Sector Analysis

Banks & Finance

Overview of the Sector & Data Collectors Evaluated

The banking and finance sector remains a cornerstone of economic activity, underpinning access to savings, credit, payments, and investment services. Given the volume and sensitivity of personal and financial data processed by banks and other financial institutions, effective compliance with data protection laws and robust data security practices are fundamental. The sector therefore carries a heightened responsibility to safeguard customer information against misuse, unauthorised access, and data breaches, particularly as financial services become increasingly digitised.

In East Africa, countries such as Uganda, Kenya, and Tanzania host relatively mature banking ecosystems comprising both domestic and multinational institutions. Kenya continues to stand out for its leadership in digital and mobile financial services, most notably through platforms such as M-Pesa, which have significantly expanded financial inclusion while simultaneously increasing the scale and complexity of personal data processing. Rwanda's banking sector has also expanded rapidly in recent years, supported by regulatory reforms and state-led digitalisation efforts aimed at modernising financial services.

Mauritius maintains its position as a regional financial hub, with a well-established and internationally oriented banking sector that attracts cross-border investment and operates within a comparatively structured regulatory environment. The inclusion of Nigeria and Ghana broadens the assessment to West Africa's largest and most dynamic financial markets. Nigeria's banking sector is among the most developed on the continent, characterised by large, technology-driven institutions with extensive digital banking platforms and regional footprints. Ghana similarly hosts a growing and competitive financial services sector, supported by regulatory reforms and increased adoption of digital banking and payment systems.

Botswana adds a Southern African perspective marked by a relatively stable financial system and a strong presence of regional and international banks operating under evolving data protection frameworks. Zimbabwe's banking sector continues to operate under challenging economic conditions, including currency volatility and constrained consumer confidence. Despite these pressures, financial institutions remain central to domestic and cross-border financial transactions, making the protection of personal and financial data especially critical in a fragile operating environment.

Across all assessed countries, the banking and finance sector is increasingly prioritising digital service delivery, regulatory compliance, and data governance as core components of consumer trust and market stability. This evaluation examines a cross-section of banks and financial institutions, focusing on transparency, regulatory adherence, and the strength of privacy and data protection practices. In the context of an increasingly data-driven financial ecosystem, the findings provide insight into how effectively institutions are protecting customer privacy, where progress has been made, and where further reforms are necessary to align practices with national data protection laws and evolving global standards.

Analysis of Compliance With Each Criterion

The assessment for this sector draws on data from a total of 36 companies, with four (4) companies selected from each participating country. These included: Zenith Bank, GT Bank (Guaranty Trust Holding), UBA Nigeria, and Access Bank Nigeria from Nigeria; Ecobank Ghana, GCB Ghana, Stanbic Ghana, and ABSA Ghana from Ghana; First National Bank, Absa Botswana, Stanbic Bank Botswana, and Standard Chartered Bank Botswana from Botswana; Bank of Kigali, Access Bank Rwanda, Equity Bank Rwanda, and Ecobank Rwanda from Rwanda; NMB Bank, Equity Bank Tanzania, Stanbic Bank Tanzania, and NBC Bank Tanzania from Tanzania; ABSA Bank Mauritius, Swan Life Limited, SBM Bank (Mauritius) Limited, and Bank of Baroda Mauritius from Mauritius; Empower Bank, CBZ Bank, Stanbic Bank Zimbabwe, and NMB Bank from Zimbabwe; Stima Sacco, Equity Bank Kenya, ABSA Kenya, and KCB Bank from Kenya; and Stanbic Bank Uganda, Pride Microfinance, ABSA Bank Uganda, and Centenary Bank from Uganda.

Findings - Banks & Finance Sector

Banks & Finance - Nigeria

Zenith Bank, GT Bank (Guaranty Trust Holding), UBA Nigeria and Access Bank Nigeria from Nigeria



All assessed banks demonstrated full compliance with registration requirements under the national data protection regulator, each attaining a perfect score (100%). This reflects a strong baseline commitment to formal regulatory compliance and provides an important foundation for lawful personal data processing. In addition, all institutions showed considerable effort in making their privacy policies accessible, with each scoring 88%. While this indicates a shared recognition of transparency obligations, accessibility alone does not necessarily translate into comprehensive or user-friendly disclosure of data practices.

With respect to data subject rights, performance varied more noticeably across the banks. UBA Nigeria emerged as the strongest performer (85%), suggesting relatively clearer mechanisms for enabling customer rights such as access, correction, and deletion of personal data. Zenith Bank (69%), Access Bank Nigeria (67%), and GT Bank (63%) followed, indicating moderate but uneven implementation of rights-based safeguards. These results imply that, although awareness of data subject rights exists across the sector, their practical enforcement remains inconsistent, potentially limiting customers' ability to exercise rights guaranteed under data protection laws.

All banks were found to share personal data with third parties, a common practice in the financial sector given outsourcing, partnerships, and regulatory reporting obligations. However, compliance in this area was notably weak. UBA Nigeria, despite leading, achieved only 38%, followed by Access Bank Nigeria (34%), Zenith Bank (14%), and GT Bank (6%). These low scores point to insufficient transparency around the scope, purpose, and safeguards governing third-party data transfers, raising concerns about accountability and lawful processing, particularly where cross-border data flows may be involved.

