Last week, Rwanda joined seven other Digital Cooperation Organization (DCO) member states to push for developed privacy and user terms that protect user data and ensure that data use aligns with informed user consent.
The appeal to global technology companies and governments was described as an ‘urgent call’ especially with numbers showing that almost half of global data breaches involved personal user data.
Several privacy standards issues to be addressed, including ensuring that data is used in line with the informed user consent, is not transferred to third parties that breach member state privacy regulations, and enables users to migrate or remove their data from platforms were identified.
The call came a few months after Rwanda enacted a data protection law that stipulates that data processors, data controllers and all users of personal data will be required to be fully equipped with all aspects of compliance within 24 months, by October 2023.
Speaking to The New Times in an exclusive interview, Minister of ICT and Innovation Paula Ingabire spoke out on some of the highlights that could plug the gap in protecting users from the misuse of personal information.
Sanctions now applicable
According to Minister Ingabire the data protection and privacy law empowers individuals with rights that are protected under the law, such as consent, right to erasure, etc, a practice that she said, didn’t exist before in Rwanda’s jurisdiction.
"On the other hand, it imposes requirements on those that process data, to ensure it is done in a secure manner, and when it is not, sanctions can be enforced, which wasn’t the case before.”
Ingabire maintained that the law fundamentally changes the way data is protected- from collection, processing to destruction - throughout the entire data life cycle.
"First, it legally mandates organizations to put in place technical and organizational measures to ensure protection - technical measures here include encryption, secure storage in-country, pseudo-anonymisation, while organisational measures include internal protection and privacy policies, trainings and other processing procedures.”
Consequently, she pointed out, by conforming to the law there is a mandatory legal requirement which enforces security behavior, for instance, mandatory reporting of data breaches.
"Besides provisions that mandate protection, the law also offers benefits to complying organizations - trust is established once data subjects understand how they data is protected and used.”
Major milestone
Rwanda’s DPP law establishes a predictable, globally accepted benchmark of protecting personal data- a vital ingredient in data enabled economy.
"DPP law is a major milestone in realizing a modern, data enabled economy,” she added.
Meanwhile, Ingabire highlighted that data protection extends to enhance cyber security, which is already a regulated requirement for risk management by bodies such as the Central Bank, among others.
"Hence, financial institutions that comply with DPP law will find it easy to meet other Cybersecurity regulatory requirements by sector specific regulators.”