Hidden costs of privacy violations

Workers at a plant control room at Raxio Data Centre. PHOTO BY STEPHEN OTAGE

The right to privacy was recognised and protected in Uganda as early as 1995 when the country ratified the International Convention on Civil and Political Rights (ICCPR).

The ICCPR mandated Uganda to enact laws prohibiting unlawful interference with a person's privacy, family, home, or correspondence. The right to privacy is further enshrined under Article 27 of the Constitution. However, implementation of the ICCPR’s requirements was delayed by the absence of a statutory or institutional framework for enforcing the right to privacy.

Internationally, the European Union (EU) set the pace for protecting an individual’s right to privacy. In 2018, the EU issued the General Data Protection Regulation (GDPR) to protect the personal information of EU citizens and residents wherever it is collected or processed.

The GDPR defines the rights and obligations for data privacy and sets out penalties for breaches, which can be as high as 20 million euros or 4 percent of an entity’s total global turnover for the preceding fiscal year, whichever is higher.

In 2019, Uganda passed the Data Protection and Privacy Act, followed by the Regulations in 2021. The Act mirrors the principles under the GDPR. It outlines the rights of data subjects and imposes several obligations on those who collect personal data to ensure its privacy. The Act also sets out fines and penalties for data privacy breaches, including a fine of up to 2 percent of an entity’s gross annual turnover.

The Act established the Personal Data Protection Office (PDPO), which is mandated to implement the Act. It also sets out several compliance obligations for data collectors, controllers, and processors to protect the personal data they handle. 

Organisations are expected to implement measures to comply with the Act, including ensuring that third parties are also compliant.

The surge in digitisation has led to an increase in the personal information accessed over the internet. To protect this information from unlawful access and use, all stakeholders involved in handling this information must collaborate to prevent and mitigate privacy breaches and their consequences.

Here are the key actions that all stakeholders, including data subjects, should undertake to protect the privacy of personal data.

Data subjects should understand and protect their privacy rights.
The primary responsibility to protect personal data from unauthorised access and use lies with the person whose data is collected, processed or controlled (“data subject”). This responsibility arises because the data subject can withhold or disclose their information.

The main legal justification for accessing any person’s information is the person’s consent or the consent of their guardian in the case of minors. This consent remains valid until it is withdrawn. Once withdrawn, the right to collect, process or control the information ceases, unless there is another legal basis to continue these activities. 

Other legal justifications for collecting personal data include legitimate business interests, medical reasons, and compliance with the law. Therefore, data subjects need to read privacy notices to understand the purpose of data collection. They should only consent to the collection if they are satisfied that it is necessary and that their right to privacy will be effectively protected. 

The awareness, curiosity, and assertiveness of data subjects, particularly at the point of data collection, are beneficial. They are a reminder to data collectors to follow the correct procedures and have proper mechanisms in place for collecting, processing, and controlling information. Proper procedures include disclosing the type of data to be collected, the purpose of its collection, where and for how long it will be kept, and the data subject’s rights in relation to the data collected. 

Collectors, processors and controllers should understand and monitor their stakeholders’ compliance with the law.
As businesses grow, it is inevitable that they work and share information with third parties, such as advisors, service providers, and regulators. The information shared may include personal data relating to employees, clients, visitors, and service providers. 

To manage the risk of privacy breaches, entities must continuously assess these third parties to ensure that they have compliance mechanisms in place, such as data protection policies, registration with the PDPO, and a designated Data Protection Officer (DPO). Where gaps are identified, it is prudent to require that they are addressed before granting them access to any personal data. 

Additionally, businesses should document the privacy obligations in contracts and require ongoing compliance with the law. Such contracts should include a provision for indemnity for breaches resulting from the third parties’ failure to comply with their data protection obligations.

Building internal capacity to enable compliance with the law
The obligations imposed by the Act may require entities to adjust their data handling processes. One such obligation is the appointment of a DPO, who is responsible for ensuring compliance with the law. While this role may be assigned to an existing employee, it is crucial to recognise the magnitude of the DPO’s duties and ensure that the designated person is well-positioned and supported to fulfill their mandate. If necessary, the DPO should be backed by a suitably skilled team to discharge the duties of this office.

Additionally, the team responsible for an entity’s compliance should develop and implement a comprehensive data protection programme, including clear policies and procedures that govern the entire data management lifecycle. This team should also conduct regular training for the entity’s staff and stakeholders to promote awareness and ensure compliance with the law. 

Report and respond to complaints
The Act encourages amicable settlement of complaints between the data subject and the data collector, processor, or controller. Complaints may be settled internally, thereby reducing the number of cases reported to the PDPO. Therefore, it is important to establish a clear system for receiving, investigating, and responding to complaints related to personal data breaches.

In conclusion, the risk of fines, imprisonment, and reputational damage due to violations of data privacy rights is preventable. All data collectors, processors and controllers should consider investing in mechanisms and tools to identify and close gaps in their data protection programmes.

Hilda Kamugisha is a manager in the legal business solutions practice at PwC Uganda.