Uganda: Ey – Less Than 50 Percent of Ugandan Entities Have Data Protection Policies

Kampala, Uganda — Less than half of local entities have data protection policies, strategies, and frameworks, a new report shows, signaling possible chances of data privacy breaches.

The Ernst & Young (EY) report released in Kampala on July 18 following a survey of various entities including financial institutions, payment service providers, insurance companies, SACCOs, healthcare, government agencies and departments, manufacturing companies, NGOs, and telecommunication companies among others between October 2022 and December 2022, shows that only 47% of entities had put in place data protection policies, strategies, and frameworks.

The report also shows that 30% of the entities carry out private audits while 23% never carry out these audits.

However, the majority of the entities accounting for 74% acknowledged having data protection officers while 26% did not have any. Interestingly, 80% of the data protection officers were assigned to other tasks within the organization.

Only 11% of the respondents had a privacy steering committee and most of the entities did not have data privacy analysts, coordinators, and data privacy managers. Data protection and loss were carried out using mobile devices.

Titled ‘Uganda Data Protection and Privacy Survey 2022’ carried out in line with the Data Protection and Privacy Regulations, 2021, also sheds light on the challenges faced by entities in complying with data protection laws in Uganda.

These challenges encompass areas such as data breach prevention, cross-border data transfers, and industry-specific concerns while stressing the importance of organizations adopting robust data protection strategies.

The report recommends that business owners understand that data held by their entities have the potential to enhance customer trust.

The report notes that the entities need to review and improve their data protection program continuously to keep up with emerging threats.

They also need to monitor the technology environment for new instances that may not be appropriately classified or protected.

The report also adds that there is a need to improve awareness and understanding of data protection regulations among individuals, private sector organizations, and government MDAs in Uganda. This includes enhancing knowledge about compliance requirements and the rights of data subjects.

Alfred Mugume, the manager of Cybersecurity, Data Privacy and Trusted Technology at EY said, this new report underscores EY’s commitment to advancing data protection practices and fostering compliance with regulations in Uganda and provides valuable insights into the state of the country’s data protection and privacy.