The recent Master Class for Data Protection Officers, convened by the Collaboration on International ICT Policy for Eastern and Southern Africa in partnership with the Personal Data Protection Office, surfaced an uncomfortable truth.

• Only 13% of Ugandans online are aware of the Data Protection and Privacy Act.
• Nearly 90% of designated Data Protection Officers lack formal certification.
  

Opening the session, the National Director of the PDPO, Baker Birikujja, did not soften the message. He warned that low public awareness and weak professional preparation among DPOs are undermining the intent of the law itself. The problem, he suggested, is not the absence of legislation, but the gap between legal obligation and organisational practice. Data protection, he noted, cannot work when the people tasked with enforcing it lack both recognition and support within their institutions.

That tension was taken further by Stephen Mugabe, Manager for Data Protection Affairs at the PDPO, who argued for a risk based approach that begins long before breaches occur. He explained that DPOs must be able to identify high risk processing activities early and guide management decisions using clear assessments of potential harm. To make the point tangible, he offered a simple example: leaving a cabinet containing patient or client records unlocked. Such an act, he said, may appear minor, but it can have severe consequences for affected individuals. The risk does not arise from malice, but from routine organisational neglect.

From the industry side, Barbra Among Arinda, Executive Director of the Credit Reference Bureaus of Uganda, addressed the persistent tension between compliance and business objectives. She urged DPOs to speak in the language of management, linking data protection to innovation, efficiency, and trust. At the same time, she was clear that advice must be documented and delivered early. When DPOs are consulted only during audits or after incidents, she observed, they are denied the chance to prevent harm. “If you bring the DPO at the end,” she cautioned, “you are already managing failure, not risk.”

Taken together, these interventions pointed to a shared conclusion that remained largely implicit. The challenge facing data protection in Uganda is not only technical capacity, but governance. When DPOs are appointed without authority, when their advice can be ignored without consequence, accountability does not disappear. It shifts. As Uganda marks Data Privacy Day 2026, the master class leaves boards, executives, and regulators with a direct question: if data protection officers are expected to advise strategically, are institutions prepared to listen and to own the risks created when they choose not to.