In contrast, data security emerged as a relative strength. Zenith Bank and Access Bank Nigeria both scored highly (89%), reflecting robust technical and organisational measures to protect personal and financial data. GT Bank also performed well (78%), while UBA Nigeria lagged comparatively at 61%. Strong security controls are critical for the banking sector, and these results suggest that most institutions prioritise protection against unauthorised access and breaches, even where other aspects of compliance are weaker.

Transparency reporting and breach governance, however, remain significant gaps. Only Zenith Bank and UBA Nigeria had published transparency reports, indicating limited sector-wide commitment to proactive accountability and public disclosure of data handling practices. Moreover, all banks showed very low compliance with internal data breach resolution mechanisms. UBA Nigeria led with 42%, followed by Access Bank Nigeria at 33%, while the remaining banks scored 0%. This suggests that, despite strong security measures, most institutions lack clear, documented procedures for detecting, managing, and notifying stakeholders of data breaches, a core requirement under data protection laws.

Overall, the findings indicate that while Nigerian banks perform strongly in regulatory registration, privacy policy accessibility, and data security, substantial compliance gaps persist in third-party data sharing, breach response, and accountability mechanisms. These weaknesses expose institutions to regulatory risk and may undermine customer trust. Strengthening internal breach management frameworks, improving transparency around data sharing, and operationalising data subject rights are essential steps for aligning sector practices with both national data protection laws and emerging global standards.

Banks & Finance - Ghana

Ecobank Ghana, GCB Ghana, Stanbic Ghana and ABSA Ghana from Ghana



All assessed banks demonstrated compliance with registration requirements under the national data protection regulator, with Ecobank Ghana, GCB Ghana, and Absa Ghana achieving perfect scores (100%). This indicates strong formal adherence to statutory registration obligations and reflects a baseline level of institutional awareness of data protection laws. Stanbic Ghana, however, scored 50%, suggesting partial compliance and a need to strengthen alignment with regulatory requirements to ensure lawful data processing.

Similarly, all institutions showed consistent effort in making their privacy policies accessible, each scoring 88%. This points to a shared commitment to transparency at the policy level and ensures that customers can at least locate information about how their personal data is handled. Nevertheless, accessibility alone does not guarantee that privacy notices are sufficiently detailed, clear, or comprehensive to meet substantive legal standards.

In terms of data subject rights, performance was more differentiated. Stanbic Ghana led with a score of 72%, closely followed by Ecobank Ghana (71%), indicating relatively stronger mechanisms for enabling rights such as access, correction, and objection. Absa Ghana (63%) and GCB Ghana (57%) demonstrated moderate compliance, suggesting that while rights are acknowledged, their practical implementation may be limited or uneven. These variations highlight differing levels of maturity in translating legal rights into operational processes that customers can easily exercise.

All banks were found to share personal data with third parties, which is typical in the banking sector due to service outsourcing and regulatory obligations. However, compliance in this area was notably weak across the board. Ecobank Ghana, despite leading, achieved only 44%, followed by Absa Ghana (28%), Stanbic Ghana (20%), and GCB Ghana (18%). These low scores indicate insufficient transparency and safeguards around third-party data sharing, raising concerns about accountability, purpose limitation, and potential risks to customer data, particularly where onward transfers are involved.

Overall, the findings suggest that while Ghanaian banks perform relatively well in regulatory registration and policy-level transparency, significant gaps remain in third-party data governance and the consistent operationalisation of data subject rights. Addressing these weaknesses through clearer disclosures, stronger contractual controls with third parties, and more user-friendly rights-request mechanisms will be essential for achieving fuller compliance with Ghana's data protection framework and reinforcing customer trust in the sector.

Banks & Finance - Botswana

First National Bank (FNB), Absa Botswana, Stanbic Bank Botswana and Standard Chartered Bank from Botswana

The assessment indicates that Botswana's banks have made demonstrable efforts to establish accessible privacy policies, suggesting an acknowledgment of their obligations under data protection and privacy principles. Absa Botswana performed strongest in this area, scoring 88%, while First National Bank, Stanbic Bank Botswana, and Standard Chartered Bank Botswana each achieved 75%. This reflects a generally positive baseline commitment to transparency, although accessibility alone does not guarantee substantive compliance.

In relation to the observance of data subject rights, performance was mixed. Absa Botswana again led with a high score of 89%, indicating comparatively stronger alignment with core data protection requirements such as access, correction, and consent. Standard Chartered Bank Botswana followed at 68%, while First National Bank (59%) and Stanbic Bank Botswana (57%) recorded moderate compliance. These results suggest that, although mechanisms to uphold data subject rights exist, their implementation may be uneven and, in some cases, insufficiently robust.



All assessed banks disclosed that they share personal data with third parties; however, compliance in this area was notably weak. Even the highest-performing institution, Absa Botswana, scored only 38%, while Stanbic Bank Botswana and Standard Chartered Bank Botswana each scored 26%, and First National Bank lagged significantly at 14%. This raises concerns regarding transparency, lawful basis, and safeguards surrounding third-party data sharing, which are critical elements of data protection laws and pose heightened risks to customer privacy.

