Date and Time: 18 February, 2026, starting at 8:30 AM.
Location:Next Conference Centre, Next Media Park, Naguru, Kampala, Uganda
The Cybersecurity, Data Protection and Privacy Conference, also known as the #BeeraKuGuard Awareness Conference, is being hosted by the National Information Technology Authority (NITA-U) under the Uganda Digital Acceleration Project (UDAP-GovNet). The event addresses the critical need to promote cybersecurity, data protection, and privacy awareness due to the growing scale and sophistication of cyber threats, which have escalated with the nationwide increase in affordable broadband and e-services. The conference aims to promote cyber hygiene, personal data protection, and privacy best practices across the country.
Data Protection Officers (DPOs) from across the country gathered at Four Points by Sheraton, Kampala, on Wednesday, 28 January 2026, for a masterclass aimed at strengthening strategic data protection leadership. Organised by the Personal Data Protection Office (PDPO) in partnership with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the event marked the annual International Data Privacy Day and focused on helping DPOs balance compliance, risk, and business needs within their organisations.
While giving opening remarks at the masterclass, Baker Birikujja, the National Personal Data Protection Director, highlighted the everyday realities of personal data protection.
“Some of the most damaging privacy incidents do not begin with hackers,” he said. “They begin with a printed report left on a desk, a patient file discussed in an open corridor, an unlocked cabinet, or a phone call handled without discretion. Personal data exists not only online, but on paper, in recordings, photographs, CCTV footage, and everyday conversations and it deserves the same discipline and respect wherever it sits.”
He added that modern privacy management is not merely a file of policies. “It is a system of decisions, behaviors, controls, and accountability,” he said, noting that effective data protection requires attention to both digital environments such as databases, apps, and cloud services, and physical or offline environments, including paper records, filing systems, CCTV, and call recordings.
Edrine Wanyama, Programme Manager Legal at CIPESA, noted that the partnership with the PDPO was driven by a shared commitment to building strong and effective collaborations in data governance and protection. “We believe in building good partnerships, and we have actively leveraged and worked through these processes to buttress efforts,” he said. He added that data protection is central to CIPESA’s work.
He further noted that marking International Data Privacy Day through the workshop was intentional, explaining that the masterclass was designed to enhance knowledge of Data Protection Officers and build their capacity to effectively respond to emerging data protection risks and take appropriate actions
Edrine Wanyama, Programme Manager, Legal at CIPESA, explained why CIPESA partnered with PDPO; “We believe in building strong partnerships and have leveraged these collaborations over time. Data protection is central to what we do, and data is critical because it relates directly to individuals.”
He also highlighted that the timing of the masterclass on International Data Privacy Day was intentional. He noted that the workshop was designed to bring Data Protection Officers together to not only acquire knowledge but also build their capacity to effectively do their work.
The masterclass featured three key sessions. The first explored the evolving role of the DPO as a strategic advisor, covering legal mandates, independence, and repositioning from a compliance officer to a trusted advisor. The second session focused on applying a risk-based approach to data protection, helping DPOs identify high-risk processing activities, prioritise compliance actions, and use risk assessments to guide management decisions. The final session addressed balancing compliance, risk, and business needs, equipping DPOs with strategies to advise leadership in clear business language, support innovation, and document recommendations effectively.
The sessions come against a backdrop of broader challenges for DPOs in Uganda. A recent PDPO training needs assessment conducted by the PDPO in November 2022, revealed that around 90.6% of DPOs lack formal certification in data protection and privacy, and only a small proportion have technical or legal backgrounds. Many officers are also less involved in core compliance tasks such as audits, breach reporting, and managing data protection complaints. These findings highlight the continued importance of professional development and knowledge-sharing forums like this masterclass.
By convening DPOs on International Data Privacy Day, PDPO and CIPESA emphasised the need for proactive privacy leadership in safeguarding personal data and maintaining public trust. Participants were equipped with practical tools to advise management, manage data protection risks, and integrate privacy considerations into organisational practices.
The masterclass is part of PDPO’s ongoing efforts to foster a culture of responsible data governance in Uganda, ensuring that personal data protection extends beyond regulatory compliance to build public confidence in the country’s growing digital economy.
