- Establish a privacy governance structure, including designation of a data protection officer, as guided by the Regulations.
- Ensure personal data is processed lawfully and fairly.
- When intending to further process personal data, data controllers must first verify whether such intended processing is compatible with the purpose for which the personal data was originally collected.
- Data controllers should only use a data processor that provides a guarantee to implement appropriate technical and organisational measures to protect the integrity of the personal data.
- Embed data protection principles into the data controller’s operations.
- Develop and implement policies and procedures to enable data subjects exercise their data protection rights.
- A data controller shall notify data security breaches to the Personal Data Protection Office immediately after becoming aware of it.
- Any transfer of personal data outside Uganda shall take place only under certain conditions as stipulated by the Act and the Regulations thereunder.
Do I need to appoint a Data Protection Officer?
The Act requires persons, institutions and public bodies to designate a data protection officer in the following circumstances where the core activities of the person, institution or public body consist of:
- the regular and systematic monitoring of data subjects on a large scale; or
- processing of special personal data.
Are there any consequences for violation or non-compliance with the Act and the Regulations thereunder?
Breach or violation of the Act and Regulations thereunder can lead to significant costs and risks for those involved. The possible consequences include:
- damage to the reputation of the person, institution or public body;
- fines of up to two percent of the corporation’s annual gross turnover; and or
- imprisonment of every officer of the institution who knowingly and willingly authorized or permitted such non-compliance with the Act.