In almost every work or business operations to day, there is undoubtedly bound to be an exchange, recording and use of information/ data belonging to individuals who may have different descriptions such as clients, suppliers, users or employers among others. This information will likely be stored in either physical or digital form and will most likely be used or exploited through the same formats.
Most people are aware of the contribution of their data to the economy, but not everyone knows or can measure this value, which leads many people to lose interest in the value of their personal data. Concerns around data integrity caused the harmonization of a legislative framework around data protection and privacy through the enactment of the Data Protection & privacy Act. While the Act touches on various aspects, one of the compliance requirements it establishes is the requirement for data collectors/ data processors/ data controllers to register with the office of the Personal Data Protection Officer under section 29 of the Act and Regulation 15(1) of the Data Protection & Privacy Regulations.
The Personal Data Protection Office (PDPO), is an independent office under National Information Technology Authority (NITA) operationalized in August 2021 whose mandate is to regulate the collecting and processing of personal data in Uganda.
Registration hereunder entails submitting the “Application for Registration/Renewal of Registration” form to the Office setting out the description of personal data collected or processed by a data collector, data processor or data controller; the purpose for which the personal data is collected or processed; amongst other details as specified in Form 2 of the Data Protection and Privacy Regulations.
Certain Policies should be in place when applying for registration with the PDPO. These include;
- The Organisation’s Information Security Policy.
- The Organisation’s Data Retention Policy.
Upon registration, a data collector, data processor or data controller must submit to the Office an annual compliance report. This should be submitted within 90 days after the end of every financial year. The report should contain a summary of all the complaints received and the status of such complaints, including whether the complaint was resolved or is still pending and all data breaches and the action taken to address such data breaches.
Failure to register/ renew registration amounts to committing an offence and one will be liable, on conviction to a fine or imprisonment not exceeding three months or both.
Where the offence is committed by an Organisation, the Organisation and every officer of the Organisation who knowingly and wilfully authorizes the contraventions commits an offence and is liable, on conviction to the penalty above and the fine specified in the law.
Is regulatory compliance important for your business?
Whereas specific compliance requirements will vary by industry and sector, general regulatory compliance will help to serve the best interests of any Organisation/ business. An organization that achieves regulatory compliance can confidently indicate to its stakeholders that it has met specific standards and is certified by an industry-accepted regulatory body. By following the laws and regulations relevant to its business operations, it can prove its integrity, reliability, and ethics-all of which can engender stakeholder trust and strengthen its competitive position.
Caveat
The contents of this article are intended to convey general information only and not to provide legal advice or opinions. An advocate/ attorney should be contacted for advice on specific factual legal issues.