Uganda's Data Protection and Privacy Act, 2019 requires data controllers to adopt "appropriate, reasonable, technical and organisational measures" to protect personal data. Section 20 is explicit. A one-off workshop doesn't meet the bar.
The Aware Front is a fully-managed e-learning and compliance platform that delivers the year-long programme, behavioural testing, and audit-ready evidence pack that stands up to a Personal Data Protection Office review — built in Kampala, for Ugandan organisations.
DOPA 2019 doesn't describe what compliant training looks like in checklist form. It sets a standard — and leaves the evidence of meeting that standard up to you.
A data controller, data collector or data processor shall secure the integrity of personal data in the possession or control of a data controller, data processor or data collector by adopting appropriate, reasonable, technical and organisational measures to prevent loss, damage, or unauthorised destruction and unlawful access to or unauthorised processing of the personal data.
Every public or private organisation in Uganda that collects, processes, holds, or uses personal data. The Act is also extraterritorial — it applies to organisations outside Uganda that handle personal data of Ugandan citizens.
Section 20(2) sets out the obligations underneath the standard: identify foreseeable internal and external risks, and establish and maintain appropriate safeguards. The Data Protection and Privacy Regulations, 2021 make staff training an enumerated safeguard.
The Personal Data Protection Office (PDPO), established under the National Information Technology Authority, Uganda (NITA-U), has investigation, audit, and enforcement powers. Breach notifications flow through this office.
DOPA 2019 creates three distinct layers of exposure — criminal, civil, and reputational. Untrained staff don't just create risk; they create liability your organisation carries.
The Act creates offences for unlawful obtaining, disclosure, destruction, concealment, or alteration of personal data. For corporations, the fine can reach 2% of gross annual income. Individual officers face up to 240 currency points or 10 years imprisonment — and company directors are personally on the hook for offences they authorise.
Data subjects can sue for damages resulting from a breach. This exposure is distinct from regulatory penalties — a breach caused by a phished employee can generate simultaneous PDPO action and private-party litigation.
Where the PDPO determines publicity would protect affected data subjects, it can direct the organisation to publicise the compromise. For regulated sectors — healthcare, finance, gaming — that disclosure is often more damaging than the fine.
A breach caused by an untrained staff member does not exempt the organisation from liability. Documented, structured training is the defence — on paper, not in intent.
Every major training-relevant obligation in the Act and the 2021 Regulations maps to a specific programme component. This is the table you share with your Data Protection Officer or external auditor.
At the end of the programme year, you have a structured, timestamped evidence pack. Not raw data dumps — narrative reports, signed certificates, and verifiable logs. The below is what sits in the evidence folder.
Name, department, modules enrolled, completion dates, assessment scores, reinforcement assignments. Exportable CSV and PDF.
70% pass threshold enforced per module. First-attempt and final scores, remediation attempts, time-to-pass by cohort.
Per-campaign detail — delivered, viewed, replied, clicked, submitted credentials, reported. Department-level heatmaps and trajectory versus baseline.
Annual vishing test of reception, finance, and procurement. Script, call log, staff response, and per-recipient outcome — the drill auditors ask about but nobody runs.
Baseline (Month 1) to Month 12 risk-score timeline, per employee and per department. 12-month forecasting curves showing programme impact.
Digital acknowledgement records with timestamp, IP, and device — for data protection policies, acceptable use, and incident reporting procedures.
Kick-off, role-based workshops, and tabletop exercise. Signed attendance sheets, session recordings (where consented), facilitator debriefs.
Board-ready narrative document. Before/after comparison, department analysis, DOPA 2019 compliance statement, and Year-2 recommendations.
Signed certification for board minutes, insurance renewal, and PDPO audit response. Plus individual completion certificates for every employee.
Generic Western training content won't map to a Kampala reception desk. We author and maintain custom modules that reflect how Ugandan organisations actually get attacked — and how DOPA 2019 expects them to respond.
The most common East African social-engineering attack. A finance officer receives a WhatsApp message from what appears to be the MD's number, requesting urgent payment processing. Our module walks staff through the verification workflow required before acting — and what to log for DOPA breach assessment if it succeeds.
A hospital clerk answers the phone. The caller claims to be calling on behalf of an insurer and needs patient records faxed urgently. Our healthcare-sector module covers the data subject verification standard under Section 24 and the circumstances that justify disclosure.
Staff receive SMS or WhatsApp messages purporting to be from MTN MoMo, Airtel Money, or a bank — requesting PIN confirmation, transaction approval, or account linking. Module covers recognition, reporting, and the personal-data implications where work phones are involved.
For gaming regulators, government agencies, and licensed operators — social engineering is often attempted through ostensibly routine industry contacts. The module builds on real cases of regulatory-capture attempts and maps the response to the PDPO breach framework.
Request a proposal tailored to your organisation's sector, staff structure, and current compliance posture. We'll come back with a scoped plan for Year 1 — including baseline, content customisation, and evidence-pack targets — not a generic deck.