What the Personal Data Protection Proclamation Means for Your Organization — and What to Do First
In 2024, Ethiopia adopted its first comprehensive data protection law — the Personal Data Protection Proclamation No. 1321/2024. The law marks a fundamental shift in how organizations operating in Ethiopia must collect, store, share, and protect personal information. It applies broadly: to private companies, public institutions, NGOs, financial services providers, healthcare organizations, and any entity that processes personal data of individuals in Ethiopia.
The compliance gap is wide. In conversations with clients across sectors, we have found that most organizations are aware the law exists but have not yet built the practical infrastructure it requires. This article outlines what the Proclamation actually obliges you to do, why the timeline matters, and the three first steps every organization should take now.
What the law covers
The Proclamation establishes a set of obligations familiar from international data protection regimes such as the EU's GDPR, but tailored to the Ethiopian legal context. In broad terms, organizations that process personal data must:
Have a lawful basis for processing. Every collection and use of personal data must be grounded in one of the legal bases the Proclamation recognizes — typically consent, contractual necessity, legal obligation, or legitimate interest.
Be transparent. Individuals whose data you hold have the right to know what you collect, why, how long you keep it, and with whom you share it. Privacy notices are no longer optional.
Respect data subject rights. Individuals can request access to their data, correction of inaccuracies, deletion in certain circumstances, and restriction of further processing.
Secure the data. Organizations must implement appropriate technical and organizational measures to prevent unauthorized access, loss, or disclosure.
Manage onward sharing carefully. Sharing data with third parties — including processors, vendors, and cross-border recipients — requires defined safeguards and, in many cases, written agreements.
Notify breaches. Where a personal data breach occurs, the Proclamation imposes notification obligations both to the supervisory authority and, in serious cases, to affected individuals.
Why it matters now
Three reasons make the present moment the right time to act, not next year:
First, the regulatory ramp-up has begun. Supervisory infrastructure is being put in place, and enforcement attention will follow. Organizations that wait for the first enforcement action to take the law seriously will find themselves in a reactive — and expensive — position.
Second, clients, partners, and donors are already asking. International companies, multilateral institutions, and donor organizations increasingly include data protection due diligence in their procurement and partnership processes. Ethiopian organizations without a credible compliance posture are starting to lose opportunities, quietly.
Third, the obligations take time to build properly. A data protection programme is not a document — it is a set of policies, contracts, technical safeguards, training, and ongoing oversight. Building it well takes months. Doing it under pressure after an incident or audit takes far longer and costs more.
Three first steps every organization should take
If your organization has not yet begun compliance work under the Personal Data Protection Proclamation (PDPP), start here:
1. Conduct a data inventory. Map the personal data your organization actually collects, where it is stored, who has access, with whom you share it, and how long you keep it. You cannot protect what you do not know you have. A practical inventory usually takes two to four weeks and is the foundation of every other compliance step.
2. Publish a clear privacy notice. Every organization handling personal data should have a privacy notice that tells individuals — in plain language — what data you collect, why, how it is used, and what their rights are. This is one of the most visible compliance obligations and one of the easier early wins.
3. Put written data-sharing agreements in place. Wherever you share personal data with a third party — a payroll provider, an IT vendor, a cloud platform, a sub-contractor — the relationship should be governed by a written data processing agreement that allocates responsibilities and protects your organization if the third party causes a breach.
These three steps will not make your organization fully compliant, but they will establish the foundation. From there, more advanced work follows: training, breach response procedures, vendor due diligence, and ongoing oversight.
How we can help
Prime Law advises organizations across sectors on practical PDPP compliance — from initial gap assessments and policy development through to data processing agreements, breach response procedures, and staff training. We offer fixed-fee compliance packages designed to make compliance straightforward for organizations of any size, as well as bespoke advisory for complex situations.
If you would like to discuss your organization's data protection posture, write to us at info@primelaw.law.
______________
This article is provided for general information only and does not constitute legal advice. For advice on your specific situation, please consult qualified legal counsel.