Digital Manners: A Strategist’s Guide to Data Privacy in Uganda

Hi, I’m Stella. I used to introduce myself as a risk management professional, but these days, I call myself a strategist. Living and working here in Uganda, I have spent years helping organizations navigate the Data Protection and Privacy Act.

This past January 28th was Data Privacy Day, a moment for us to stop and ask: Do we actually understand privacy, or are we just pretending? My late father never quite grasped my career; he eventually gave up and told everyone I was an accountant! Because, ironically, that’s the degree he paid for. Even now, I often get blank stares until things go wrong and a company ends up in the headlines. That’s when the questions start: ‘Stella, why does this matter? Why should the Board or the CEO care?’

Let’s answer that.

I normally ask people to think about something very simple: your house.

Your house is a very personal space. From time to time, you invite people in, your house manager, friends, family, visitors. And you’re comfortable with them being in certain areas. They can sit in the living room, maybe walk into the kitchen, help themselves to a glass of water.

But let’s be honest… there are areas where you would not be comfortable with someone just walking in.

Your bedroom. Your wardrobe. That drawer you never want anyone to open.

If a visitor came into your house and started opening your cupboards and going through your personal things, you wouldn’t say, ‘Oh, feel free, make yourself at home.’ You would feel violated. You would probably escort them out… very quickly.

And that is the shift we need to make. We need to stop looking at data as ‘records’ and start seeing it as people’s ‘private drawers’.

And then I usually ask another question, one that makes people uncomfortable, because almost everyone has been there:

Have you ever sent an email attachment to the wrong person?

Maybe it was a salary report. Maybe it was a contract. Maybe it was something you definitely did not intend for that person to see. That moment when you realize what you’ve just done… your heart stops. You start praying the person hasn’t opened it yet. You might even try to ‘recall’ the email, knowing full well it rarely works.

That, right there, is data privacy in real life.

People’s data is personal. It’s not just ‘bits and bytes’ on a server; it’s the digital extension of that private bedroom drawer. Data privacy is about giving individuals control over how their information is used. It’s not just about collecting data to provide a service; it’s about ensuring that the way we use it doesn’t leave people feeling exposed, uncomfortable, or harmed.

So, the first question we usually tackle is: What is personal data?

In simple terms, personal data is any information that can identify a person. It’s the breadcrumbs that lead back to a specific human being.

From there, we move to some terms that sound like they were invented to confuse us, but they’re actually very practical. In my world as a strategist, I need you to know who is who:

So, to make these terms stick, let’s look at something we see every day on our roads – a Boda Boda.

Imagine a large delivery company, let’s call them ‘Quick-Delivery.’ They want to send packages across Kampala, so they hire riders.

  • The Data Controller (The Company): Quick-Delivery is the one who decided, ‘We are going to collect customer names and house locations to deliver these packages.’ They own the ‘why’ and the ‘how.’ They are in the driver’s seat of the whole operation. If a customer’s address is leaked, the finger points at them first.
  • The Data Collector (The Boda Rider): Now, think of the rider out in the sun. He’s the one who actually goes to the customer and says, ‘Please sign here and give me your phone number.’ He is the boots on the ground gathering the info. He doesn’t own the data; he’s just the one physically collecting it on behalf of the company.
  • The Data Processor (The Tracking App): Quick-Delivery uses a separate GPS app to manage all their routes. That app company doesn’t care who the customers are; they are just crunching the coordinates to provide the best route. They are the Processor, handling the data only because the Controller told them to.

Basically, everyone is on the same bike, whether they like it or not. If the rider (the Collector) leaves his delivery logbook at a local mandazi stall for anyone to read, the Company (the Controller) still has a massive problem on their hands.

At this point, I usually clarify something people often mix up: the difference between data protection and privacy.

I once tried to explain it by asking what the difference is between wearing a bikini and being naked… but okay, that’s a bit of a wild example, let’s move on! (Though I think you get the point about ‘layers’ of exposure.)