With respect to data security measures, the banks demonstrated stronger performance overall. Stanbic Bank Botswana led with a score of 78%, followed by Standard Chartered Bank Botswana at 72%. First National Bank and Absa Botswana both scored 56%, indicating moderate but potentially inadequate protection against data breaches and unauthorised access. While these results suggest awareness of security obligations, they also highlight the need for continuous improvement in technical and organisational safeguards.

Transparency reporting emerged as a major area of weakness. Only First National Bank, Absa Botswana, and Stanbic Bank Botswana published transparency reports, and even then, compliance levels were extremely low in respect of internal data breach resolution mechanisms. Standard Chartered Bank Botswana led marginally with 33%, followed by Stanbic Bank Botswana at 8%, while First National Bank and Absa Botswana each scored 0%. This lack of meaningful transparency undermines accountability and limits public trust, particularly in relation to government requests, data sharing practices, and internal compliance oversight.

Overall, the findings indicate that while Botswana's banks show awareness of privacy obligations and have taken initial steps toward compliance, significant gaps remain. Weaknesses in third-party data sharing practices and transparency reporting suggest partial rather than comprehensive compliance with data protection laws. To strengthen privacy governance and legal compliance, the banks must move beyond policy availability and invest in enforceable practices, clearer disclosures, and stronger accountability mechanisms across all aspects of personal data processing.

Banks & Finance - Rwanda

Bank of Kigali, Access Bank Rwanda, Equity Bank Rwanda and Ecobank Rwanda in Rwanda

Overall, the current assessment shows incremental but uneven progress in privacy practices among Rwandan banks when compared to last year. While foundational elements such as privacy policy availability and data security remain relatively strong and stable, critical accountability mechanisms — particularly third-party data transfers, transparency reporting, and internal data breach resolution — continue to exhibit persistent weaknesses, raising concerns about full compliance with data protection laws.



All four assessed banks (Bank of Kigali, Access Bank Rwanda, Equity Bank Rwanda, and Ecobank Rwanda) have made demonstrable efforts to maintain accessible and publicly available privacy policies, with each institution scoring 88%, reflecting parity across the sector. This represents no change from last year for Bank of Kigali, Equity Bank Rwanda, and Ecobank Rwanda, while Access Bank Rwanda improved from 75% to 88%, indicating progress in policy publication and visibility.

All policies exceed 200 words and are easily noticeable on bank websites, ensuring a baseline level of transparency. However, readability remains a concern. With readability grades ranging from 12 to 13, the policies may be difficult for the average user to fully understand, potentially undermining meaningful transparency. Word counts vary substantially, from 1,905 words at Access Bank Rwanda to 5,766 words at Equity Bank Rwanda, suggesting comprehensive coverage but at the cost of clarity. Consequently, while policy availability strongly supports formal compliance with data protection requirements, linguistic complexity continues to limit effective user comprehension.

The banks demonstrate notable improvement in the observance of data subject rights compared to last year, indicating growing awareness of legal obligations under data protection frameworks. Equity Bank Rwanda leads with a score of 81%, a substantial increase from 57% last year, reflecting enhanced disclosure of collected data types, retention practices, third-party sharing, and recognition of user rights, including complaint mechanisms. Ecobank Rwanda follows with 74%, up from 41%, reflecting clearer articulation of collection purposes, supported rights, and limitations on third-party sharing, though gaps remain in contact disclosure and precise retention periods.

Bank of Kigali and Access Bank Rwanda both scored 52%. Bank of Kigali improved from 41%, while Access Bank declined from 57%, suggesting stagnation or regression in transparency efforts. Both banks demonstrate moderate compliance by outlining collection purposes, general categories of personal data, and basic user rights, but they continue to omit explicit contact details, detailed retention timelines, and clear complaint procedures. Access Bank Rwanda additionally lacks clarity on law enforcement access. While the upward trend indicates progress toward compliance, persistent gaps in complaint mechanisms, retention specificity, and contact transparency limit users' ability to effectively exercise their rights, weakening accountability.

All assessed banks continue to share personal data with third parties, but compliance levels remain low, despite modest year-on-year improvements. This area remains one of the most significant compliance risks under data protection laws. Ecobank Rwanda leads with 44%, improving from 34%, followed by Equity Bank Rwanda at 30% (up from 10%). Access Bank Rwanda scored 14%, and Bank of Kigali 16%, both improving slightly from 10% last year. Despite these gains, disclosures remain incomplete across the sector. Most banks fail to specify all third-party entities, exact categories of shared data, conditions for law enforcement access, or comprehensive breach-reporting mechanisms. These deficiencies suggest partial compliance at best and expose customers to heightened privacy risks due to limited oversight and transparency in data-sharing arrangements.

Data security practices remain largely consistent with last year's findings, indicating stability but limited advancement. Access Bank Rwanda again leads with 67%, followed by Equity Bank Rwanda at 61%, and Bank of Kigali maintaining 56%. Ecobank Rwanda scored 45%, reflecting mixed technical performance. While most banks demonstrate strong SSL ratings and reference organisational, technical, and physical safeguards, policies generally lack detailed explanations of specific security measures. This limits the ability of users and regulators to assess whether protections meet legal standards for adequacy and proportionality. The results suggest that while banks recognise their duty to safeguard personal data, transparency around implementation remains insufficient.