Following the sessions, participants agreed on collective actions to:
Prioritise privacy-by-design and continually engage in robust cybersecurity practices aimed at protecting and securing individuals’ personal data.
Develop internal data protection policies to guide the implementation of data practices and ensure personal data protection.
Keep abreast of technological developments, including AI, and ensure minimisation of risks associated with it for progressive data protection.
Conduct staff and customer tailored trainings and raise awareness amongst them on data protection and the need to safeguard their data.
Ensure that as DPOs, they take on pivotal leadership over data protection to ensure compliance with the data protection principles and protection of data protection rights.
Hold all perpetrators of data breaches accountable for their actions in order to deter any further similar breaches by errant data controllers and processors.
Conduct regular data mapping and maintain up-to-date records of processing activities to understand what data is in their possession and how to rightly handle it in the changing technological and business spaces.
Foster collaboration across teams and recognise that privacy cannot be managed in isolation but through joint responsibility and efforts.
Recognise their central role in the compliance and reporting function to ensure the establishment of safeguards that protect their organisations from reputational, legal, and financial harms.
Ugandan journalists are increasingly facing intertwined physical and digital threats which intensify during times of public interest including elections and protests. These threats are compounded by internet shutdowns, targeted surveillance, account hacking, online harassment, and regulatory censorship that directly undermines their safety and work. A study on the Daily Monitor’s experience found that the 2021 general election shutdown constrained news gathering, data-driven reporting, and online distribution, effectively acting as digital censorship. These practices restrict news gathering, production, and dissemination and have been documented repeatedly from the 2021 general election through the run‑up to the 2026 polls.
Over the years, CIPESA has documented digital rights violations, challenged internet shutdowns, and worked directly with media practitioners to strengthen their ability to operate safely and independently. This work has deepened as the threats to journalism have evolved.
In recent months CIPESA has conducted extensive journalist safety and digital resilience trainings across the country, reaching more than 200 journalists from diverse media houses and districts across the country, in the Acholi subregion (Gulu, Kitgum, Amuru, Lamwo, Agago, Nwoya, Pader, and Omoro), Ankole sub region (Buhweju, Bushenyi, Ibanda, Isingiro, Kazo, Kiruhura, Mbarara (City & District), Mitooma, Ntungamo, Rubirizi, Rwampara, and Sheema), Central (Kampala, Wakiso), Busoga Region (Bugiri, Bugweri, Buyende, Iganga, Jinja, Kaliro, Kamuli, Luuka, Mayuge, Namayingo, and Namutumba), and the Elgon, Bukedi, and Teso subregions (Mbale, Bududa, Bulambuli, Manafwa, Namisindwa, Sironko, Tororo, Busia, Butaleja, Kapchorwa, Soroti, and Katakwi).
The trainings aimed to strengthen the capacity of media actors to mitigate digital threats and push back against rising online threats and censorship that enable digital authoritarianism. The training was central to helping journalists and the general media sector to understand media’s role in democratic and electoral processes, ensure legal compliance and navigate common restrictions, buttressing their digital and physical security resilience, enhancing the skills to identify and counter disinformation and facilitating the newsroom safety frameworks for the media sector.
The various trainings were tailored to respond to the needs of the journalists, covering media, democracy, and elections; electoral laws and policies; and peace journalism, with attention to transparent reporting and the effects of military presence on journalism in post-conflict settings.
Meanwhile, in Mbale and Jinja, reporters unpacked election-day risks, misinformation circulating on social media, and the legal boundaries that are often used to intimidate them. Across the different regions, newsroom managers, editors and reporters worked through practical exercises on digital hygiene, safer communication, and physical-digital risk intersections.
CIPESA’s digital security trainings respond to the real conditions journalists work under. The sessions focus on election-day and post-election reporting, verifying information and claims under pressure, protecting sources, and strengthening everyday digital security through strong passwords, two-factor authentication, and safe device handling. Journalists also develop newsroom safety protocols and examine how peace journalism can help de-escalate tension rather than inflame it during contested political moments
One of the most important shifts for the participants, came from the perspective that safety stopped being treated as an individual burden and started being understood as an organisational responsibility. Through protocol-development sessions, journalists mapped threats, identified vulnerabilities such as predictable routines and weak passwords, and designed “if-then” responses for incidents like account hacking, detention, or device theft. For many journalists, this was the first time safety had been written down rather than improvised.
