Friday, September 15, 2023

How The New Rwandan Data Privacy Law Will Impact US Businesses

 


When we think of data privacy laws and all of the facets and provisions that surround them, we often think of the United States first, followed by the European Union (EU), with its ever-famous law called the GDPR. But believe it or not, there are other nations around the world, some that you may not have even heard of, that are also adopting their own forms of data privacy laws.

These can even include the poorest of the poor countries, especially those found in Africa.

One such place is Rwanda. In fact, in October of 2021, during the height of the COVID-19 pandemic, the government of this country passed its own data privacy law. It is formally called the “Law on the Protection of Personal Data and Privacy (Data Privacy Law).”

Just like the CCPA and the GDPR, the primary goals are to protect the PII datasets of the citizens of Rwanda, to give them far greater control as to how businesses can use their data, and to make sure that organizations are implementing the right controls to protect them.

This law does not just impact people in Rwanda; it also has global reach, especially if entities transact business there or have customers in that geographic area. Here are some of its key provisions:

“*Article 48 bars data being transferred to third parties unless they are authorized by the National Cyber Security Authority (NCSA).

Article 50 requires all personal data to be stored in Rwanda except for registered entities with NCSA-issued certificates to store data abroad.

Article 17 mandates data controllers and processors to keep a record of personal data-processing activities and submit the data to NCSA upon request.

Article 38(3) requires controllers and processors to provide data protection impact assessments (DPIAs) when processing poses a high risk to individuals' rights.

Article 43 mandates a data processor to inform the data controller of a data breach within 48 hours of discovery. It also requires a data controller to notify NCSA within 48 hours of becoming aware of a breach. The data controller must inform the subject of the data breach unless the breach is communicated to the public.

Article 9 requires a parent or guardian's consent before the personal data of a child under 16 can be processed. It also states that consent is acceptable only if it's in the child's interest. However, consent is not required if processing the data is important to the child's welfare.

Article 8 grants data subjects the right to revoke consent at any time.

Articles 29–31 require that anyone who intends to process data must register with the NCSA and be granted a data protection and privacy (DPP) certificate.”

(SOURCE: This is a direct quote taken from Dark Reading, at this link: https://www.darkreading.com/dr-global/navigating-rwanda-new-data-protection-law)

Much more detailed information about Rwanda’s Data Privacy Law can be found at the links below:

https://dpo.gov.rw/

https://securiti.ai/rwanda-data-protection-law/

Up to this point, since 2021, the Rwandan Government has allowed for a two-year transitory period for businesses to come into compliance with this law. But this grace period will end on October 15th of this month. Just like the GDPR and the CCPA, there are also rather harsh financial penalties (by Rwandan standards) if compliance is not met. Here are the details:

*A fine of up to 1% of the total revenue for a business (this can range anywhere from $1,700.00 to $4,250.00).

*Any data processors or third-party vendors that are not certified under this new law will also face the same financial penalties as described above.

My Thoughts On This:

Believe it or not, Rwanda now becomes the 35th nation in Africa to have a rather comprehensive data security law. I never knew about this. In fact, this is deemed to be one of the most stringent and strongest data privacy laws on the African Continent. Some of the other key benefits of this are as follows:

*The confidence of the Rwandan consumer should pick up, as they now have recourse and legal actions to protect their data. More information about this can be seen at the link below:

https://www.darkreading.com/endpoint/why-the-culture-shift-on-privacy-and-security-means-today-s-data-looks-different

*They will now be assured that businesses are taking far more precautions to protect their PII datasets by implementing the right controls.

*It is anticipated that the flow of international trade should pick up, as more countries will have stronger faith that the Rwandan Government is taking serious steps in terms of protecting commerce.

Probably best of all is that the Rwandan Government has also created a data protection authority, called the NCSA, to enforce this data privacy law. In closing, I think we here in the United States could learn a thing or two from this new law passed in Rwanda.

 

 