Transparency reporting remains a critical weakness. Only Equity Bank Rwanda has published a transparency report since 2024. Bank of Kigali, Access Bank Rwanda, and Ecobank Rwanda have not issued any transparency reports, mirroring last year's findings. The continued absence of transparency reports undermines public accountability, particularly regarding government data requests, third-party disclosures, and internal compliance oversight. This persistent gap reflects limited alignment with international best practices in privacy governance.

Internal data breach resolution remains largely unchanged and inadequate, signalling ongoing non-compliance with core data protection principles related to accountability and user protection. Bank of Kigali and Access Bank Rwanda each scored 0%, as their policies provide no meaningful guidance on breach identification, investigation, resolution, user notification, or reporting channels, unchanged from last year. Equity Bank Rwanda and Ecobank Rwanda show partial improvement, each scoring 33%, by acknowledging breach handling procedures and providing limited reporting channels. However, both lack detailed internal processes, clear timelines, and guarantees of fair and impartial investigations. The continued weakness in breach response frameworks represents a significant compliance risk, particularly given statutory obligations to notify regulators and affected individuals within defined timeframes.

Compared to last year, the current analysis reveals incremental progress in transparency and data subject rights, particularly by Equity Bank Rwanda and Ecobank Rwanda. However, improvements remain largely procedural rather than structural. Persistent deficiencies in third-party data governance, transparency reporting, and breach management indicate that compliance with data protection laws remains partial and uneven across the sector. To achieve stronger compliance and build public trust, Rwandan banks must move beyond policy availability and baseline security measures toward clearer disclosures, enforceable internal procedures, and robust accountability mechanisms, particularly in areas involving third-party data sharing and breach response.

Banks & Finance - Tanzania

NMB Bank, Equity Bank Tanzania, Stanbic Bank Tanzania and NBC Bank Tanzania in Tanzania

The current assessment of Tanzanian banks indicates measured progress in several areas of privacy governance, particularly in data subject rights, data security, and limited accountability mechanisms, when compared to last year's findings. However, despite these improvements, systemic weaknesses persist, especially in third-party data transfers and internal data breach resolution, which continue to undermine full compliance with data protection laws.



All assessed banks continue to demonstrate strong performance in the accessibility of their privacy policies, reflecting stability and sustained commitment in this foundational area. NMB Bank, Equity Bank Tanzania, and NBC Bank Tanzania each maintained a score of 88%, consistent with last year's results, while Stanbic Bank Tanzania again scored 75%. This consistency indicates that the banks' privacy policies remain publicly available, easily noticeable on their websites, and written in fairly readable language, as confirmed by favourable readability grades using the Hemingway Editor. From a compliance perspective, this supports baseline transparency requirements under data protection laws. However, as in previous assessments, accessibility does not necessarily translate into substantive compliance across all privacy obligations.

The observance of data subject rights shows clear improvement overall, suggesting increasing awareness of statutory obligations relating to lawful processing, transparency, and user control. Equity Bank Tanzania leads with a score of 82%, up from 78% last year, although it still falls short by permitting data sharing with third-party advertisers without providing a comprehensive list of those entities. NMB Bank and NBC Bank Tanzania each scored 76%. Notably, NMB Bank recorded a substantial improvement from 38% last year, while NBC Bank maintained its previous performance level. These results reflect stronger disclosures regarding purposes of data collection, categories of personal data processed, and recognition of key data subject rights. Nevertheless, gaps in advertiser transparency and consent mechanisms limit full compliance and expose users to uncertainty regarding how their personal data is further processed.

Despite modest improvements, third-party data sharing remains one of the weakest areas across the sector and continues to pose significant compliance risks. All assessed banks share personal data with third parties but demonstrate very low levels of compliance. NMB Bank leads with 40%, a notable increase from 10% last year, followed by Equity Bank Tanzania at 30% (up from 10%). NBC Bank Tanzania maintained a low score of 24%, showing no improvement since the previous assessment. The continued lack of detailed disclosure regarding third-party recipients, specific categories of shared data, consent mechanisms, and lawful bases for transfer constitutes a violation of core data protection principles. These deficiencies undermine data subject rights and weaken the duties of data controllers and processors to ensure lawful and fair data sharing.

Data security practices show mixed but generally positive trends when compared to last year. NMB Bank, Stanbic Bank Tanzania, and Equity Bank Tanzania each scored 78%. For NMB Bank, this reflects an improvement from 72%, while Stanbic Bank maintained its previous strong performance and Equity Bank Tanzania improved from 61%. In contrast, NBC Bank Tanzania scored 56%, representing a decline from 72% last year.

These results suggest that most banks have strengthened or maintained technical and organisational security measures such as encryption, secure transmission, and access controls. However, the decline at NBC Bank Tanzania raises concerns about the sustainability of data security practices and highlights the need for continuous monitoring and investment to meet legal standards for data protection.

