The Botswana Data Protection Act has finally come in to effect, effective today, 14 January 2025.
The Act was enacted in 2018 and aims to protect individuals’ personal data by regulating its collection, processing, storage, and use. It establishes legal standards for data controllers and processors, providing individuals with rights concerning their personal information.
Giving an overview of its key elements, Cybersmart Botswana noted that:
The Data Protection Act seeks to: Safeguard the privacy of individuals, Regulate the collection and processing of personal data, prevent the misuse of personal information, promote transparency and accountability in data handling.
Key Provisions of the Act include:
1. Scope of Application: Applies to data controllers and processors operating within Botswana or handling personal data of individuals in Botswana, covers both automated and non-automated data processing.
2. Consent Requirement; Personal data must be collected with the individual’s consent, except in specific legal circumstances.
3. Data Subject Rights
Individuals have the right to: Access their personal data, Request correction or deletion of inaccurate or outdated data, Object to data processing in certain situations.
4. Obligations of Data Controllers and Processors, ensure the data is processed lawfully, fairly, and transparently, collect data for specific, legitimate purposes and limit its use to those purposes.
– Implement appropriate security measures to protect data from unauthorized access, loss, or breaches.
5. Data Breach Notification
– Data controllers must report data breaches to the Information and Data Protection Commissioner and affected individuals.
6. Cross-Border Data Transfer
– Transfers of personal data outside Botswana are restricted unless the destination country ensures an adequate level of data protection.
7. Penalties and Sanctions
– Non-compliance may result in fines, imprisonment, or both, depending on the severity of the violation. Fines can reach up to P1 milion.
In a previous comment on the piece of legislation, legal experts at Peo Legal said Some of the key provisions of the Act include requirements for data to be processed, privacy protection of personal data and set criteria for processing of data for various different purposes. There are also additional safeguards for dealing with “Sensitive Personal Data”. The Act prescribes hefty penalties in the form of monetary fines and imprisonment for violations of its provisions. Although the Act has not yet commenced, there is a transition period of 12 months from commencement within which all processing of personal data must be made compliant with the Act.
This Act is a welcome addition to the current laws in force in Botswana, and collectively with other laws in the process of being promulgated on other affected areas of information and communications technology and e-commerce, will increase the effectiveness of Government departments and encourage investor confidence in the country
