The National Cyber Security Authority (NCSA) presented Rwanda Social Security Board (RSSB) with Data Controller certification, following the institution’s full compliance with registration requirements.
The handover ceremony took place at the Data Protection and Privacy Office on Thursday, August 24.
Rwanda passed the Personal Data Protection and Privacy Law on October 15, 2021, which introduced a two-year transitional period for businesses and organisations to have ample time to adjust their operations to comply with the legal framework before the ultimate deadline of October 15, 2023.
In the quest to uphold the provisions of the Personal Data Protection and Privacy Law, RSSB has demonstrated their commitment to safeguarding the personal information of members who rely on their services.
According to Regis Rugemashuro, CEO of RSSB, the certificate signifies that the institution has achieved a higher level of trustworthiness, ensuring the safeguarding of Rwandans' data in compliance with international standards.
"While we have successfully obtained this certification, our journey is just beginning, especially considering the continuous growth in data volume. Strengthening data protection remains a top priority for us,” he said. "We are committed to enhancing our capabilities, backed by skills, expertise, and determination. Rwandans can rest assured that their data is secure as we collaborate closely with relevant authorities."
Rugemashuro emphasised the critical nature of the information RSSB handles and highlighted their rigorous efforts to eliminate any margin for error.
He further pointed out that RSSB beneficiaries also bear a responsibility in safeguarding their personal data, as the process commences with their active involvement.
Eraste Rurangwa, the Data Protection Officer at NCSA, explained the procedure for obtaining Data Controller and Data Processor registration certificates.
He said the institutions initiate the process by submitting a registration form, expressing their intent to be recognised as a Data Controller or Data Processor or both. During this registration, institutions are required to detail the nature of the data they oversee, specify the legal justifications for such data handling, and outline their protective measures.
"These measures are crucial in preventing unauthorised access to personal data and sensitive data, which could jeopardise the trust of data owners who rely on the institution to safeguard their information,” he said.
Rurangwa further emphasized that obtaining a registration certificate is a key step in complying with the Personal Data Protection and Privacy Law. He also cautioned that institutions failing to comply by October 15 2023 will face legal consequences.
He urged both public and private institutions to actively engage in the certification process, adding that NCSA provides guidance and support on how institutions can register and enhance the security of their clients' data, further underlining their commitment to data protection advocacy.
For further information on Data Controller or Data Processor registration, visit www.dpo.gov.rw.