Accountability through transparency reporting has improved slightly but remains uneven across the sector. Only NMB Bank and Equity Bank Tanzania have published transparency reports on their websites, each achieving a 100% score under this metric. This marks a significant improvement from last year, when none of the assessed banks had published transparency reports. Stanbic Bank Tanzania and NBC Bank Tanzania continue to lack transparency reports, limiting public insight into government data requests, third-party disclosures, and internal oversight mechanisms.

Internal data breach resolution remains a critical area of weakness, despite marginal improvements across all institutions. All banks recorded very low compliance levels. NMB Bank, Equity Bank Tanzania, and Stanbic Bank Tanzania each scored 25%, while NBC Bank Tanzania scored 17%. Although these scores are low, they represent an improvement from 0% across all banks last year, indicating early recognition of the need for breach response mechanisms. Nonetheless, the absence of clear internal procedures, defined reporting timelines, guaranteed user notification, and accessible reporting channels suggests that banks may struggle to detect, report, and remedy data breaches in a timely and lawful manner, as required under data protection laws.

Compared to last year, the Tanzanian banking sector demonstrates incremental progress in privacy governance, particularly in data subject rights, data security, and limited transparency reporting. However, improvements remain uneven and largely procedural. Persistent shortcomings in third-party data transfers and internal data breach resolution indicate that full compliance with data protection laws has not yet been achieved. To strengthen privacy practices and regulatory alignment, banks must move beyond accessible policies and technical safeguards toward comprehensive accountability frameworks, including lawful data-sharing controls, effective breach management systems, and consistent transparency reporting.

Banks & Finance - Mauritius

ABSA Bank Mauritius, Swan Life Limited, SBM Bank (Mauritius) Limited and Bank of Baroda Mauritius in Mauritius

The current assessment of banks and financial institutions in Mauritius reflects a mixed trajectory in privacy governance when compared with last year's findings. While strong performance in the accessibility of privacy policies has largely been sustained, progress in other critical areas — particularly third-party data transfers, transparency reporting, and internal data breach resolution — remains uneven and, in some cases, has deteriorated. These patterns have direct implications for compliance with Mauritius' data protection framework and for institutional accountability.



All assessed institutions (Absa Bank Mauritius, Swan Life Limited, SBM Bank, and Bank of Baroda) continue to demonstrate effort in maintaining accessible privacy policies. Absa Bank Mauritius, Swan Life Limited, and Bank of Baroda each maintained a high score of 88%, consistent with last year's results, indicating sustained compliance with baseline transparency obligations. In contrast, SBM Bank's score declined to 63% from 75% last year, suggesting reduced accessibility or clarity of its published privacy information. While overall policy availability remains strong across the sector, this decline highlights the need for consistent maintenance and updating of privacy disclosures to meet legal transparency standards.

Observance of data subject rights shows both improvement and regression across institutions, resulting in an uneven compliance landscape. Swan Life Limited leads with a score of 77%, improving from 66% last year, reflecting stronger disclosure of lawful processing bases, clearer articulation of user rights, and improved complaint mechanisms. SBM Bank also demonstrated notable progress, scoring 69%, up from 52%, positioning it as one of the stronger performers in this category. Absa Bank Mauritius recorded a slight decline to 68% from 71%, while Bank of Baroda scored 20%, down from 25%, indicating persistent weaknesses in rights recognition and user redress mechanisms. These findings suggest that while some institutions are strengthening alignment with data protection principles such as lawfulness, fairness, and transparency, others risk non-compliance by failing to adequately inform users of their rights or provide effective means of exercising them.

All assessed institutions share personal data with third parties; however, compliance levels remain low, despite incremental improvements by some banks. Swan Life Limited leads with 38%, improving from 24%, followed closely by SBM Bank at 36%, also up from 24%. Absa Bank Mauritius improved to 34% from 14%, reflecting better disclosure and safeguards, though still below acceptable compliance thresholds. Bank of Baroda again scored 0%, unchanged from last year, indicating a complete lack of transparency or safeguards around third-party data sharing. The continued inadequacy in this area poses significant compliance risks, as data protection laws require clear disclosure of third-party recipients, lawful bases for sharing, and appropriate safeguards. Weak performance undermines data subject trust and increases regulatory exposure.

Performance in data security reflects stagnation and regression, rather than consistent improvement. Bank of Baroda again leads with a score of 78%, maintaining its performance from last year. Swan Life Limited maintained 72%, indicating stable implementation of technical and organisational safeguards. In contrast, SBM Bank's score declined to 61% from 72%, and Absa Bank Mauritius fell to 56% from 72%, raising concerns about the adequacy and consistency of their security practices. These declines suggest that while some institutions maintain robust safeguards, others may not be sufficiently updating or documenting security measures to meet evolving legal and operational risks.

Transparency reporting remains a major area of divergence across the sector. All institutions except SBM Bank lack transparency reports. SBM Bank scored 100%, a significant improvement from 0% last year, demonstrating enhanced accountability regarding data disclosures and oversight. Absa Bank Mauritius, Swan Life Limited, and Bank of Baroda continue to provide no transparency reports, mirroring last year's shortcomings and limiting public insight into data access requests and disclosure practices.

