Ethiopia: Implemented Personal Data Protection Proclamation (Proclamation No. 1321/2024) icluding cybersecurity regulation

On 24 July 2024, the Personal Data Protection Proclamation enters into force. The Proclamation applies to public and private entities handling personal data within Ethiopia and includes security measures. The obligations of data controllers and data processors include implementing technical and organisational measures to ensure compliance with data protection regulations. These measures involve data security, record-keeping, impact assessments, prior authorisation, and appointing a data protection officer. Controllers must document personal data breaches and communicate them to data subjects within 72 hours unless certain conditions are met. The Authority may require communication of breaches and conduct security checks. Additionally, controllers and processors must maintain records of all processing operations.