Beyond the training for journalists, CIPESA hosted several digital security clinics and help desks for human rights defenders and activists. At separate engagements, close to 70 journalists received one-on-one support during a digital security clinic at Ukweli Africa held from the 15 December 2025 including the at the Uganda Media Week. These efforts sought to enhance their digital security practices. The support provided during these interventions included checking the journalists’ devices for vulnerabilities, removal of malware, securing accounts, enabling encryption, and secure data management approaches.
“Some journalists who had arrived unsure, even embarrassed, about their digital habits, left lighter, not because the risks had vanished, but because they now understood the tools and how to manage risks.”
These engagements serve as avenues to build the digital resilience of journalists in Uganda, especially as the media faces heightened online threats amidst a shrinking civic space.Such trainings that speak the language of lived experience often travel further than any policy alone. In Uganda, where laws can be used to narrow civic space, where the internet can be switched off, and where surveillance blurs the line between public and private, practical digital security becomes a necessity.
By training journalists across Uganda, supporting them through digital security desks, and standing with them during moments like Media Week, CIPESA has helped journalists strengthen their resilience to keep reporting in spite of the challenges and threats they encounter daily.
As Artificial Intelligence (AI) rapidly transforms Africa’s digital landscape, it is crucial that digital governance and oversight align with ethical principles, human rights, and societal values.
Multi-stakeholder and participatory regulatory sandboxes to test innovative technology and data practices are among the mechanisms to ensure ethical and rights-respecting AI governance. Indeed, the African Union (AU)’s Continental AI Strategy makes the case for participatory sandboxes and how harmonised approaches that embed multistakeholder participation can facilitate cross-border AI innovation while maintaining rights-based safeguards. The AU strategy emphasises fostering cooperation among government, academia, civil society, and the private sector.
As of October 2024, 25 national regulatory sandboxes have been established across 15 African countries, signalling growing interest in this governance mechanism. However, there remain concerns on the extent to which African civil society is involved in contributing towards the development of responsive regulatory sandboxes. Without the meaningful participation of civil society in regulatory sandboxes, AI governance risks becoming a technocratic exercise dominated by government and private actors. This creates blind spots around justice and rights, especially for marginalised communities.
At DataFest25, a data rights event hosted annually by Uganda-based civic-rights organisation Pollicy, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), alongside the Datashphere Initiative, hosted a session on how civil society can actively shape and improve AI governance through regulatory sandboxes.
Regulatory sandboxes, designed to safely trial new technologies under controlled conditions, have primarily focused on fintech applications. Yet, when AI systems that determine access to essential services such as healthcare, education, financial services, and civic participation are being deployed without inclusive testing environments, the consequences can be severe.
The Global Index on Responsible AI found that civil society organisations (CSOs) in Africa are playing an “outsized role” in advancing responsible AI, often surpassing government efforts. These organisations focus on gender equality, cultural diversity, bias prevention, and public participation, yet they face significant challenges in scaling their work and are frequently sidelined from formal governance processes. The consequences that follow include bias and exclusion, erosion of public trust, surveillance overreach and no recourse mechanisms.
However, when civil society participates meaningfully from the outset, AI governance frameworks can balance innovation with justice. Rwanda serves as a key example in the development of a National AI Policy framework through participatory regulatory processes.
Case Study: Rwanda’s Participatory AI Policy Development
The development of Rwanda’s National AI Policy (2020-2023) offers a compelling model for inclusive governance. The Ministry of ICT and Innovation (MINICT) and Rwanda Utilities Regulatory Agency (RURA), supported by GIZ FAIR Forward and The Future Society, undertook a multi-stakeholder process to develop the policy framework. The process, launched with a collective intelligence workshop in September 2020, brought together government representatives, private sector leaders, academics, and members of civil society to identify and prioritise key AI opportunities, risks, and socio-ethical implications. The Policy has since informed the development of an inclusive, ethical, and innovation-driven AI ecosystem in Rwanda, contributing to sectoral transformation in health and agriculture, over $76.5 million in investment, the establishment of a Responsible AI Office, and the country’s role in shaping pan-African digital policy.
