The deadline for compliance with the provisions of the Data Protection Act (DPA) has been extended from the original date of 15 October 2022 to a new date being 15 September 2023. In this opinion article, Lebogang George, a data and privacy lawyer with one of the leading law firms in Botswana, explains what this extension means for data processors, data controllers, data subjects as well as for the DPA Commission.
Extra-time- What does the Extension Really mean for stakeholders?
When your favourite team is playing and the 90-minute mark has passed, you’re looking forward to the extra time given, hoping that your team will outperform and score at the last stretch. Those final minutes of extra time are nerve-wracking and players always seem to have lost their flair and finesse, no longer playing that quality football but only determined to just score in that added time they’ve been allocated.
Like this analogy, in the days leading up to the deadline for the enactment of the Data Protection Act, law firms were inundated with calls as panic-stricken clients were hoping to find out whether there has been an extension to allow some extra time for them to essentially get their house in order and get a “score” for being data compliant, while some, at the eleventh hour wanted to enquire whether they had done enough for their technical and organizational efforts to pass muster. The goal here was not about the quality of policies or structures and systems in place but rather to just tick the compliance box and look to be compliant by the time the deadline approached. So, there was a huge sigh of relief when the Minister of State President exercised his powers and added “extra time” to the initial compliance deadline.
In the weeks leading up to the initial compliance deadline, organizations were scrambling to ensure that they have their ducks in a row so that come 15 October 2022, they would be compliant with the Botswana Data Protection Act No.32 of 2018 (the DPA).
But what does this extra time really mean for stakeholders?
Exactly that- Extra-Time! extra time to ensure that they are perfecting and refining their internal strategies and systems to align with the processing requirements and processing criteria set out in the DPA. This lifeline has allowed data controllers and processors to place their data compliance processes in order.
Where data controllers and processors were lagging behind and were far from being compliant with the DPA by the end of the initial compliance period, this has allowed them to start implementing processes and they have been afforded the time to test their strategies and systems as well as setting up measures that will align with the DPA.
What we know is that the extension is a 12 months extension with the new compliance deadline being 15 September 2023. The Ministry has exercised its powers under section 2 of the Data Protection (Amendment) Act No. 33 of 2022 to extend the transitional period. Further, the Data Protection Act (Transitional Period) Order, 2022 was published, confirming that the Minister, in exercising his powers, had extended the compliance deadline.
This extension also affords the Commission time to recruit skilled personnel to the Commission to enable it to discharge its functions adequately and with the precision demanded of it by the DPA.
Another thing that’s beneficial about this extension is that it allows for the Commission to have consultations regarding the DPA with critical stakeholders – consultations that would seek to close the gaps that have been identified in the DPA, possibly also identify more gaps, and ensure that the DPA is really up to par with international standards. In addition, these consultations will assist with allaying any concerns and uncertainties within the public and private sectors.
What we also hope and would like to see is this time being used effectively not only by data controllers and processors but by the Commission itself to educate all stakeholders and those who will be affected by the DPA about the DPA, the implications of non-compliance, the organizational and technical measures expected to be taken by them (what these look like etc.…) as well as practical examples of managing data and protecting/securing data. The Commission as a public office and a custodian of the DPA have the responsibility to empower and educate the public about the DPA and the Commission’s functions and powers. Data subjects have the right to know of their rights under the DPA, i.e. when to institute an action for damages against a data controller who processes data in contravention of the DPA as well as revoking their consent to process data where they had initially agreed to the processing of its data.
It would be great to see the Commission use this time to be more hands-on. We’ve seen regulatory authorities doing roadshows to educate the public. We need to see the Commission facilitating free DPA workshops and training across the country during this new transitional period. This extension can be used by the Commission to set up a website, again, to create awareness, impart knowledge, share any developments and updates, post Government Gazettes, post important announcements and t issue codes of conduct for the relevant authorities and regulatory bodies for the lawful processing of personal data- these codes should be easily accessed by the public at large.
Essentially, we need a Commission that is proactive in equipping the public with the necessary information and tools to comply with the DPA.
Personally, I welcome this extra time- it is a win for those affected by the DPA as this added time, used effectively can bear fruitful results.