Understand Your Responsibilities. Comply with the Law. Build Trust.
Organizations that collect, store, or process personal data in Somalia are legally required to comply with the Data Protection Act (Law No. 005 of 2023).
The DPA provides oversight, guidance, and enforcement to help organizations meet their obligations.
Who Must Comply?
The law applies to:
- Government institutions
- Private companies
- NGOs and civil society organizations
- Educational institutions
- Healthcare providers
- Telecom operators
- Any entity processing personal data in Somalia
Core Organizational Obligations
Organizations must:
- Process data lawfully, fairly, and transparently
- Obtain valid consent where required
- Protect personal data with appropriate safeguards
- Respect data subject rights
- Report data breaches within legal timelines
- Register with the DPA as a controller or processor
Sector-Specific Responsibilities
Different sectors face unique obligations, including:
- Education – Protect student records and IDs
- Health – Safeguard patient health information
- Banking & Finance – Secure financial and transactional data
- Telecommunications – Protect communications and location data
- E-Government – Ensure secure online data collection and transparency
DPIAs & Privacy by Design
Organizations must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities and embed Privacy by Design and by Default into systems, services, and workflows.
Compliance & Risk Management
A compliant organization should:
- Maintain data processing records
- Train staff on data protection
- Establish breach response procedures
- Conduct regular audits
- Cooperate with DPA oversight
Take Action
Organizations are encouraged to:
- Register with the DPA
- Request guidance or training
- Report data breaches
- Seek compliance consultations