By embedding civil society in the process from the outset, Rwanda ensured that its AI governance framework, which would guide the deployment of AI within the country, was evaluated not just for performance but for justice. This participatory model demonstrates that inclusive AI governance through multi-stakeholder regulatory processes is not just aspirational; it’s achievable.
Rwanda’s success demonstrates the power of participatory AI governance, but it also raises a critical question: if inclusive regulatory processes yield better outcomes for AI-enabled systems, why do they remain so rare across Africa? The answer lies in systemic obstacles that prevent civil society from accessing and influencing sandbox and regulatory processes.
Consequences of Excluding CSOs in AI Regulatory Sandbox Development???
The CIPESA-DataSphere session explored the various obstacles that civil society faces in the AI regulatory sandbox processes in Africa as it sought to establish ways to advance meaningful participation.
The session noted that CSOs are often simply unaware that regulatory sandboxes exist. At the same time, authorities bear responsibility for proactively engaging civil society in such processes. Participants emphasised that civil society should also take proactive measures to demand participation as opposed to passively waiting for an invitation.
The proactive measures by CSOs must move beyond a purely activist or critical role, developing technical expertise and positioning themselves as co-creators rather than external observers.
Several participants highlighted the absence of clear legal frameworks governing sandboxes, particularly in African contexts. Questions emerged: What laws regulate how sandboxes operate? Could civil society organisations establish their own sandboxes to test accountability mechanisms?
Perhaps most critically, there’s no clearly defined role for civil society within existing sandbox structures. While regulators enter sandboxes to provide legal oversight and learn from innovators, and companies bring solutions to test and refine, civil society’s function remains ambiguous with vague structural clarity about their role. This risks civil society being positioned as an optional stakeholder rather than an essential actor in the process.
Case Study: Uganda’s Failures Without Sandbox Testing
Uganda’s recent experiences illustrate what happens when digital technologies are deployed without inclusive regulatory frameworks or sandbox testing.Although not tested in a sandbox—which, according to Datasphere Initiative’s analysis, could have made a difference given sandboxes’ potential as trust-building mechanisms for DPI systems– Uganda’s rollout of Digital ID has been marred by controversy. Concerns include the exclusion of poor and marginalised groups from access to fundamental social rights and public services. As a result, CSOs sued the government in 2022. A 2023 ruling by the Uganda High Court allowed expert civil society intervention in the case on the human rights red flags around the country’s digital ID system, underscoring the necessity of civil society input in technology governance.
Similarly, Uganda’s rushed deployment of its Electronic Payment System (EPS) in June 2025 without participatory testing led to public backlash and suspension within one week. CIPESA’s research on digital public infrastructure notes that such failures could have been avoided through inclusive policy reviews, pre-implementation audits, and transparent examination ofalgorithmic decision-making processes and vendor contracts.
Uganda’s experience demonstrates the direct consequences of the obstacles outlined above: lack of awareness about the need for testing, failure to shift mindsets about who belongs at the governance table, and absence of legal frameworks mandating civil society participation. The result? Public systems that fail to serve the public, erode trust, and costly reversals that delay progress far more than inclusive design processes would have.
Models of Participatory Sandboxes
Despite the challenges, some African countries are developing promising approaches to inclusive sandbox governance. For example, Kenya’s Central Bank established a fintech sandbox that has evolved to include AI applications in mobile banking and credit scoring. Kenya’s National AI Strategy 2025-2030 explicitly commits to “leveraging regulatory sandboxes to refine AI governance and compliance standards.” The strategy emphasises that as AI matures, Kenya needs “testing and sandboxing, particularly for small and medium-sized platforms for AI development.”
However, Kenya’s AI readiness Index 2023 reveals gaps in collaborative multi-stakeholder partnerships, with “no percentage scoring” recorded for partnership effectiveness in the AI Strategy implementation framework. This suggests that, while Kenya recognises the importance of sandboxes, implementation challenges around meaningful participation remain.
