
Understanding Uganda's Data Protection and Privacy Act 2019

Masiika Christine Thembo

Founder & CEO

20 February 2026 | 8 min read

The Uganda Data Protection and Privacy Act 2019 (PDPA) came into force in February 2019, establishing the country's first comprehensive data protection framework. Three years on, compliance remains uneven — and enforcement is beginning to accelerate.

What the PDPA Requires

The Act applies to any person or organisation that collects, processes, or stores personal data in Uganda. Key obligations include: appointing a data protection officer, implementing technical and organisational security measures, obtaining informed consent before collecting personal data, and honouring data subject rights including access, correction, and deletion.

Enforcement Landscape

The Personal Data Protection Office (PDPO) — established under NITA-U — is the enforcement body. It has the power to investigate complaints, issue compliance notices, and impose penalties. Fines of up to UGX 250 million or 2% of annual revenue can be levied for serious breaches.

What Organisations Must Do Now

Conduct a data mapping exercise to understand what personal data you hold and where it flows. Review your privacy notices, consent mechanisms, and retention policies. Appoint or designate a Data Protection Officer. Document your processing activities and establish a breach notification procedure.

Our think tank provides detailed PDPA readiness assessments and policy gap analysis. Contact our team for a confidential review.
