Last updated: 24 May 2026
Understanding how to report a data breach in Uganda online is now a frontline compliance obligation for every organisation that collects, stores or processes personal data within the country. The Personal Data Protection Office (PDPO Uganda) operates a dedicated data protection office portal where controllers submit Form 7, Notification of Data Breach, and the regulator’s enforcement posture has sharpened considerably since its landmark 2025 findings against multinational technology companies.
This guide walks data protection officers, in-house counsel and IT security managers through every stage of the breach notification process: who must act, what Form 7 requires field by field, the statutory timelines under the Data Protection and Privacy Act Uganda (the DPPA), available escalation channels, and the penalties that follow non-compliance.
You report a data breach in Uganda online through the PDPO portal at pdpo.go.ug, using the “File Complaint / Report a Breach” function and completing Form 7 (Notification of Data Breach). The data controller bears primary responsibility for the notification. Processors must inform the controller without undue delay so that the controller can submit Form 7 to the PDPO. Where the breach is likely to result in high risk to the rights and freedoms of affected individuals, the controller must also notify those data subjects directly. Internally, your organisation should contain the incident immediately, within hours of discovery, and then file the PDPO notification as soon as practicable.
Failure to report can trigger administrative penalties, compliance orders and reputational damage under the DPPA.
Uganda’s data breach notification requirements are anchored in the Data Protection and Privacy Act, 2019 (the DPPA). The Act places mandatory obligations on data controllers and processors to safeguard personal data and to report breaches that compromise its confidentiality, integrity or availability. The DPPA applies to all organisations, whether incorporated in Uganda or processing the data of persons located in Uganda, and covers both the public and private sectors. Its provisions establish the legal framework within which breach notification in Uganda operates.
The Personal Data Protection Office (PDPO), established under the DPPA, is the primary supervisory authority. Housed within the National Information Technology Authority, Uganda (NITA-U), the PDPO receives breach reports, investigates complaints, issues compliance orders and imposes penalties. NITA-U itself provides the broader ICT governance framework and operates complementary data-protection obligations for government bodies. The Uganda Communications Commission (UCC) handles cybercrime and telecommunications-related offences, making it a parallel reporting channel where criminal activity, such as ransomware or hacking, is involved. Organisations should understand which regulator to approach first: for data privacy breaches, the PDPO; for cybercrime, UCC and law enforcement.
A critical early step after discovering a breach is determining who holds the notification obligation. The DPPA draws a clear line between the data controller (the entity that determines the purposes and means of processing) and the data processor (the entity that processes data on the controller’s behalf). The table below sets out the primary duties and practical actions each party must take.
| Entity Type | Primary Legal Duties on Breach | Practical Immediate Actions |
|---|---|---|
| Controller | Notify PDPO via Form 7 if the breach is likely to pose risk to data subjects; notify affected individuals where required; maintain an internal breach register. | Activate incident-response plan; gather evidence (logs, forensic report); complete Form 7; obtain legal review; issue individual notifications where necessary. |
| Processor | Inform the controller without undue delay upon becoming aware of the breach; assist the controller with investigation and mitigation. | Contain the breach at source; preserve system logs and access records; compile a timeline and evidence pack for the controller. |
| Joint Controllers / Third Parties | Determine the lead controller per the data-processing agreement; allocate Form 7 submission and communications responsibilities. | Confirm contractual roles; appoint lead organisation for PDPO notification; coordinate messaging to data subjects. |
A processor that becomes aware of a personal data breach must alert its controller without undue delay. The notification should include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures the processor has already taken to contain the incident. In practice, data-processing agreements should set a tighter contractual window, commonly 24 to 48 hours, to give the controller sufficient time to assess the breach and file Form 7 with the PDPO. Processors that delay or suppress breach information face potential contractual liability and regulatory scrutiny.
Once a controller receives a breach notice from its processor, it must independently evaluate the severity, scope and risk to data subjects. If the breach is likely to result in risk to individuals’ rights and freedoms, the controller must file Form 7 with the PDPO and consider whether direct notification to affected data subjects is also required. The controller should document every decision, including any decision not to notify, in its internal breach register. This record becomes vital if the PDPO later investigates or audits the organisation’s compliance posture.
The data protection office portal at pdpo.go.ug is the single official channel for submitting a Form 7 notification of data breach to the regulator. Below is a detailed, step-by-step walkthrough designed for compliance officers filing for the first time.
Before accessing the portal, assemble the evidence and information the form will ask for: the incident timeline, log extracts and access records, any forensic findings, and the categories and approximate number of data subjects affected.
Navigate to pdpo.go.ug and locate the “File Complaint” or “Report a Breach” link, typically displayed on the homepage navigation bar. Registered organisations can log in with their existing PDPO credentials; first-time users may need to create an account or submit as a guest, depending on current portal settings. Industry observers note that the PDPO has progressively streamlined the portal interface since its initial launch, which was covered by UNCDF when the platform first went live.
Once inside the portal, select the breach-reporting function (as distinct from general complaints about data misuse). The system will present Form 7, Notification of Data Breach. This is the prescribed form under the DPPA for controllers to formally report a breach to the PDPO. Confirm the entity name, registration number (if applicable) and proceed to the form fields.
Form 7 asks for the facts of the breach: what happened and how it was discovered, the dates of the breach and of discovery, the categories of data and the approximate number of data subjects affected, the likely consequences, the measures taken to contain and mitigate the incident, whether individuals have been notified, and the organisation’s contact details (the same headings used in the sample entry later in this guide). Provide clear, factual answers; avoid speculation or minimisation.
Upload supporting documents: the incident report, relevant log extracts, forensic analysis summaries and copies of any communications sent to affected individuals. Redact any data that is not necessary for the PDPO’s assessment, for example, mask full national ID numbers in sample records, and keep the unredacted originals in your internal evidence store so that the attachment can later be reconciled with them. Use PDF or the other standard file formats accepted by the portal.
Review all entries, then submit. The portal should generate a confirmation reference number. Save this immediately, take a screenshot and store the reference in your breach register. This reference will be needed for all follow-up correspondence with the PDPO. Retain a complete copy of the submitted Form 7 and all attachments in your organisation’s records.
Sample language for selected Form 7 fields, illustrating the level of detail the PDPO expects, is set out in the worked extract further below.
The DPPA requires controllers to notify the PDPO of a qualifying breach without undue delay. While the Act does not prescribe a rigid hour count in the way that the EU’s GDPR specifies 72 hours, the practical expectation, informed by PDPO guidance and comparative regional standards, is that organisations should aim to submit Form 7 within 48 to 72 hours of becoming aware of a breach that is likely to pose risk. The phrase “without undue delay” means that unjustified postponement will itself be treated as a compliance failure.
| Action | Who Acts | Deadline / Guidance |
|---|---|---|
| Contain and record the incident | Controller / Processor | Immediately, within hours of discovery |
| Notify PDPO (Form 7) | Controller (or lead controller) | Without undue delay; aim for 48–72 hours from awareness |
| Notify affected individuals | Controller | Without undue delay if the breach is likely to pose a high risk to rights and freedoms |
| Report to law enforcement (Police / UCC) | Controller / IT | Immediately if criminal activity suspected (ransomware, fraud, hacking); can be simultaneous with PDPO filing |
Individual notification is required when the breach is likely to result in a high risk to the rights and freedoms of data subjects, for example, where identity documents, financial data or health records have been exposed. The notification should be in plain language and must include: a description of the breach, the types of data involved, the likely consequences, the measures taken, and clear contact details for the organisation’s data protection officer. Early indications suggest the PDPO favours proactive individual notification as a mitigating factor during enforcement reviews.
If the breach involves criminal conduct, hacking, ransomware, fraud or sabotage, the organisation should report simultaneously to the Uganda Police Force (CID, Electronic Crimes Unit) and the Uganda Communications Commission (UCC). The UCC maintains guidance on cybercrime reporting through its fraud and complaints channels. Reporting to law enforcement does not replace the obligation to file Form 7 with the PDPO; both tracks should proceed in parallel. For breaches within government agencies, NITA-U may additionally coordinate the response under its mandate for public-sector ICT governance. Organisations operating in regulated sectors, such as banking or telecommunications, may also have sector-specific reporting obligations to the relevant industry regulator.
The DPPA provides the PDPO with a range of enforcement powers. These include issuing compliance notices, ordering cessation of data-processing activities, imposing administrative fines and, in serious cases, recommending criminal prosecution. Organisations that fail to report a breach, obstruct an investigation or repeatedly violate data protection obligations face the heaviest sanctions.
The PDPO’s enforcement posture has intensified. On 18 July 2025, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) reported that the PDPO issued findings against Google for breaching Uganda’s data protection law, including a failure to register locally, and ordered the company to comply with registration and other DPPA requirements. This decision signalled that even global technology companies are not beyond the PDPO’s reach and that registration and breach-reporting compliance are being actively monitored.
Separately, the civil society organisation Unwanted Witness published an investigation report into a data security breach at the Uganda Securities Exchange (USE), detailing how personal and financial data of investors was exposed. The investigation highlighted weaknesses in incident-response preparedness and the importance of timely regulator notification. Industry observers expect these cases to set the tone for stricter enforcement through 2026 and beyond.
After filing Form 7 with the PDPO, your obligations continue: keep the breach register current, quote the portal confirmation reference in all follow-up correspondence with the PDPO, complete any individual notifications still outstanding, and retain the submitted form and attachments.
The DPPA requires controllers to maintain a register of all data breaches, regardless of whether a PDPO notification was triggered. Each entry should record the facts of the breach, its effects and the remedial action taken, together with every decision made, including any decision not to notify. In practice organisations should retain breach records for a minimum period aligned with general regulatory limitation periods, typically five to seven years, unless the PDPO specifies otherwise. This register may be requested during PDPO audits or follow-up investigations and serves as evidence of an organisation’s overall compliance culture in Uganda.
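The redaction step in the portal walkthrough and the breach register described above are routinely done by hand, which is where mistakes creep in: an unmasked identifier ends up in an attachment, or the record of when the controller became aware and when Form 7 was filed is reconstructed after the fact. The following Python script is an added example written for this guide, not PDPO tooling and not code from the article’s author. It masks the identifier fields of sample records before they are attached, hashes both the retained original and the redacted copy so either can be verified later, and keeps a register entry that tracks the Form 7 deadline and logs every decision. The 24-hour processor window and the 72-hour Form 7 target are the practical figures quoted in this guide, not statutory hour counts; the record layout, the field names (`nin`, `phone`) and the sample data are constructed for illustration and make no assumption about the real national ID format.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Windows taken from this guide, not from the DPPA text: a 24-hour contractual
# processor-to-controller window and a 72-hour Form 7 target from awareness.
PROCESSOR_WINDOW = timedelta(hours=24)
PDPO_TARGET = timedelta(hours=72)

# Fields masked before a sample record is attached to Form 7. "nin" stands for
# the national ID number; masking keeps only the last three characters and
# assumes nothing about the real NIN format.
MASK_FIELDS = ("nin", "phone")


def mask_value(value, keep=3):
    """Replace all but the last `keep` characters with asterisks."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def redact_records(records):
    """Return copies of the records that are safe to upload; originals are untouched."""
    return [
        {k: (mask_value(v) if k in MASK_FIELDS else v) for k, v in rec.items()}
        for rec in records
    ]


def sha256_of(obj):
    """SHA-256 over canonical JSON, so the retained original and the uploaded
    redacted copy can each be verified against the register later."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def hours_after(moment, hours):
    """Small helper so deadlines can be expressed relative to discovery."""
    return moment + timedelta(hours=hours)


@dataclass
class BreachRegisterEntry:
    discovered_at: datetime          # when the controller became aware
    nature: str
    subjects_affected: int
    original_sha256: str             # hash of the unredacted evidence, kept internally
    redacted_sha256: str             # hash of the attachment actually uploaded
    pdpo_reference: str = ""         # portal confirmation number, once issued
    pdpo_filed_at: datetime | None = None
    decisions: list = field(default_factory=list)

    def pdpo_deadline(self):
        return self.discovered_at + PDPO_TARGET

    def status(self, now):
        """pending / overdue before filing; filed_on_time / filed_late afterwards."""
        if self.pdpo_filed_at is None:
            return "overdue" if now > self.pdpo_deadline() else "pending"
        return "filed_on_time" if self.pdpo_filed_at <= self.pdpo_deadline() else "filed_late"

    def record_decision(self, when, text):
        """Every decision, including a decision not to notify, goes on the record."""
        self.decisions.append({"at": when.isoformat(), "decision": text})

    def file_with_pdpo(self, when, reference):
        self.pdpo_filed_at = when
        self.pdpo_reference = reference
        self.record_decision(when, f"Form 7 submitted, PDPO ref {reference}")


def processor_alert_was_late(processor_aware_at, controller_told_at):
    """True if the processor missed the assumed 24-hour contractual window."""
    return controller_told_at - processor_aware_at > PROCESSOR_WINDOW


def build_entry(discovered_at, nature, records):
    """Create a register entry plus the redacted attachment from raw evidence records."""
    redacted = redact_records(records)
    entry = BreachRegisterEntry(
        discovered_at=discovered_at,
        nature=nature,
        subjects_affected=len(records),
        original_sha256=sha256_of(records),
        redacted_sha256=sha256_of(redacted),
    )
    return entry, redacted


# Constructed sample records; the NIN and phone values are placeholders, not real data.
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.ug", "phone": "+256700000001", "nin": "CM90012345678X"},
    {"name": "B. Example", "email": "b@example.ug", "phone": "+256700000002", "nin": "CF91098765432Y"},
]
DISCOVERED = datetime(2026, 3, 14, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    entry, attachment = build_entry(DISCOVERED, "Unauthorised access via SQL injection", SAMPLE_RECORDS)
    entry.file_with_pdpo(hours_after(DISCOVERED, 30), "EXAMPLE-REF")  # placeholder reference
    print(json.dumps(attachment, indent=2))
    print(entry.status(hours_after(DISCOVERED, 80)), entry.decisions)
```

Run it as is to see the redacted attachment and a `filed_on_time` status; change the filing time to 80 hours after discovery to see `filed_late`. The two hashes are what you would record in the register and quote to the PDPO if it ever asks whether the attachment matches the evidence you retained.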
Organisation: [Company Name] | PDPO Registration No.: [If applicable]
Date of breach: 14 March 2026 | Date discovered: 14 March 2026
Nature: Unauthorised access to customer database via SQL injection
Data compromised: Full names, email addresses, phone numbers (approx. 12,000 customers)
Likely consequences: Moderate risk of phishing; low risk of financial loss (no payment data exposed)
Mitigation: Vulnerability patched; passwords force-reset; forensic firm engaged; enhanced WAF rules deployed
Individual notification: Sent by email on 15 March 2026
Contact: [DPO Name], [Email], [Phone]
Dear [Name],
We are writing to inform you of a data security incident that may have affected your personal information. On [date], we identified unauthorised access to a system that contained your [types of data]. We have taken immediate steps to contain the incident, including [brief mitigation summary]. Based on our assessment, the main risk to you is [describe risk, e.g., potential phishing emails]. We recommend that you [change your password / monitor your accounts / remain alert to suspicious communications]. If you have questions, please contact our Data Protection Officer at [email] or [phone]. We have also reported this incident to the Personal Data Protection Office (PDPO).
Data breach response in Uganda demands swift coordination between legal, technical and compliance teams. If your organisation has experienced a breach, or wants to build a robust incident-response framework before one occurs, specialist legal guidance is essential. The Uganda lawyer directory on Global Law Experts connects organisations with TMT and data protection practitioners who advise on PDPO filings, cross-border transfer risks and regulatory investigations. Whether you need immediate incident-response support, assistance completing Form 7, or a comprehensive review of your data protection compliance programme, engaging experienced Ugandan counsel early is the most effective way to protect your organisation. Browse the Uganda legal directory to find a qualified practitioner.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Brian Kalule at Af Mpanga Advocates, a member of the Global Law Experts network.