Let’s look at it through my lens as a strategist:

  • Data Protection is the ‘how.’ It’s the technical and administrative stuff. It’s the locks on the doors, the passwords, the encrypted servers, and the secure filing cabinets. It’s how we collect, store, and process information so it doesn’t leak.
  • Privacy, on the other hand, is the ‘why.’ It’s about the individual’s right to say, ‘This part of my life is not for public consumption.’ It’s about dignity.

Going back to the house example: Data protection is the high wall and the electric fence around your compound. It keeps the bad guys out.

But Privacy? Privacy is the fact that even if I am a guest inside your house, I have no business walking into your bedroom and opening your wardrobe. You wouldn’t just be annoyed; you’d feel like your personal dignity had been violated.

In Uganda, this isn’t just a ‘nice to have’; it’s a fundamental human right protected by the Constitution. The Data Protection and Privacy Act is basically the law telling organizations: ‘Yes, you can be a guest in people’s lives… but please, behave responsibly.’

Now, when we talk about being ‘responsible’ with data, we have to talk about who actually carries the weight.

In most of our families, the first-born is rumored to be the most responsible person in the house. But let’s be honest, the first-born isn’t just responsible; they are basically forced into early parenthood! They are managing siblings, chores, and expectations before they can even spell ‘accountability’.

In a business, we often treat the IT department or the DPO like that first-born. We dump everything on them and say, ‘You’re responsible for the “children” (the data), don’t let them get hurt!’

But as a strategist, I’m here to tell you: you cannot outsource parenthood. If an organization is serious about privacy, responsibility has to be shared across the entire family, or in our case, the Governance Triangle:

  • The Board (The Head of House): You provide the vision and the resources. If you aren’t asking about privacy in your meetings, the rest of the house won’t care.
  • Senior Management (The Managers): You ensure the ‘first-born’ (the DPO) actually has the power to do their job, rather than just the title.
  • Operations (The Siblings): These are the ones actually playing with the data every day. If they aren’t careful, everyone gets in trouble.

If the Board is talking about privacy but Operations has no idea what it means, the house will fall. If Operations is trying to be careful but Leadership is looking the other way, it will also fail. To survive, you need ‘Privacy Champions’ in every room, ensuring that ‘responsible’ isn’t just a label we gave to the first-born, but a culture we all live by.

Once governance is in place, the next thing is policies and procedures.

Once you have the right people in the triangle, you need the ‘Rule Book.’

Every organization must have a data protection policy and a privacy notice that people can actually read and understand. I’m talking about real English (or Luganda!), not just a document someone ‘borrowed’ from a random website on the internet and left to gather digital dust in a folder somewhere.

If your privacy notice looks like it was written by a robot for a robot, you’ve already failed.

People, your customers, your staff, should be able to look at your notice and clearly see:

  • What are you taking?
  • Why do you need it?
  • Where is it going (especially if it’s crossing borders)?
  • How are you keeping it safe?

But as a strategist, I’ll tell you a secret: Policies are just intentions. Processes are reality. You can have a policy that says ‘We value your privacy,’ but if you don’t have a process for what happens when a laptop is stolen or a database is breached, that policy is just a decoration.

You need real, living processes behind the paper:

  • Privacy Impact Assessments (PIAs): Checking for landmines before you launch a new product.
  • Incident Management: Knowing exactly who to call when things go sideways.
  • Data Security: The actual digital ‘padlocks’ on your information.

If you have the policy but no process, you’re just a person with a map who doesn’t know how to drive.

Then, I usually ask organizations to reflect on the law, because the law doesn’t care about your good intentions; it cares about your tracks.

This is where the “blank stares” usually start, so I like to break it down using a “follow the person vs. follow the soil” approach. As a strategist, I need my clients to understand that the law is either tied to the land or tied to the human.

Here’s how we break down Territorial Scope versus Data Subject Scope:

To really understand your legal footprint, you have to look at two different ‘scopes.’ Think of it as the difference between the rules of a football pitch and the rules of a club membership.

