The Data Protection Act 18 of 2024, published on 29 October 2024 following presidential assent, represents a step forward in Botswana’s approach to personal data privacy. It replaces the Data Protection Act 32 of 2018, which came into force in 2021 but was criticised for insufficiently addressing emerging data protection challenges. This new Act enhances the regulatory framework for data protection, introduces stronger penalties for non-compliance, and positions Botswana as a leader in safeguarding individual privacy rights in Africa.
Why the Act matters
The Act ensures that personal data is processed with integrity, transparency, and accountability. It addresses modern challenges such as cross-border data transfers, data breaches, and automated decision-making, all of which are increasingly relevant in today’s digital landscape. For individuals, it provides robust rights over their personal information, including access, correction, and erasure. For organisations, it sets clear standards for lawful data processing, secure handling of sensitive data, and compliance with global best practices.
Who needs to comply?
The Act applies to:
- organisations and entities in Botswana processing personal data, whether automated or manual
- international organisations or data controllers outside Botswana, if they offer goods or services to individuals in Botswana or monitor their behaviour within the country
- public authorities and private entities alike, as the Act binds the state
Exemptions apply to:
- personal or household data processing
- processing related to national security, defence, or public safety, provided adequate safeguards exist in specific legislation
Specific deadlines and transitional provisions
The Act will come into force on a date to be gazetted by the minister. Organisations should use the interim period to:
- review existing data processing activities
- update policies and procedures to align with the Act’s requirements
- appoint data protection officers (DPOs) where necessary
- implement technical and organisational measures to secure personal data
Outline of the Act
1. Core principles
- lawfulness, fairness, and transparency: personal data must be processed in a clear and just manner
- purpose limitation: data should only be collected for specified purposes
- data minimisation: collect and process only what is necessary
- accuracy and security: ensure data is accurate, securely stored, and protected from unauthorised access
2. Rights of individuals
- access, rectification, and erasure of personal data
- data portability and the right to object to processing
- protection from decisions made solely through automated processing
3. Responsibilities for organisations
- conduct data protection impact assessments (DPIAs) for high-risk processing activities
- appoint DPOs for large-scale or sensitive data processing
- notify the commission and affected individuals of data breaches
4. Cross-border data transfers
- allowed to countries with adequate data protection frameworks or under contractual safeguards
5. Penalties for non-compliance
- fines of up to BWP 50 million or 4% of global turnover, whichever is higher
- potential imprisonment for breaches of confidentiality or unauthorised data use
How ITLawCo can help
At ITLawCo, we specialise in data protection and IT compliance, offering tailored services to help organisations navigate the complexities of Botswana’s Data Protection Act 18 of 2024. Our expertise ensures your compliance journey is efficient, cost-effective, and aligned with your business objectives. Here’s how we can assist:
Compliance readiness assessments
- identify gaps in your current data protection practices
- provide actionable recommendations to achieve compliance
Policy and procedure development
- draft or revise privacy policies, data processing agreements, and incident response plans
- ensure your contracts meet international standards for cross-border data transfers
Data protection officer (DPO) services
- outsource your DPO function to our experts for ongoing compliance support
Training and awareness
- conduct workshops for employees to understand their roles in protecting personal data
- offer executive-level briefings on the strategic implications of the Act
Incident response
- assist with breach notification requirements and mitigate the impact of data breaches
Why choose ITLawCo?
With a proven track record in data protection and IT governance across Africa, ITLawCo combines legal expertise with technical know-how. Whether you’re a local business or an international organisation operating in Botswana, our team is equipped to guide you through every aspect of compliance. Contact us today to ensure you’re not only meeting regulatory requirements but also building trust with your customers through robust data protection practices.