Who regulates data protection in Uganda?

The Personal Data Protection Office (PDPO) under NITA-U enforces the Data Protection and Privacy Act 2019 and its 2021 Regulations.

Do Ugandan businesses need to register as data collectors?

Yes. The Data Protection and Privacy Regulations 2021 require data collectors, processors, and controllers to register with PDPO and renew annually.

How does GeraCompliance help with EU customers?

We map Ugandan DPA 2019 controls to GDPR and, for applicable companies, to the EU AI Act. The compliance evidence pack is reusable across audits.

GeraCompliance in Uganda 2026 — DPA 2019, PDPO, and EAC Data Rules for Ugandan Businesses

Quick answer: GeraCompliance gives Ugandan businesses a single tool to manage compliance with the Data Protection and Privacy Act 2019, the 2021 Regulations, and cross-border obligations across the East African Community. For companies serving EU customers we overlay GDPR and EU AI Act mapping. Pricing is in UGX; MTN MoMo accepted.

Uganda's data-protection regime

The Data Protection and Privacy Act 2019 and the Data Protection and Privacy Regulations 2021 set out the framework for personal-data processing in Uganda. Oversight sits with the Personal Data Protection Office (PDPO) under the National Information Technology Authority Uganda (NITA-U). Key obligations include registration of data collectors/processors/controllers with PDPO, appointment of a DPO where relevant, lawful-basis mapping, breach notification within 72 hours, and cross-border transfer safeguards.

Other regulators that touch compliance

Uganda Registration Services Bureau (URSB) — business registration, beneficial ownership disclosure
Uganda Revenue Authority (URA) — tax compliance, e-invoicing (EFRIS)
Bank of Uganda (BoU) — payment system providers, FX controls
Financial Intelligence Authority (FIA) — AML/CFT
Uganda Communications Commission (UCC) — telecom and digital services
Insurance Regulatory Authority (IRA) — insurance and insurtech
National Drug Authority (NDA) — pharmacies, telemedicine fulfilment

EAC cross-border data

EAC Partner States have varying data regimes — Kenya (Data Protection Act 2019), Rwanda (Law 058/2021), Tanzania (Personal Data Protection Act 2022), Burundi (emerging), South Sudan (emerging). GeraCompliance maps cross-border transfer grounds (consent, contractual necessity, adequacy, SCCs) across these jurisdictions so a Ugandan SaaS company serving EAC customers has one compliance ledger.

What GeraCompliance does

PDPO registration preparation and renewal tracking
ROPA (records of processing activities) builder
DPIA templates aligned to Uganda DPA 2019
Data subject request (DSR) workflow
Breach register with 72-hour notification workflow
GDPR overlay for EU customers; AI Act mapping where applicable
URA e-invoicing integration for audit-ready records

Pricing in UGX

Starter (SME under 20 staff): UGX 150,000/month
Growth (20–100 staff): UGX 450,000/month
Enterprise: bespoke quote in UGX or USD

MTN MoMo, Airtel Money, and card via Flutterwave supported. Bank transfer for annual plans.

Related Gera services

GeraCash — payment-system compliance for BoU PSP applicants
GeraSure — cyber and PI insurance for Ugandan tech firms
GeraGuard — browser privacy layer complementing DPA 2019 obligations