Kenya’s evolving fintech sandbox and the case study from Rwanda above both demonstrate that inclusive AI governance is not only possible but increasingly recognised as essential.
Pathways Forward: Building Truly Inclusive Sandboxes
Session participants explored concrete pathways toward building truly inclusive regulatory sandboxes in Africa. The solutions address each of the barriers identified earlier while building on the successful models already emerging across the continent.
Creating the legal foundation
Sandboxes cannot remain ad hoc experiments. Participants called for legal frameworks that mandate sandboxing for AI systems. These frameworks should explicitly require civil society involvement, establishing participation as a legal right rather than a discretionary favour. Such legislation would provide the structural clarity currently missing—defining not just whether civil society participates, but how and with what authority.
Building capacity and awareness
Effective participation requires preparation. Participants emphasised the need for broader and more informed knowledge about sandboxing processes. This includes developing toolkits and training programmes specifically designed to build civil society organisation capacity on AI governance and technical engagement. Without these resources, even well-intentioned inclusion efforts will fall short.
Institutionalise cross-sector learning.
Rather than treating each sandbox as an isolated initiative, participants proposed institutionalising sandboxes and establishing cross-sector learning hubs. These platforms would bring together regulators, innovators, and civil society organisations to share knowledge, build relationships, and develop a common understanding about sandbox processes. Such hubs could serve as ongoing spaces for dialogue rather than one-off consultations.
Redesigning governance structures
True inclusion means shared power. Participants advocated for multi-stakeholder governance models with genuine shared authority—not advisory roles, but decision-making power. Additionally, sandboxes themselves must be transparent, adequately resourced, and subject to independent audits to ensure accountability to all stakeholders, not just those with technical or regulatory power.
The core issue is not if civil society should engage with regulatory sandboxes, but rather the urgent need to establish the legal, institutional, and capacity frameworks that will guarantee such participation is both meaningful and effective.
Academic research further argues that sandboxes should move beyond mere risk mitigation to “enable marginalised stakeholders to take part in decision-making and drafting of regulations by directly experiencing the technology.” This transforms regulation from reactive damage control to proactive democratic foresight.
Civil society engagement:
Surfaces lived experiences regulators often miss.
Strengthens legitimacy of governance frameworks.
Pushes for transparency in AI design and data use.
Ensures frameworks reflect African values and protect vulnerable communities, and
Enables oversight that prevents exploitative arrangements
While critics often argue that broad participation slows innovation and regulatory responsiveness, evidence suggests otherwise. For example, Kenya’s fintech sandbox incorporated stakeholder feedback through 12-month iterative cycles, which not only accelerated the launch of innovations but also strengthened the country’s standing as Africa’s premier fintech hub.
The cost of exclusion can be seen in Uganda’s EPS system, the public backlash, eroded trust, and potential system failure, ultimately delaying progress far more than inclusive design processes. The window for embedding participatory principles is closing. As Nigeria’s National AI Strategy notes, AI is projected to contribute over $15 trillion to global GDP by 2030. African countries establishing AI sandboxes now without participatory structures risk locking in exclusionary governance models that will be difficult to reform later.
The future of AI in Africa should be tested for justice, not just performance. Participatory regulatory sandboxes offer a pathway to ensure that AI governance reflects African values, protects vulnerable communities, and advances democratic participation in technological decision-making.
Join the conversation! Share your thoughts. Advocate for inclusive sandboxes. The decisions we make today about who participates in AI governance will shape Africa’s digital future for generations.
The AU-NEPAD and GIZ in collaboration with CIPESA are pleased to convene this three-day capacity-building and stakeholder engagement workshop to support the Government of Uganda in its data governance journey.
The three-day workshop will focus on providing insights into data governance and the transformative potential of data to drive equitable socio-economic development, empower citizens, safeguard collective interests, and protect digital rights in Uganda. This will include aspects on foundational infrastructure, data value creation and markets, legitimate and trustworthy data systems, data standards and categorisation, and data governance mechanisms.
Participants will critically evaluate regulatory approaches, institutional frameworks, and capacity-building strategies necessary to harnessing the power of data for socio-economic transformation and regional integration, in line with the African Union Data Policy Framework.
The workshop will take place from November 19th to 21st, 2025.
