Protection Law”) following its entry into force on 15 October 2021.
Some requirements that organisations should be aware of as they get prepared for full compliance by the end of the Transitional Period are:
- the obligation to register with the supervisory authority as a data controller or data processor for organisations that intend to be data controllers or data processors and who are established and reside in Rwanda;
- the obligation to designate a representative in Rwanda for data controllers or the data processors who are neither established nor reside in Rwanda, but process personal data of data subjects located in Rwanda; and
- the obligation to designate a personal data protection officer.
With regard to the obligation to register as a data controller or a data processor for organisations that are established and reside in Rwanda, the Data Protection Law provides a list of minimum requirements that must be met by the applicant before the supervisory authority can issue the registration certificate for the data controller or data processor.
According to the Data Protection Law, the application for registration as a data controller or data processor must include:
- the identity and the single point of contact of the applicant;
- the identity and address of the applicant’s representative if it has nominated any, a description of personal data to be processed and the category of data subjects;
- whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it operates;
- the purposes of the processing of personal data, the categories of recipients to whom the data controller or the data processor intends to disclose the personal data;
- the country to which the applicant intends to directly or indirectly transfer the personal data; and
- the risks in the processing of personal data and measures to prevent such risks and protect personal data.
It is worth noting that the requirements set forth in the Data Protection Law are considered minimum requirements to be met by applicants for registration as a data controller or data processor. These may be supplemented by additional requirements that may be prescribed under the regulation which may be put in place by the supervisory authority i.e., the National Cyber Security Authority, from time to time.
If the application meets the requirements, a certificate of registration will be issued by the supervisory authority to the applicant within 30 working days from the date of receipt of the registration application.
It should be noted that the Data Protection Law does not prescribe the validity period of the data controller or data processor registration certificate, but has instead delegated such authority to the supervisory authority to prescribe the validity period by way of regulation, which is yet to be put in place.
As to the requirement regarding the obligation to designate a representative in Rwanda for data controllers or data processors who are neither established nor reside in Rwanda, but process personal data of data subjects located in Rwanda, the Data Protection Law provides that the supervisory authority must put in place a regulation governing the designation of such a representative, but such regulation is yet to be put in place.
As such, organisations will have to wait until such regulation is put in place to guide them in terms of compliance with the provisions of the law.
With regard to the designation of a personal data protection officer, the Data Protection Law requires data controllers or data processors to appoint a personal data protection officer in a situation where:
- the processing of personal data is carried out by a public or private corporate body or a legal entity, except courts;
- the core activities of the data controller or the data processor consist of personal data processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
- the core activities of the data controller or the data processor consist of processing on a large scale of special categories of data and personal data of a convict.
The data protection officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices and the ability to fulfil the tasks assigned to him or her and the said officer may be a permanent staff member of the data controller or the data processor, or a person who fulfils the tasks on the basis of a service contract.
Although there is still ample time before the full implementation of the Data Protection Law, organisations should not wait long to start their preparation toward full compliance, as the process is not a one-day journey considering the various challenges that they may face when the law comes into full implementation on 15 October 2023.
It is therefore necessary for organisations to take advantage of the current requirements and register with the supervisory authority and appoint a data protection officer as a starting point in the compliance preparation process. This will help to avoid any situation where they could be subjected to new additional requirements as may be prescribed in the regulation which could be put in place by the supervisory authority and which could be more onerous in terms of compliance with the law.
Organisations should consider seeking advice from professional lawyers to guide them in their journey towards compliance with the Data Protection Law before the end of the Transitional Period on 15 October 2023.