When we think of data privacy laws and all of the facets and provisions that surround them, we often think of the United States first, followed by the European Union (EU) with its ever-famous law called the GDPR. But believe it or not, there are other nations around the world, some that you may not have even heard of, that are also adopting their own data privacy laws. These can even include the poorest of the poor countries, especially those found in Africa.
One such place is Rwanda. In fact, in October of 2021, during the height of the COVID-19 pandemic, the government of this country passed its own data privacy law. It is formally called the “Law on the Protection of Personal Data and Privacy (Data Privacy Law).”
Just like the CCPA and the GDPR, its primary goals are to protect the PII datasets of the citizens of Rwanda, to give them far greater control over how businesses can use their data, and to make sure that organizations are implementing the right controls to protect them.
This law does not just impact people in Rwanda; it also has global reach, especially for entities that transact business there or have customers in that geographic area. Here are some of its key provisions:
“*Article 48 bars data being transferred to third parties unless they are authorized by the National Cyber Security Authority (NCSA).
*Article 50 requires all personal data to be stored in Rwanda except for registered entities with NCSA-issued certificates to store data abroad.
*Article 17 mandates data controllers and processors to keep a record of personal data-processing activities and submit the data to NCSA upon request.
*Article 38(3) requires controllers and processors to provide data protection impact assessments (DPIAs) when processing poses a high risk to individuals' rights.
*Article 43 mandates a data processor to inform the data controller of a data breach within 48 hours of discovery. It also requires a data controller to notify NCSA within 48 hours of becoming aware of a breach. The data controller must inform the subject of the data breach unless the breach is communicated to the public.
*Article 9 requires a parent or guardian's consent before the personal data of a child under 16 can be processed. It also states that consent is acceptable only if it's in the child's interest. However, consent is not required if processing the data is important to the child's welfare.
*Article 8 grants data subjects the right to revoke consent at any time.
*Articles 29–31 require that anyone who intends to process data must register with the NCSA and be granted a data protection and privacy (DPP) certificate.”
(SOURCE: This is a direct quote taken from Dark Reading, at this link: https://www.darkreading.com/dr-global/navigating-rwanda-new-data-protection-law)
Much more detailed information about Rwanda’s Data Privacy Law can be found at the link below:
https://securiti.ai/rwanda-data-protection-law/
Up to this point, since 2021, the Rwandan Government has allowed a two-year transitional period for businesses to come into compliance with this law. But this grace period will end on October 15th of this month. Just like the GDPR and the CCPA, there are also rather harsh financial penalties (by Rwandan standards) if compliance is not met. Here are the details:
*A fine of up to 1% of the total revenue for a business (this can range anywhere from $1,700.00 to $4,250.00).
*Any data processors or third-party vendors that are not certified under this new law will also face the same financial penalties as described above.
My Thoughts On This:
Believe it or not, Rwanda now becomes the 35th nation in Africa to have a rather comprehensive data security law. I never knew about this. In fact, this is deemed to be one of the most stringent and strongest data privacy laws on the African Continent. Some of the other key benefits of this are as follows:
*The confidence of the Rwandan consumer should pick up, as they now have recourse and legal actions to protect their data. More information about this can be seen at the link below:
*They will now be assured that businesses are taking far more precautions to protect their PII datasets by implementing the right controls.
*It is anticipated that the flow of international trade should pick up, as more countries will have stronger faith in the security steps the Rwandan Government is taking to protect commerce.
Probably best of all is that the Rwandan Government has also created a data protection authority, called the NCSA, to enforce this data privacy law. In closing, I think we here in the United States could learn a thing or two from this new law passed in Rwanda.