Internal data breach resolution remains critically underdeveloped across the sector. All institutions registered very low compliance levels. Swan Life Limited scored 8%, while Absa Bank Mauritius, SBM Bank, and Bank of Baroda each scored 0%, showing no improvement from last year. The absence of clear internal procedures, reporting timelines, and guaranteed user notification mechanisms indicates weak accountability and exposes institutions to legal and reputational risks in the event of a data breach.

A closer review of policy content reinforces these findings. Absa Bank's policy is comprehensive in scope, clearly defining data categories, processing purposes, lawful bases, and data subject rights, including complaint mechanisms, although its slight decline in scores suggests potential gaps in implementation or clarity. Swan Life Limited's policy is detailed and rights-forward, particularly regarding consent, cross-border transfers, and protections against automated decision-making. SBM Bank's policy demonstrates strong safeguards and clearly articulated user rights, supported by full Data Protection Officer contact details, aligning well with legal requirements. By contrast, Bank of Baroda's policy lacks essential elements such as contact details, complaint mechanisms, and consent withdrawal rights, contributing to its persistently low performance in key compliance areas.

Compared to last year, the Mauritian banking sector shows selective progress rather than systemic improvement. Gains in data subject rights and transparency reporting by certain institutions are offset by declines in data security and persistent weaknesses in third-party data sharing and breach management. While most institutions meet baseline transparency requirements through accessible privacy policies, full compliance with data protection laws remains uneven. To strengthen privacy governance, banks must prioritise robust third-party data controls, comprehensive breach response frameworks, and consistent transparency reporting to enhance accountability, regulatory compliance, and customer trust.

Banks & Finance - Zimbabwe

Empower Bank, CBZ Bank, Stanbic Bank Zimbabwe and NMB Bank in Zimbabwe

The current assessment of Zimbabwean banks shows measurable improvement in several areas of privacy governance compared to last year, while also revealing persistent structural weaknesses that continue to limit full compliance with data protection laws. Overall, banks demonstrate growing awareness of privacy obligations, but accountability mechanisms remain underdeveloped.

As was the case last year, all assessed banks continue to demonstrate strong performance in the accessibility of their privacy policies. CBZ Bank again leads with a perfect score of 100%, while Empower Bank and NMB Bank each maintained scores of 88%, and Stanbic Bank Zimbabwe maintained 75%. This consistency indicates that privacy policies remain publicly available, visible on institutional websites, and generally readable. From a compliance perspective, this satisfies baseline transparency requirements under data protection laws. However, as in previous assessments, policy accessibility alone does not ensure substantive compliance across other dimensions of data protection.



The observance of data subject rights shows significant improvement across all institutions, representing one of the most notable areas of progress since last year. NMB Bank leads with 81%, a substantial increase from 36%, indicating enhanced disclosure of processing purposes and stronger recognition of user rights. Stanbic Bank Zimbabwe follows with 77%, improving from 72%, while Empower Bank scored 47%, up from 37%, and CBZ Bank scored 41%, up from 36%. These improvements suggest increasing alignment with legal requirements relating to lawful processing, transparency, and user control. Nevertheless, moderate-to-low scores for some institutions indicate that gaps remain in areas such as complaint mechanisms, detailed retention practices, and clarity of consent withdrawal procedures.

Despite modest gains, third-party data sharing remains a critical area of weakness, with all banks recording low compliance levels. NMB Bank leads with 44%, up from 24%, followed by Stanbic Bank Zimbabwe at 36%, a notable increase from 10%. CBZ Bank scored 16%, reflecting a decline from 24%, while Empower Bank maintained a score of 0%, unchanged from last year. These results indicate that although some institutions have improved disclosure and safeguards, third-party data transfers continue to fall short of data protection standards. Insufficient transparency around third-party recipients, data categories shared, and lawful bases for transfer undermines data subject rights and exposes banks to regulatory and reputational risk.

Data security practices remain relatively strong overall, though performance is uneven compared to last year. Stanbic Bank Zimbabwe and NMB Bank jointly lead with 78%. Stanbic Bank maintained its score, while NMB Bank improved from 72%. CBZ Bank maintained a stable score of 67%, indicating consistency in security practices. In contrast, Empower Bank's score declined to 50% from 78%, raising concerns about the sustainability or documentation of its technical and organisational safeguards. These findings suggest that while most banks recognise their obligation to protect personal data, continuous investment and transparency around security measures are necessary to ensure ongoing compliance.

Transparency reporting remains largely unchanged and limited. As in last year's assessment, CBZ Bank is the only institution with a transparency report, maintaining a perfect score of 100%. NMB Bank, Stanbic Bank Zimbabwe, and Empower Bank continue to publish no transparency reports. The absence of transparency reports restricts public and regulatory insight into data access requests, third-party disclosures, and internal oversight, weakening accountability across the sector.

