Malawi’s Data Protection Act (the Act) officially came into force on 3 June 2024, providing a comprehensive regulatory framework for protecting personal data.
The Act designates the Malawi Communications Regulatory Authority (MACRA) as the data protection authority overseeing its implementation. It also aligns with the provisions of Malawi’s Constitution on the right to privacy and replaces Part IV of the Electronic Transactions and Cyber Security Act as the primary data protection regulation. Following the Act’s enforcement, MACRA published a Data Protection Handbook to guide compliance.
This page is relevant to businesses, data controllers, data processors, legal professionals, and organisations operating in Malawi or targeting individuals in Malawi. It is especially pertinent for those that handle personal data and must comply with the new data protection requirements set out in Malawi’s Data Protection Act 2024.
Key provisions of Malawi’s Data Protection Act
Scope of application (section 3)
The Act applies to personal data processing by controllers and processors based in Malawi, processing data within Malawi, or targeting individuals in Malawi. This includes both automated and non-automated data processing.
Data protection authority (sections 4-6)
MACRA is designated as the authority responsible for implementing and enforcing the Act. MACRA’s mandate includes regulating personal data processing and ensuring compliance with the Act.
Principles of processing (sections 8-13)
The Act mandates principles such as lawfulness, transparency, fairness, purpose limitation, data minimisation, accuracy, storage limitation, data integrity, and confidentiality. Data controllers and processors must adhere to these principles.
Lawful bases for processing (section 8)
The Act outlines lawful bases for processing personal data, including consent, performance of a contract, legal obligation, vital interest, public interest, and legitimate interest. Additional grounds include authorisation under written law and the legal mandate of public authorities.
Processing sensitive personal data (section 16)
Processing sensitive data requires explicit consent or must meet specific conditions such as protecting the data subject’s interests, public health, or public interest. Appropriate measures must be implemented to safeguard data subject rights.
Processing children’s data (section 17)
Consent for processing a child’s data must be obtained from a parent or legal guardian, with mechanisms to verify age and guardian identity.
Rights of data subjects (sections 19-26)
Data subjects have rights including access to their data, objection to processing, data portability, erasure, rectification, and restriction of processing. Exceptions include national security and public health considerations.
Record of processing activities (RoPA) (section 29)
Controllers and processors must maintain records of all processing activities, available for inspection by MACRA.
Data protection impact assessment (DPIA) (section 30)
DPIAs are required for processing activities posing high risks to data subjects’ rights. These assessments must be submitted to MACRA prior to processing.
Data protection officer (section 33)
Organisations engaged in large-scale data processing must appoint a data protection officer (DPO) to ensure compliance with the Act.
Data security (section 35)
The Act mandates technical and organisational measures for data security, including pseudonymisation, encryption, and regular risk assessments.
Breach notification (sections 36-37)
Data controllers must notify MACRA of data breaches within 72 hours. Affected data subjects must also be notified within 72 hours if the breach poses a high risk to their rights.
Cross-border data transfer (sections 38-40)
Transfers of personal data outside Malawi are restricted unless the receiving country has adequate data protection laws or specific mechanisms such as binding corporate rules are in place.
Mandatory registration (sections 41-42)
Significant data controllers and processors must register with MACRA. This includes those processing data of more than 10,000 subjects or data of national importance.
Complaint lodging and compliance orders (sections 44-45)
Data subjects can lodge complaints with MACRA, which will investigate and issue compliance orders as necessary.
Data Protection Handbook
Following the Act’s enforcement, MACRA published a Data Protection Handbook to guide compliance. The Handbook summarises key provisions of the Act and outlines essential steps for data controllers and processors to follow. Key areas covered include:
- Registration with the data protection authority: Data controllers and processors of significant importance must register before processing personal data. The Handbook provides detailed guidance on the documentation required and the registration process.
- Appointment of a data protection officer: The Handbook specifies the qualifications and responsibilities of a DPO, ensuring businesses comply with the Act’s mandates.
- Implementation of data protection principles: It outlines measures for operationalising principles such as data minimisation, accuracy, transparency, and lawfulness of processing.
- Conducting data protection impact assessments (DPIA): The Handbook provides a framework for conducting DPIAs, including identifying high-risk processing activities and submitting reports to MACRA.
- Data security measures: It recommends technologies and procedures such as encryption, access controls, and pseudonymisation to ensure data security.
- Breach notification protocols: The Handbook outlines protocols for notifying MACRA and affected data subjects of data breaches within the required timeframe.
- International data transfers: It details safeguards for transferring personal data outside Malawi, including documentation and approval processes.
- Data subject rights: It provides guidance on implementing processes for data subjects to exercise their rights under the Act.
How ITLawCo can help
Compliance consulting
- Registration assistance: We help businesses complete the necessary documentation and register with MACRA.
- DPO appointment: We assist in appointing qualified data protection officers (DPOs) and ensure their duties align with the Act’s requirements.
Data protection impact assessments (DPIA)
- DPIA conducting and reporting: Our experts conduct comprehensive DPIAs for high-risk processing activities and assist in submitting the required reports to MACRA.
- Ongoing risk assessments: We provide continuous risk assessment services to ensure compliance as risks evolve.
Data security and breach management
- Security measures implementation: We guide the implementation of data security measures such as encryption, pseudonymisation, and access controls.
- Breach notification protocols: We develop breach notification protocols to ensure timely reporting to MACRA and affected data subjects.
Policy development and training
- Data protection policies: We draft and review data protection policies to ensure they meet the Act’s standards.
- Employee training: We offer training programmes to educate employees on data protection principles and compliance requirements.
Cross-border data transfer
- Transfer mechanisms: We assist in establishing appropriate safeguards for cross-border data transfers and ensure compliance with MACRA’s approval process.
Data subject rights management
- Rights implementation: We develop processes for managing data subject rights, including access, rectification, and erasure requests.
Ongoing compliance support
- Regular audits: We conduct regular compliance audits to ensure continuous adherence to the Act.
- Compliance updates: We keep businesses informed of any updates or changes to data protection regulations.
Contact us
Feel free to reach out to us for help.