Why corporate social responsibility in data protection
Monday, June 20, 2022
Rwanda’s digital revolution has transformed the economy and the way of life. Technology companies need to secure business processes that help manage client data respectfully. /Photo by Craish Bahizi.

IN RWANDA, like in many countries, the digital revolution has transformed the economy and the way of life. Due to emerging digital technologies, such as social media, cloud computing, Internet of Things (IoT) devices and artificial intelligence systems, it has become crucially important to ensure that these new technologies contribute to data protection and privacy. However, the use of these technologies by companies may have adverse impacts on people’s lives, especially on data protection. A prevalent challenge emanating from the use of these new technologies is the leak of personal information.

Thus, technology companies have a corporate social responsibility to ensure compliance with data protection principles anchored in the existing legal and regulatory framework. Corporate social responsibility is loosely defined as the responsibility that companies take with respect to their societal impact. There is a need for responsible and sustainable corporate conduct in the global value chain.

Given that most global businesses are reliant on technology, technology companies have a pivotal role in complying with the relevant regulatory framework. This would, in turn, contribute to positive impact.

As regards the legal framework, Rwanda ratified the African Union Convention on Cybersecurity and Personal Data Protection, which embodies basic principles governing the processing of personal data. As of now, it is the applicable legal instrument governing personal data, prior to the coming into effect of the national data protection and privacy law.

To illustrate, Rwanda ratified the AU Convention, and it has become part of the laws in force. The enforcement stems from Article 168 of the Rwandan Constitution, which states: “Upon publication in the Official Gazette, international treaties and agreements which have been duly ratified or approved have the force of law as national legislation in accordance with the hierarchy of laws provided for under the first paragraph of Article 95 of this Constitution.”

Going beyond mere legal compliance to responsible data processing activities, technology companies must enhance the effective protection of data subjects and their rights. They have a corporate responsibility to respect human rights, by not infringing on the rights of others, and to address adverse impacts on human rights related to their activities. Data protection is one of the rights that ought to be safeguarded. Any processing of personal data in a manner that is inconsistent with the basic principles governing the processing of personal data, noted earlier, is a breach of the data subject’s rights.

Again, corporate social responsibility is anchored in the UN Guiding Principles on Business and Human Rights. These principles prescribe “the corporate responsibility to respect human rights”. This pillar articulates the social responsibility of technology companies to respect human rights.

Interestingly, the Guiding Principles offer a principled and pragmatic framework that can be applied globally and allows the positive impact and opportunities of technological innovation to flourish in a rights-respecting ecosystem. 

Currently, technology companies need to secure business processes that help manage client data [personal data] respectfully. In fact, this is central to the success of any organisation. It is, therefore, important for companies to pay close attention to developing processes and mechanisms around how data is collected, stored, and managed within an organisation. In so doing, technology companies, which are technically referred to as data controllers, would be complying with their confidentiality and security obligations in respect of data protection.

Corporate social responsibility is increasingly linked to data privacy, which is embedded in corporate strategy. For example, technology companies need to develop ‘privacy by design’. This concept integrates information privacy into the creation and operation of business processes from end to end. While privacy by design is not a legal framework, it nevertheless plays an integral role in shaping a company’s policy and regulations. More importantly, Article 21 of the African Union Convention on Cybersecurity and Personal Data Protection requires a data controller to take all appropriate precautions, according to the nature of the data, and in particular, to prevent such data from being altered or destroyed, or accessed by unauthorized third parties.

Furthermore, technology companies [data controllers] need to put in place the appropriate technical and organisational measures to implement the data protection principles in order to meet the requirements of applicable laws and to protect the rights of the data subject. ‘Privacy by design’, however, imposes a legal obligation and default setting on all data controllers and processors. The AU Convention impliedly puts first the rights of data subjects to ensure that their data is protected.

The basic principles governing the processing of personal data contained in the AU Convention (the ‘Malabo Convention’) require adherence to these principles during the course of processing personal data. The AU instrument, which is presently an integral part of Rwandan laws, thus provides a legal framework for technology companies to adopt a privacy design as one of the best practices in data protection. This ensures that the protection of personal data is built into the operational framework.

In this data-centric world, businesses need to consider best practices, data protection and privacy, as assets that can help technology companies to meet the expectations of data subjects. It is worth underscoring that data protection will continue to be one of the most business-critical issues in the contemporary world. It affects virtually every institution, government, business and non-profit/NGO.

The writer is a data protection and privacy expert.

The views expressed in this article are those of the author.