Ugandan firms are facing fresh compliance pressure for personal data protection after a new law came into effect.

It means, now, that organisations that collect personal bio data are obliged to register with the Personal Data Protection Office (PDPO) of Uganda according to the Data Privacy and Protection Regulations issued in 2021.

The affected entities include banks, micro-financiers, insurance companies, audit firms, law firms, telecommunications firms, government ministries and agencies, hospitals, schools, utility companies, airlines, and many others.

Read: East Africa must harness a digital financial services ecosystem

So far, the Uganda Securities Exchange (USE) has suffered rebuke from the personal data protection regulator following a serious breach experienced at the local bourse last year, in a scenario that exposed glaring weaknesses in the stock market’s data storage systems.

The data security breach was reported to the PDPO in 2022 by a local civil society organisation.

The PDPO investigated the matter in June this year, and its findings revealed gaping loopholes in the bourse’s data management systems. It also faulted USE’s technology services provider over the data breach.

Noticeable shortcomings

“The USE had experienced a personal data security breach which continued for 12 days without the knowledge of either the USE or its service provider. Personal information accessed included national identification numbers, names, dates of birth, email addresses, physical addresses, telephone numbers, which could be used to identify data subjects.

“The information accessed included personal information that Soft Edge had accessed by virtue of its contractual relationship with the USE…” reads a legal brief by PWC Uganda last month.

Despite noticeable shortcomings discovered in USE data management platforms, the PDPO issued a three-month remedial order to the bourse’s management intended to rectify its technical flaws. This compliance window expires this month.

Read: East Africa countries eye issuance of digital IDs

“There is a growing volume of personal data being collected in many sectors and there is a need to sensitise those that collect it and those that provide it on their rights and obligations,” said Stella Alibateese, PDPO Uganda Chief.

“We have realised that many people do not understand their rights as owners of personal data and organisational levels of understanding in matters of data protection differ a lot in this market.”

Recent deals signed between the PDPO and Uganda Communications Commission, and the NGO Registration Board shows the data protection regulator is now tougher, after a lull last year.

The USE chief executive was not available for comment on the data breach incident by press time.

“The real costs of implementation of data protection compliance tools are still unclear to us,” said a data analyst at Airtel Uganda.

Patrick Ayota, managing director of Uganda’s National Social Security Fund said the fund has fully complied.

“The biggest challenge here is capturing correct personal data in an environment where government struggles to issue national identification cards to its citizens. Protecting data from hackers is another dilemma. Hackers are always active towards select targets,” he said.

“Some of the underlying costs are difficult to figure out because of a weak technology regulatory environment in Uganda. For example, if an agency brings certain creative work to us that includes an image of someone picked from Instagram but is not marked and there is no way to verify the price of that image using online tools, how would you comply with data protection guidelines in this case?"