Navigating Rwandas New Data Protection Law

As the laws October 2023 transition deadline approaches, its critical for organizations doing business in Rwanda to understand its requirements and implications.

Data protection and privacy laws can enable legal safety for citizens personal information, prevent unauthorized use of personal data, and establish accountability for organizations that handle sensitive information.
Therefore, on Oct. 15, 2021, the Rwandan government enacted a
personal data and privacy protection law
. This law applies to individuals and established institutions within or outside Rwanda that process the personal data of individuals living in Rwanda. One of the laws primary goals is to grant individuals the authority to control their personal information. Another goal is to support the reliable and protected movement of data within Rwanda and across its borders.
Some of the laws key provisions are:
Article 48 bars data being transferred to third parties unless they are authorized by the
National Cyber Security Authority
(NCSA).
Article 50 requires all personal data to be stored in Rwanda except for registered entities with NCSA-issued certificates to store data abroad.
Article 17 mandates data controllers and processors to keep a record of personal data-processing activities and submit the data to NCSA upon request.
Article 38(3) requires controllers and processors to provide data protection impact assessments (
DPIAs
) when processing poses a high risk to individuals rights.
Article 43 mandates a data processor to inform the data controller of a data breach within 48 hours of discovery. It also requires a data controller to notify NCSA within 48 hours of becoming aware of a breach. The data controller must inform the subject of the data breach, unless the breach is communicated to the public.
Article 9 requires a parent or guardians consent before the personal data of a child under 16 can be processed. It also states that consent is acceptable only if its in the childs interest. However, consent is not required if processing the data is important to the childs welfare.
Article 8 grants data subjects the right to revoke consent at any time.
Articles 29–31 require that anyone who intends to process data must register with the NCSA and be granted a data protection and privacy (DPP) certificate.
The Rwandan government gave a two-year transition period to allow individuals and organizations to align their data processing activities with the law. This transition period will end on Oct. 15, 2023.
If an individual or organization fails to register and comply with this law by the deadline, the NCSA is authorized to enforce the following sanctions:
Individuals or organizations that operate without a DPP certificate: A fine between RWF 2 million (US$1,700) and RWF 5 million (US$4,250) or an amount equal to one percent of the entitys total revenue from the previous fiscal year.
Individuals, organizations, data controllers, or data processors that operate without a DPP certificate may be fined between RWF 2 million (US$1,700) and RWF 5 million (US$4,250) or an amount equal to one percent of the entitys total revenue from the previous fiscal year.
Data processors and controllers can also be fined if they operate with an expired DPP certificate.
This law makes Rwanda the 35th African country to have a data policy law and the 30th to have a data protection authority to enforce it.
The law is expected to help
boost consumer confidence
in Rwanda. When people trust that their data is handled responsibly, they are more likely to engage with online services and share their information. This drives economic growth and innovation in the country.
Furthermore, stringent data privacy laws can facilitate international trade and data sharing. This is because countries with robust data protection laws are often deemed safe for cross-border data transfers, a requirement in todays globalized economy.
Above all, Rwandas appointment of a data protection authority, NCSA, to oversee and enforce its data privacy and protection law is projected to help reduce the frequency and impact of data breaches in the country. Hopefully, this law also makes Rwanda a positive example for other African nations to adopt similar regulations and enhance data protection within their borders.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Navigating Rwandas New Data Protection Law