Data Privacy Laws are Emerging in Africa - Botswana’s New Law
The Recap
Botswana’s new data privacy law, officially titled the Data Protection Act, 2021, came into effect in 2024. This law aims to regulate the collection, use, and processing of personal data in Botswana, establishing a comprehensive framework for data protection in line with international standards.
Botswana’s Data Protection Act, 2021 brings the country’s data privacy framework in line with international standards such as the EU General Data Protection Regulation (GDPR), providing robust protections for individual privacy while placing clear responsibilities on businesses.
Here's an overview of its key provisions:
1. Rights of Data Subjects
Consent: The law emphasizes the need for explicit and informed consent before collecting or processing personal data. Data subjects (individuals) must be fully aware of how their personal information will be used.
Access and Correction: Individuals have the right to access their personal data held by organizations and to request corrections if the data is inaccurate.
Right to Erasure: Data subjects can request the deletion of their personal data, subject to specific conditions, such as compliance with legal obligations or contracts.
Data Portability: Individuals can request that their data be transferred to another service provider in a usable format.
2. Obligations of Data Controllers and Processors
Data Minimization: Organizations must collect only the data that is necessary for the specified purpose and must avoid excessive data collection.
Purpose Limitation: Personal data can only be used for the purpose for which it was originally collected, and any new processing must align with this purpose.
Data Security: Organizations are required to implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or damage.
Data Protection Impact Assessments (DPIA): Organizations must conduct DPIAs for high-risk processing activities to assess and mitigate potential privacy risks.
3. Data Protection Authority
The law establishes a Data Protection Authority (DPA) responsible for overseeing and enforcing compliance with the Data Protection Act.
The DPA has the authority to investigate complaints, issue fines, and enforce corrective actions for non-compliance with the law.
The DPA also provides guidance to businesses and individuals on data privacy best practices.
4. Cross-Border Data Transfers
International Transfers: The law regulates the transfer of personal data outside of Botswana. Personal data can only be transferred to countries or organizations that provide an adequate level of data protection.
Safeguards: Organizations transferring data abroad must implement appropriate safeguards, such as contractual clauses or binding corporate rules, to ensure the protection of personal data.
5. Penalties and Enforcement
Fines and Sanctions: Organizations found in violation of the law may face significant penalties, including fines or orders to suspend processing activities.
Criminal Liability: In cases of serious violations (such as data breaches caused by negligence or unlawful data processing), individuals responsible for the breach may be subject to criminal prosecution.
6. Special Categories of Data
The law recognizes the sensitive nature of certain types of data, such as racial or ethnic origin, health information, and religious beliefs, and imposes stricter requirements for processing these types of data.
Special consent requirements and additional safeguards are mandated for processing sensitive personal data.
7. Transparency and Accountability
Organizations are required to be transparent about their data processing practices. This includes clear privacy notices that inform data subjects about how their data will be collected, used, and retained.
Businesses must maintain records of processing activities and demonstrate accountability for their data handling practices.
8. Data Breach Notification
The law mandates that organizations report any personal data breaches to the Data Protection Authority and affected individuals within a specified time frame (typically 72 hours) if the breach poses a risk to the rights and freedoms of data subjects.
The Game Plan
Update Your Data Protection Practices. Businesses operating in Botswana or processing the data of Botswana residents will need to update their data protection practices to comply with the new law.
Make Sure Your Cross-Border Data Transfers are Compliant. International businesses with ties to Botswana must ensure that their data transfer practices comply with the new cross-border data regulations.
Check to See if You are Processing Sensitive Data. The law also introduces a new compliance burden for companies, especially those in sectors like healthcare, finance, and telecommunications, where sensitive data is commonly processed.
Need Help?
Tap in Three-Point Law by emailing consult@threepointlaw.com.