
Why your institution needs a data protection officer

Rwanda’s law on personal data protection and privacy (officially gazetted as Law No 058/2021 of 13/10/2021) has been in force since October 15 2021, and institutions are currently observing a compliance period of two years (ending October 15 2023) to follow all of its provisions.
 
One of the provisions of the law on personal data protection and privacy indicates the need to designate a data protection officer (DPO) for any processing of personal data (Art. 40).
 
Whether your institution acts as a data controller, a data processor or both, the law on personal data protection and privacy makes it mandatory to ensure the DPO role is filled if you are processing personal data.
 
Adding this provision on appointing a data protection officer ensures this law equals global standards of data protection frameworks.
 
The UK’s General Data Protection Regulation (GDPR) makes it mandatory for every organization that processes or stores personal data to appoint a data protection officer. The GDPR also states that data protection officers must have “expert knowledge of data protection laws and practices”, emphasizing the need for a high level of competence within the role.
 
This is mirrored in Rwanda’s law on personal data protection and privacy, which states in Art. 40 that “The data protection officer is designated on the basis of professional qualities, expert knowledge of personal data protection, practices and the ability to fulfil the tasks assigned to him or her.” These two provisions indicate the importance assigned to effectiveness within this role.
 
But what are the principal duties of a data protection officer? According to Art. 40 of Rwanda’s law on personal data protection and privacy, the duties are:
 
  1. To inform and advise the data controller, the data processor and the employees who carry out personal data processing, of their obligations pursuant to this Law.
  2. To monitor, in his or her area of work, compliance with this Law and with the policies of the data controller or data processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in personal data processing operations, and the related audits.
  3. To provide advice where requested as regards the data protection impact assessment and monitor its performance.
  4. To cooperate with the supervisory authority and to act as its contact point on issues relating to processing of personal data, including the prior consultation with the supervisory authority, and to consult, where appropriate, with regard to any other matter.
 
Those who do not comply with the mandatory appointment of a data protection officer in situations where personal data is being processed commit an offence. Art. 53, on Administrative Misconducts, states “failure to designate a personal data protection officer” as a misconduct that goes against compliance with this law.
 
The duties of the data protection officer show why this role must be filled in every institution that processes personal data. Data protection officers provide expertise and knowledge, ensure appropriate compliance with the law, and act as the registered contact person for the supervisory authority. It is critical that this provision is observed in order to ensure effective compliance with the law on personal data protection and privacy.
 

21 February 2022