Internal data breach resolution shows incremental improvement, though compliance levels remain low overall. All banks recorded scores above zero for the first time. Stanbic Bank Zimbabwe leads with 42%, followed by NMB Bank at 25%, CBZ Bank at 17%, and Empower Bank at 8%. While these scores are modest, they represent a clear improvement from 0% across all institutions last year. This progress suggests emerging recognition of breach management obligations. However, the continued absence of clear internal procedures, defined reporting timelines, guaranteed user notification, and accessible reporting channels indicates that breach response frameworks remain insufficient to meet legal standards.

Compared to last year, Zimbabwe's banking sector demonstrates meaningful progress in data subject rights and internal breach awareness, alongside stable performance in privacy policy accessibility and data security. However, third-party data transfers and transparency reporting remain persistent areas of non-compliance, and improvements in breach resolution mechanisms are still at an early stage. Overall, while banks have strengthened certain aspects of their privacy practices, full compliance with data protection laws remains uneven. To advance toward stronger privacy governance, institutions must prioritise lawful and transparent third-party data sharing, institutionalise effective breach response systems, and expand transparency reporting to reinforce accountability and public trust.

Banks & Finance - Kenya

Stima Sacco, Equity Bank Kenya, ABSA Kenya and KCB Bank in Kenya

The current assessment indicates continued regulatory compliance and incremental progress in certain privacy dimensions, alongside persistent weaknesses that constrain full alignment with data protection laws. Compared to last year, improvements are evident in accessibility of privacy policies, observance of data subject rights, and data security for some institutions, while compliance relating to third-party data sharing remains weak and, in some cases, has deteriorated.



As in the previous assessment, all evaluated banks fulfilled registration requirements with the national data protection regulator, each scoring 100%. This consistency reflects strong baseline compliance with statutory obligations and demonstrates sector-wide awareness of regulatory oversight as a foundational requirement for lawful personal data processing.

There was demonstrable effort across all institutions to maintain accessible privacy policies. Stima Sacco emerged as the leading institution with a score of 100%, improving from 88% last year, indicating enhanced visibility and clarity of its privacy disclosures. Equity Bank Kenya, Absa Kenya, and KCB Kenya each maintained scores of 88%, unchanged from last year. These results suggest that privacy policies remain publicly available, easily noticeable, and generally readable, satisfying core transparency requirements under Kenya's Data Protection Act. However, accessibility alone does not necessarily equate to comprehensive compliance, particularly where substantive rights and safeguards are insufficiently implemented.

The observance of data subject rights shows mixed progress compared to last year. Stima Sacco leads with a score of 72%, improving from 60%, reflecting stronger disclosure of processing purposes and better recognition of user rights. Equity Bank Kenya scored 63%, representing a slight decline from 66% last year, suggesting stagnation or minor regression in this area. Overall, these scores indicate that institutions are increasingly acknowledging data subject rights such as access, correction, and objection. However, inconsistencies in facilitating these rights, including complaint mechanisms and clarity around consent withdrawal, limit full compliance and effective user empowerment.

All assessed institutions continue to share personal data with third parties, but compliance levels remain low and, in several cases, have declined. Stima Sacco leads with 34%, down from 44% last year, followed by KCB Kenya at 16%, a decline from 30%. Equity Bank Kenya and Absa Kenya again scored 0%, unchanged from last year. These results highlight ongoing deficiencies in transparency regarding third-party recipients, categories of shared data, and lawful bases for transfer. Such shortcomings directly undermine data subject rights and contravene the duties of data controllers and processors under data protection laws, exposing institutions to regulatory and reputational risks.

Data security practices show gradual improvement overall, though performance varies across institutions. Equity Bank Kenya leads with 61%, maintaining its score from last year, followed by Absa Kenya at 56%, also unchanged. Stima Sacco improved to 45%, up from 28%, and KCB Kenya increased slightly to 28% from 22%. These trends indicate growing recognition of technical and organisational security obligations, particularly among smaller institutions. However, the relatively low scores for some banks suggest that security measures may still lack sufficient depth, documentation, or transparency to fully meet legal standards.

Beyond aggregate scores, institutional privacy frameworks reveal important distinctions. KCB Kenya demonstrates strong privacy compliance awareness, achieving 92% compliance through a comprehensive framework that includes explicit seven-year data retention periods, detailed third-party sharing disclosures (including credit bureaus and regulators), and structured procedures for facilitating data subject rights. Nonetheless, gaps remain in behavioural marketing consent mechanisms and transparency around law enforcement access.

Absa Bank Kenya, with an overall performance of 79%, reflects the application of international banking group standards within the Kenyan context. Its policy addresses cross-border data transfers, automated credit decision-making, and financial data security, though more specific retention disclosures and enhanced third-party transparency would strengthen compliance.

By contrast, Stima Sacco's overall performance of 50% highlights the challenges faced by cooperative financial institutions. While improvements are evident in policy accessibility and data subject rights, significant gaps remain in retention specificity, third-party transparency, and rights facilitation, underscoring the need for targeted guidance and capacity-building support for smaller institutions.

Compared to last year, the assessment shows incremental but uneven progress in privacy governance. Regulatory registration and policy accessibility remain strong, and some institutions have improved in data subject rights and security practices. However, third-party data sharing continues to represent a systemic compliance weakness, and improvements in this area have been limited or reversed.