1. Territorial Scope (The Pitch)

This is about where you are physically sitting. If your office is in Kampala, you are on the Ugandan ‘pitch.’ This means the Uganda Data Protection and Privacy Act applies to you simply because you are operating within our borders. It doesn’t matter if you are processing data for a Kenyan or a Canadian; because you are doing the work on Ugandan soil, you must follow Ugandan rules.

2. Data Subject Scope (The Member)

This is about who the person is, regardless of where you are. This is where laws get ‘extra-territorial.’ A Data Subject is simply the individual whose data is being collected.

If that individual is in the EU, they carry the protection of the GDPR with them like a digital passport. If you, sitting in Uganda, target them with services or monitor their behavior, you have just entered the ‘EU Club.’ You are now bound by their rules because of who the person is, not where you are. If you are a Ugandan fintech or a bank with customers in Nairobi, the Kenyan ODPC (Office of the Data Protection Commissioner) is looking at you. Under Kenyan law, if you’re processing data of Kenyan residents, you’re in their “club.”

The danger for many Ugandan businesses is that they think: ‘I am a local company, so I only have a local problem.’ But as a strategist, I ask:

  • Are you a hotel? You have EU, Kenyan, and Rwandan data subjects.
  • Are you an exporter? You have international data subjects.
  • Are you an app developer? You definitely have data subjects from all over the EAC and beyond.

If you only build your strategy for the ‘Territorial’ side, you are leaving your bedroom door wide open to international regulators. You might be ‘compliant’ at home but a ‘fugitive’ abroad.

I used to be a scout, and let me tell you, that was way before Google Maps was a thing. We had to learn how to read the land, understand where we were, and exactly what we were carrying. If your pack was too heavy with things you didn’t need, you wouldn’t make it to the camp.

As a strategist, I bring that same ‘scout’ energy to organizations when I encourage them to really understand their data. We call it Data Mapping, but it’s really just a digital inventory. I ask five simple questions:

  1. What data do you have?
  2. Why do you have it?
  3. Where is it stored?
  4. Who has access to it?
  5. Who do you share it with?

This process often reveals something interesting: many organizations are ‘data hoarders.’ They are collecting data just because they can, not because they need it.

I remember applying for medical insurance online recently. The website asked for my name, age, and location, which made perfect sense for a premium calculation. But then, it asked for my blood group.

I stopped typing and just stared at the screen. I remember thinking, ‘Wait… are you giving me a quotation… or are you planning to donate my blood?’

That is the ‘Strategy Gap’ in action. If you don’t need my blood group to tell me how much the insurance costs, why are you taking it? Every extra piece of data you collect is a liability you have to protect. It’s like carrying an extra 10kg in your scout pack just for the sake of it. If you lose that pack, you haven’t just lost your gear; you’ve lost something precious that didn’t even belong to you.

I’ve done many things with my life. I guess you would call me a ‘planned baby’: everything had a purpose. Back then, I used to swim competitively, and one of the things I would train myself for was seeing how long I could swim underwater without breathing.

In that silence, you are hyper-aware of your limits. You know exactly how much oxygen you have and exactly when you need to surface.

That is exactly why organizations must conduct Data Protection Impact Assessments (DPIAs). A DPIA is your ‘oxygen check.’ It helps you understand:

  • Is this data actually necessary?
  • What risks are we creating by holding it?
  • And most importantly, what would happen to us if this data were exposed? Can the business survive that ‘underwater’ moment, or will we drown?

From there, I move the conversation to Privacy by Design and Privacy by Default.

You see this every day on your phone now. Most apps will pop up and ask:

  • Allow access always?
  • Allow only while using the app?
  • Don’t allow?

By default, the door is locked. Access is restricted unless you explicitly grant permission. That is Privacy by Design. It’s building the system so that the ‘private drawer’ we talked about stays closed unless there is a very good reason to open it.

