Imagine this. You are a director of a mid-sized company. One morning, the security guard calls you in a panic: “Sir, thieves broke in, but they did not touch the furniture or computers. They opened the safe.”
You rush to the office. The steel safe stands wide open. But strangely, bundles of cash are untouched. Instead, the robbers carried away files, employee contracts, customer details, supplier bank accounts, and even board minutes.
That is the modern burglary. No crowbars, no gunfire, no missing shillings. Yet, the loss is catastrophic. Competitors now know your customer lists.
Fraudsters will exploit payroll records. Staff will feel betrayed. And regulators will demand answers from one person, the board of directors.
Data is today’s gold.
And the Data Protection & Privacy Act, 2019, is Uganda’s attempt to guard that gold. But unlike a physical safe, this law places the ultimate lock and key in the hands of directors. Ignore it, and you are complicit in leaving the safe open.
Why directors cannot outsource data protection
Many boards still believe data protection is “an IT matter.” That illusion is as dangerous as leaving fuel near a fire.
The Act is clear: data controllers and data processors, which include your organization, must comply with principles of consent, purpose limitation, security, and accountability.
But who ensures compliance? The IT manager? No. The accountability starts with the board. If a regulator investigates and your CEO says, “The board never approved the data policy,” you are finished.
The law
The Data Protection & Privacy Act, 2019, is not legal jargon; it is practical governance. Here are the pillars every director must grasp:
Lawful and fair processing
You cannot collect data just because it is available. Example: Harvesting customer phone numbers from social media without consent breaches the law.
Purpose limitation
If you collect employee data for payroll, you cannot secretly share it with an insurance broker.
Data minimization
Only collect what you truly need. Why ask a customer for their spouse’s details if you are only selling cement?
Accuracy and integrity
You must ensure data is correct and up to date. Wrong NINs or outdated addresses expose the company to risk.
Security safeguards
Encryption, access controls, and audit logs. Without these, your systems are wide open.
Accountability
Boards must ensure there is a compliance framework: policies, a Data Protection Officer, and regular audits.
The hidden costs of ignoring the Act
Directors often ask: “But what is the worst that can happen?” Let’s break it down.
- Regulatory fines. The law imposes penalties running into billions of shillings. Unlike a small compliance fee, this is a financial earthquake.
- Loss of trust. When patient files leak at a hospital or donor databases are sold on the black market, recovery is nearly impossible. In Uganda, gossip travels faster than boda bodas.
- Board liability. Directors may be held personally accountable for negligence. Imagine paying damages from your own pocket.
- Investor and donor withdrawal. Foreign investors increasingly ask: “Show us your data protection compliance.” Without it, expect funding cuts.
- Operational paralysis. A single data breach investigation can freeze a business for months. Emails seized, systems locked, reputations shredded.
A few cases in Uganda
- Payroll leak: An NGO’s salary details of expatriates circulate on WhatsApp. Staff morale collapses. Donors question governance.
- Hospital files sold: Patient records from a Kampala clinic end up with insurance agents. Trust broken, lawsuits follow.
- SIM swap fraud: Employee data stolen from a company’s HR files is used to hijack mobile money accounts. Directors grilled by police.
Each of these was preventable, had the board made data protection a priority.
Here is what every serious director must demand immediately:
- Data protection audit. Commission an annual audit by an independent firm. Treat it with the same weight as a financial audit.
- Appoint a Data Protection Officer. Even if outsourced, someone must oversee compliance, training, and breach reporting.
- Approve policies. Ensure there is a clear data protection and privacy policy, communicated to staff and suppliers.
- Incident response plan. Ask: “If our donor list leaks today, who does what, in what order?”
- Board reporting. Demand quarterly updates on data risks, just like you do with finances.
At IFIS and Summit Consulting Ltd, we have seen the same pattern in fraud investigations: fraudsters exploit weak data controls. When personal data is poorly managed, collusion becomes easy.
In one case, Suspect 1, an HR officer, printed CVs and staff files and quietly sold them to loan sharks. Suspect 2, a systems administrator, left audit logs disabled, so no one noticed.
The board only discovered after staff were hounded by illegal lenders. Losses? Not in stolen shillings, but in trust, productivity, and lawsuits.
This is why we tell directors: data protection is not about IT firewalls. It is about tone at the top.
Data is governance, not compliance
Most boards in Uganda view data protection as another compliance headache, like filing returns with URA.
That thinking is fatal. Data protection is a strategy. A bank that safeguards customer privacy wins loyalty. A university that protects student records attracts international partnerships.
An NGO that secures donor lists keeps funding stable. The board that ignores data privacy risks is irrelevant. The board that embraces it builds trust as a strategic moat.
If you sit on a board and have never asked your management:
- Do we have a Data Protection Officer?
- When was our last privacy audit?
- What is our breach response plan?
Then you are not governing, you are gambling.
The Data Protection & Privacy Act, 2019, is not optional reading for directors. It is your legal duty, your reputational insurance, and your strategic edge.
Ignore it, and you will one day stand like the director staring at the empty safe, no cash stolen, but everything of value gone.
Copyright Institute of Forensics & ICT Security, IFIS, 2025. All rights reserved.