Overall, while awareness of data protection obligations is evident, full compliance with data protection laws has not yet been achieved across the sector. Strengthening lawful third-party data governance, enhancing security implementation, and improving practical mechanisms for exercising data subject rights will be critical to advancing accountability, regulatory compliance, and public trust.

Banks & Finance - Uganda

Stanbic Bank Uganda, Pride Microfinance, ABSA Bank Uganda and Centenary Bank in Uganda



The current assessment of Ugandan banks shows overall stability in baseline compliance with data protection requirements, alongside incremental improvements in certain substantive areas and persistent weaknesses in accountability mechanisms. Compared with last year, banks continue to demonstrate awareness of privacy obligations, but progress remains uneven across key compliance indicators.

As in last year's assessment, all assessed banks fulfilled registration requirements with the national regulator (NITA-U), each scoring 100%. This reflects continued compliance with statutory registration obligations and confirms that all institutions remain under formal regulatory oversight for personal data processing.

All banks again demonstrated effort to maintain accessible privacy policies, with every institution scoring 88%. For Pride Microfinance this is a decline from 100%, while the remaining institutions (Stanbic Bank Uganda, Centenary Bank, and Absa Bank Uganda) maintained their scores from last year. These results indicate that privacy policies remain publicly available, easily noticeable, and generally readable, supporting baseline transparency requirements under Uganda's data protection framework. However, as in previous assessments, accessibility alone does not guarantee comprehensive compliance in practice.

Observance of data subject rights shows mixed movement, with notable improvements by some institutions and declines by others. Stanbic Bank Uganda leads with a score of 75%, improving from 72%, reflecting clearer articulation of user rights and processing practices. Centenary Bank scored 67%, representing a decline from 77%, while Absa Bank Uganda improved slightly to 56% from 53%. Pride Microfinance also improved to 41%, up from 38%. These results suggest a general strengthening of recognition of data subject rights such as access, correction, deletion, and complaint mechanisms. However, uneven performance indicates that facilitation of these rights — particularly clarity of procedures, conditions, and timelines — remains inconsistent across institutions.

All assessed banks share personal data with third parties, but compliance levels remain low, despite some improvement compared to last year. Centenary Bank leads with 48%, up from 40%, followed by Pride Microfinance at 44%, a substantial increase from 10%. Stanbic Bank Uganda scored 30%, improving from 26%, while Absa Bank Uganda declined to 10% from 24%. While these improvements suggest growing awareness of disclosure obligations, the continued lack of detailed information on third-party recipients, categories of shared data, and lawful bases for transfer undermines data subject rights and remains inconsistent with data protection law requirements.

All banks demonstrated effort to comply with data security obligations, with performance remaining relatively stable overall. Stanbic Bank Uganda, Pride Microfinance, and Centenary Bank each scored 78%. Stanbic and Centenary maintained their scores from last year, while Pride Microfinance improved significantly from 45% to 78%. Absa Bank Uganda maintained a score of 56%, unchanged from last year. These scores indicate reasonable implementation of technical and organisational security measures. However, the lack of accompanying transparency and breach response detail limits the ability to assess the effectiveness of these safeguards in practice.

As in last year's assessment, none of the banks have published transparency reports. The continued absence of transparency reporting restricts public insight into government data requests, third-party disclosures, and internal oversight, weakening institutional accountability.

Internal data breach resolution shows incremental improvement, though compliance remains low overall. Stanbic Bank Uganda leads with 33%, up from 8%, followed by Pride Microfinance and Centenary Bank at 17% each, while Absa Bank Uganda scored 0%, unchanged from last year. Although these scores represent progress compared to last year's uniformly poor performance, the absence of clear breach notification requirements, defined investigation timelines, and guarantees of fair and impartial processes indicates that breach response frameworks remain inadequate under data protection laws.

Banks and financial institutions continue to perform better than most other sectors assessed. Stanbic Bank Uganda remains the strongest overall performer, with relatively high scores in pre-collection transparency and internal breach response. Its privacy policy is prominently displayed and fairly readable, provides multiple complaint channels, and recognises key data subject rights. However, it lacks a transparency report and does not clearly outline breach notification obligations, investigation timelines, or user notification requirements.

Centenary Bank performs well on third-party data transfer practices, allowing data sharing with defined categories of professional and regulatory entities and offering multiple reporting channels, including references to NITA-U. However, it does not specify the exact data types shared with third parties. Absa Bank Uganda records the lowest scores in third-party data transfer, data security transparency, and breach resolution. While its privacy policy clearly outlines purposes of data collection and recognises several data subject rights, it is largely silent on breach handling procedures and provides limited clarity on complaint escalation pathways.

Compared with last year, Uganda's banking sector demonstrates incremental progress in data subject rights recognition, data security, and early breach response awareness, while maintaining strong performance in regulatory registration and policy accessibility. However, persistent weaknesses remain in third-party data governance, transparency reporting, and comprehensive breach management.

Overall, while banks show growing awareness of data protection obligations, full compliance with Uganda's data protection laws has not yet been achieved. Strengthening lawful third-party data sharing controls, institutionalising clear and enforceable breach response frameworks, and improving transparency reporting will be critical to enhancing accountability, regulatory compliance, and public trust.
