Obligations of Data Controllers under the Data Protection and Privacy Act

Section 3 of the Data Protection and Privacy Act, 2019 (the Act) sets out the key principles of the data protection regime. These principles shape the obligations of data collectors, data processors and data controllers. Compliance with these fundamental principles is therefore the first step for data collectors, data processors and data controllers in ensuring that they fulfil their obligations under the Act. The following is a brief overview of those obligations:

  1. Register in compliance with the law: Register as a data collector, data processor or data controller and annually renew this registration with the Personal Data Protection Office.
  2. Establish a privacy governance structure: Establish and maintain a comprehensive data protection compliance program which should include:
    1. Designating a Data Protection Officer (DPO) as guided by the Data Protection and Privacy Regulations. Publish the contact details of the DPO as part of the privacy notice/policy/statement.
    2. Training staff involved in personal data processing operations about the Act's requirements and the effect of non-compliance.
    3. Developing an internal-facing Data Protection Policy.
    4. Establishing reporting lines and regular communication between the Data Protection Officer and internal and external stakeholders.
  3. Ensure personal data is processed lawfully: A data controller must have a lawful basis for collecting and processing personal data. Processing is lawful if one of the following applies:
    1. The processing is necessary for:
      1. the proper performance of a contract with the data subject;
      2. national security;
      3. prevention, detection, investigation, prosecution or punishment of an offence or breach of law;
      4. medical purposes;
      5. compliance with a legal obligation to which the data controller is subject.
  4. Further processing/secondary use of personal data collected
    A data controller generally cannot use personal data for a different purpose than the one it originally collected the personal data for, unless the secondary use is compatible with the original purpose.
  5. Obligation to enter into data processing contracts with data processors
    A data controller is required to enter into a contract when engaging a data processor to process personal data on its behalf. The Act further requires the data controller to use only a data processor that provides a guarantee to implement appropriate technical and organizational measures to protect the integrity and confidentiality of the personal data.
  6. Embed Data Protection into operations
    To demonstrate compliance with the Act, a data controller must embed data protection principles into its day-to-day operations by:
    1. Developing and implementing personal data policies on retention and data security breach response and management. This will enable the data controller to immediately notify the Personal Data Protection Office whenever data security breaches occur.
    2. Conducting Data Protection Impact Assessments under certain circumstances, including where the processing is likely to result in a high risk to the rights and freedoms of data subjects.
    3. Implementing technical and organizational measures appropriate to the risk posed by the processing and collection.
  7. Develop and implement policies and procedures to enable data subjects to exercise their data protection rights. These include the following:
    1. Implementing internal policies and procedures to facilitate the exercise of data subjects' rights.
    2. Reviewing and revising privacy notices/policies/statements or disclosures to ensure that they comply with Section 13 of the Act, which requires certain information to be provided to data subjects, and that they clearly communicate the data subject's rights.
  8. Conduct thorough due diligence before transferring personal data outside Uganda – ensure that the destination jurisdiction provides equivalent protection.