Businesses must protect consumers’ data - Alibateesa

Ms Stella Alibateesa, the national director at the Data Protection Office. PHOTO/RACHEL MABALA

What you need to know:

  • Personal data has become integral to the global digital economy and a necessary input for reaping the benefits of digitalisation. However, there are emerging risks.
  • Prosper Magazine’s Paul Murungi caught up with Ms Stella Alibateesa, the national director at The Data Protection Office, to shed light on what legal safeguards are in place for businesses and institutions to access and protect personal data trust.

Tell us about the new data protection solution being developed and how it will work.    
The solution will provide a convenient platform through which all persons, private institutions and public bodies collecting and processing individuals’ personal information will be required to register with the Personal Data Protection Office as required by law.

These institutions are also expected to be compliant in reporting data security breaches that involve accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in their custody. 

Organisations and businesses that capture, store, share and analyse consumer data are expected to have greater legal obligation to protect consumers’ data.
Our office will conduct compliance audits in high risk organisations such as health, telecoms, finance, and government bodies that collect a lot of personal data.

We will start with detailed compliance audits for those companies that we feel are high risk, and annually, we shall have to make organisations conduct self-audits. 

Companies and organisations found in breach will have to pay up to 2 per cent of the institutions’ annual gross turnover as fine levy. 

The solution will also enable individuals to submit complaints regarding misuse of their personal data or on general violations of the Data Protection and Privacy Act.

Is this aimed at making organisations become more responsible in handling clients’ personal information?
Yes, it is. We are implementing the provisions of the Data Protection and Privacy Act, 2019. It imposes responsibilities on everyone who collects and processes personal data.

What are the implications in case of a personal data security breach by an organisation?
A personal data security breach can have a number of consequences such as loss of control over personal data, identity theft or fraud, damage to reputation, or loss of confidentiality of personal data.

Therefore, an organisation that experiences a data security breach is required by the Data Protection and Privacy Act to immediately notify its occurrence to the Personal Data Protection Office for appropriate guidance on how to deal with the breach.

More organisations are collecting personal data from individuals without their knowledge for marketing purposes.

How is the Personal Data Protection Office dealing with such scenarios?
The Personal Data Protection Office is empowered by the Data Protection and Privacy Act to investigate complaints related to misuse of individuals’ personal data for marketing purposes without their consent.

Where such organisations are found to be in violation of the law, they are fined for each day that contravention continues or officers of the organisation that allowed such violation to happen are imprisoned for six months or both.

What about multinational companies offering services but with no physical addresses in Uganda? How do you make them liable in case of data breach?
We intend to cooperate with the data protection regulators in the countries of origin where the organisation is located for enforcement purposes since such a local regulator is entitled to directly enforce data protection and privacy within its territory pursuant to its own legal framework.

We also have a wide network through collaborations at regional and international level that can facilitate and foster cooperation between data protection and privacy regulators. These include the African Network of Data Protection Authorities at the continental level and the Global Privacy Enforcement Network at an international level.

Why did you collaborate with the UN Capital Development Fund (UNCDF) in implementing the Data Protection and Privacy Act, 2019?
Our collaboration with UNCDF is to create an enabling environment to oversee the implementation of the Data Protection and Privacy Act, 2019. 

When you look at the mission of UNCDF, you note that their work in advocating for digital services has the potential to reach many underserved persons who are many and unlikely to be aware of their rights as individuals whose personal information is collected and processed. 

It is therefore not unexpected that UNCDF would collaborate with us to support the implementation of the Act.

So far, is there any difference made by the Data Protection and Privacy Act to the data protection landscape since it was enacted?
The Act has established a comprehensive data protection regulatory framework for all sectors collecting and processing personal data in Uganda.

To that end, we have received requests from both small, medium and large organisations seeking to be guided on how they can start on their compliance journey with the Act.
We have also received requests from individuals seeking guidance on how they can exercise their rights in relation to information collected from them by various public and private organisations. 

How should companies prepare for a data breach?
A company’s first step to have effective preparation is understanding and having an accurate picture of what personal data the organisation has through data mapping and inventory.

After establishing which personal data is in such company’s custody, it will be imperative to implement appropriate technical and operational security measures, proportionate to the risk facing such data. 

These measures include a breach response plan that will detail a strategy for dealing with any breaches such a company may experience. This plan will include steps that will be undertaken to immediately notify the Personal Data Protection Office, contain the breach(es), and initiate an investigation of its scope and origins.

What does the future look like for data protection? 
The landscape is changing. We plan to implement collaborative regulatory frameworks that will enable various regulators to work as one to reduce the regulatory burden to anyone within the purview of the Data Protection and Privacy Act. 

As more people and companies exercise their rights in a digital economy, we need to develop more tools that can enable automation of data protection and privacy compliance, such as enabling data subjects to exercise their rights, data security breach reporting and handling of complaints. This will make it easy for organisations to comply with the law.
We also have Data Protection Authority networks developing in Africa.

These networks will enable collaboration between data protection and privacy regulators, a common approach to data.