Why personal data protection law was necessary in Rwanda
Sunday, November 07, 2021
Ghislaine Kayigi, Chief Cybersecurity Standards Officer at National Cyber Security Authority.

In October, the law on personal data protection and privacy was gazetted. Among other things, it requires the unambiguous consent of an individual to the collection, storage, and processing of personal data.

Companies and individuals in Rwanda that process personal data of individuals in Rwanda have until October 2023 to comply with the new law.

In the build-up to compliance, The New Times' Collins Mwai spoke to Ghislaine Kayigi, Chief Cybersecurity Standards Officer at National Cyber Security Authority, on the necessity of the law, the process of establishing it and the roadmap to compliance.

Excerpts:

What would you say was the main incentive for the Personal Data Protection and Privacy Law in the local ecosystem?

As digital social and economic services become central to today’s modern way of life, protecting personal data and ensuring privacy of users has become so essential. The law also enhances, within the digital domain, the fundamental right to privacy.

Globally, Data Protection and Privacy legislations have been enacted in the last 5 years - the most predominant of which is the EU General Data Protection Regulation.

Rwanda’s Personal Data Protection and Privacy Law is a significant step in establishing a foundation for a predictable framework that enables local and international firms to securely use personal data – a critical element of modern services, e-commerce and trade – while at the same time ensuring the privacy of the user.  

One of the fundamental tenets of this law is the consent of the user. Article 6 of the law requires that all processors of personal data must first obtain ‘consent of the data subject’ which must be ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes’.

In coming up with the law, how inclusive was the process and consultations made to ensure that there is little resistance during uptake?

In coming up with the law, there were wide consultations held with several stakeholders. The Ministry of ICT and Innovation led the consultative process and brought several key partners to the table.

Several additions and changes were received from the private sector, particularly the financial sector - who are among the users of personal data, and other service providers.

The law also went through several law making iterations, all to bring it in line with international best practices, such as the General Data Protection Regulations and the African Union Convention on Cyber Security and Personal Data (Malabo Convention), while remaining relevant to the Rwandan society.

There were also international consultations with multinational organizations that work in this domain. Several consultative sessions were held with Microsoft and Google among others.  

Organizations, such as these, rely solely on data as the core of their business model and their input and contribution were essential in drafting a business friendly, internationally allied Rwandan Personal Data Protection and Privacy Legislation.

Through the Center for Fourth Industrial Revolution, we received support from international law firms with wide experience in Data Protection and Privacy Legislations. 

We consulted, throughout the process, with Covington, a renowned international law firm, which provided legal advice and ensured benchmarking with global best practices. We also consulted other countries that had already passed similar legislation.

Therefore, we can confidently say that this was a widely-consulted legislation, both locally and internationally and fully aligned with global best practices - this is so essential for establishing and enabling a legal and regulatory framework for a data-driven economy.

In the build-up to October 2023 when all entities and individuals are expected to be compliant, what are the key milestones, activities, and deliverables during the transition period?

The law stipulates that data processors, data controllers and all users of personal data will be required to be fully equipped with all aspects of compliance within 24 months, by October 2023.

To ensure smooth implementation, the National Cyber Security Authority (NCSA), the supervisory authority as per the law, will soon publish a compliance guide to help data processors and data controllers start the process.

The first step will be awareness. NCSA and other stakeholders will conduct sessions to educate the general public but also the specific concerned sectors on the requirements for compliance.

The second important step is registration of data processors or data controllers. Organizations that process personal data are first required to register with NCSA.

According to Article 29, “A person who intends to be a data controller or a data processor must register with the supervisory authority”.

The supervisory authority will receive the application and upon compliance with the registration requirements as stipulated in Article 30, will issue a registration certificate that permits the applicant to process personal data.

The process will be smooth to facilitate efficient registration and subsequent compliance.

Some start-ups and small and medium organizations might require support and assistance to comply. Do you have such provisions?

During the 24-month period towards mandatory compliance, NCSA and other agencies including sector regulators will work together to make sure that by the time the law takes effect, we will provide a compliance guide to help firms work towards compliance.

Since this is a new law, we will work together with all parties to ensure readiness towards the compliance deadline.

We will provide advice and support for any legitimate requests in line with the law.

Based on your agency's consultations during the process, what do you foresee to be the most challenging aspects in the build-up to October 2023?

It is a new law and not everyone is aware of the global trends in this aspect. The general public and individuals may not necessarily understand how the law applies to them and how it comes in to help them. 

That is why much effort will be put in educating the general public and the institutions themselves.

One of the things we expect during the transition period and even after is creating awareness and support in adoption of the law.

Any questions that I should have asked and didn’t?

Can’t think of any. Just to add that passing of the Personal Data Protection and Privacy Law is a key milestone in ensuring protection of personal data and safeguarding privacy of users. It provides a predictable environment that allows data-driven services to operate in our economy and brings Rwanda in line with the global best practices like the General Data Protection Regulations (GDPR). 

These regulations are an important element of a modern data driven economy and will be essential for fostering growth of data driven services like the financial services among others.

NCSA, together with other stakeholders in Government and private sector, will continue to educate the public on the importance of the law and key compliance milestones. This law is vital for a data-driven modern economy and society.