As a strategist, I tell organizations they should think the same way when designing their own systems and processes. Don’t build a ‘leaky’ process and try to patch it later with a policy. Build the ‘oxygen tank’ into the design from day one.

Then there is the issue of third parties and cross-border transfers.

Let’s go back to the house for a moment. You hire a house manager to help you run your home. You trust them with the keys. But imagine that house manager goes to jazz (gossip) with all the other house managers in the hood, exposing your private business: what you eat, who you talk to, what’s in your bedroom.

Even though they are the one talking, it’s your house being exposed. In the business world, sharing data with a third party does not remove your responsibility. If you give a vendor your customers’ data to process payroll or send emails, you must ensure they are protecting it as well as you do.

The law is very clear on this: You can’t just say, ‘It wasn’t us, it was our vendor.’ The Personal Data Protection Office (PDPO) will politely, but firmly, remind you that it is still your problem. As a strategist, I tell my clients: ‘Choose your partners like you choose your house manager. If they can’t keep a secret, they shouldn’t have your keys.’

When it comes to breaches, I always emphasize preparedness. I liken it to knowing how to change a flat tyre. We don’t buy a spare tyre because we plan on having a puncture. We buy it because we know the roads we drive on. If you’re driving on a rainy night and your tyre goes flat, that is not the time to start reading the car manual or watching a YouTube tutorial on how to use a jack. You need to know where the tools are, how to loosen the nuts, and how to get back on the road before the rain soaks you to the bone.

In Uganda, when a data breach occurs, the ‘rain’ starts immediately. You are legally required to notify the Personal Data Protection Office (PDPO) and, in many cases, the affected individuals.

But beyond the law, every organization needs to ask itself: If a breach happens tomorrow at 8:00 AM, do we have our ‘spare tyre’ ready? Do we know:

  • Who identifies the leak?
  • Who ‘jacks up’ the system to stop the damage?
  • Who calls the regulator?
  • Or are we going to stand on the side of the road, in the rain, forming a committee to discuss which nut to loosen first?

Strategy is about having the tools in the boot and the skill in your hands before the puncture happens. Because in the world of data, it’s not a matter of if you’ll get a flat tyre, it’s a matter of when.

Finally, I talk about Culture.

Because you can have the best strategy in the world, but as we say, culture eats strategy for breakfast (or lunch, or was it dinner?).

I often look at our roads in Uganda to explain this. We have laws, we have traffic lights, and we have signs. But then you see a driver who has zero courtesy, cutting people off, overlapping, or a Boda rider weaving recklessly through traffic as if they have a spare life in their pocket.

That driver isn’t just breaking a rule; they lack a culture of respect for others on the road. They think, ‘As long as I get where I’m going, it doesn’t matter who I push off the way.’

In many organizations, we see the ‘reckless driver’ version of data handling. The best example? The Visitor Book.

Go to almost any reception desk in the city. There it is, a big, open book full of names, phone numbers, ID numbers, and signatures of everyone who came before you. Anyone standing there can read it, photograph it, or even take a picture of your phone number while they wait. Few people know where those books go at the end of the month or who is responsible for storing them.

That is not a technical problem. It is a cultural problem. It’s a lack of ‘digital manners.’

Culture only changes through three things:

  1. Leadership: The Board and Management modeling the right behavior.
  2. Awareness: Everyone from the CEO to the security guard must understand that a phone number is a piece of a person’s dignity.
  3. Training: Teaching people the value of data and data privacy.

Privacy is not something you do once and forget. It must evolve, just like the roads we drive on. We must keep improving.

So when people ask me why data privacy matters to managers, board members, and business leaders, I usually say this:

It’s not just about compliance. It’s about Trust. It’s about Dignity. And it’s about Responsibility.

Honestly, if we think about it carefully… data privacy is just good manners in digital form. And for me, as a strategist, that is where a real privacy program begins.

Article by Stella Simiyu,
Managing Director – Sentinel Africa Consulting Uganda