Botswana introduced a fresh Data Protection Bill on July 26 as the country struggled to fully get its long-awaited Data Protection Act (DPA) off the ground.
While the DPA – which sets out the requirements for lawful processing of personal and sensitive data – was passed into law in 2021, it has been beset by delays, with the compliance deadline, originally set for October 2022, pushed back several times to October 2024 as the government continues to amend and iron out the Act’s details.
The delays have been spurred by concerns that the Act does not adequately address the serious data privacy issues facing the country, including instances of data theft, financial fraud, hacking of business data and increased state surveillance.
In this episode of Decoder, admitted attorney Lebogang George breaks down some of the amendments as the date for compliance with the new DPA draws closer.
I’ve answered the clarion call to provide some highlights of the new DPA Bill. Below are just 20 of the noteworthy provisions, in no particular order but what my brain could recollect while penning down the new amendments:
1. What wasn’t so clear in the DPA was its applicability to State-Owned Entities and Government. It was inferred that the DPA would apply to them. The DPA Bill categorically provides and stipulates that the Act shall bind the State, and thus extends the application of the DPA to the Government.
2. The mandate of the Commission has been extended to include access to information. This provides citizens with the right to access information about how government is performing. Batswana can access public activities, as well as access what is supposed to be public knowledge so they can judge for themselves whether the government is fulfilling its promises and can make informed decisions about issues that affect them. It’s a key component of democracy as it allows citizens to access public documents that are in their best interests.
3. The DPA Bill is prescriptive in that it stipulates that the data controller must facilitate the exercising of the rights of the data subject. This means a simple Data Subject Request Form will suffice to allow data subjects to make a formal written request to access their personal data.
4. The obligations of both the data controller and the data processor have been provided for, including the obligation to maintain a record of processing activities, to cooperate with the Commission, and to enter into a contract with each other, i.e., a data sharing agreement. The standard contractual clauses that must be included in the contract are contained in the DPA Bill.
5. What also stands out here is that the notification of breach is no longer done “without delay” but must be done “no later than 72 hours after having become aware of it”. The notification must be to the Commission and data subjects affected.
6. Further to the notification point above, not every breach is notifiable. There are instances where a breach is not considered notifiable, i.e., where the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subject. So a data controller must not jump to notify and cause unnecessary alarm. They must first assess whether the breach is notifiable.
7. A data controller is mandated to conduct due diligence on new technologies to be used to assist it in processing personal data. This includes analyzing how the new technologies that the data controller wants to implement will affect the security of personal data.
8. The DPA Bill stipulates, amongst other things, that a data controller must appoint a DPO when its core activities consist of processing sensitive personal data on a large scale and require regular and systematic monitoring of data subjects on a large scale. Some relief is that, should the data controller or data processor process sensitive data on a large scale or need to consistently monitor data subjects on a large scale, the DPA Bill offers the option of either appointing a DPO as a staff member or appointing one on a service contract basis (i.e., their services can be outsourced). A DPO who is a staff member has functional independence.
9. The DPA Bill states that transfers of personal data to third countries / across borders are no longer “prohibited” and are subject to the Minister publishing an Order in the Gazette designating the transfer of personal data to any country listed in such Order. In simple terms, under the DPA Bill, the transfer of personal data to third countries or international organizations is done on the basis of an adequacy decision.
10. The DPA Bill touches on children’s privacy rights as it addresses and makes reference to conditions applicable to children concerning information society services, i.e., online activities such as online information, advertising, online shopping, apps, websites selling goods, search engines etc. It therefore provides for the lawful processing of children’s personal data, with consent to be obtained from a parent or a person who has parental duties over the child in terms of the Children’s Act.
11. As data protection experts we often advise our clients to have a policy that addresses retention, so that it aligns with the DPA and ancillary legislation and justifies the retention period. The DPA Bill talks about this and stipulates that further information must be provided to the data subject to ensure transparent processing. In terms of the DPA Bill, the data controller shall, in addition to their obligations under the DPA, provide the data subject with the period for which personal data will be stored or, if that is not possible, the criteria that will be used to determine that period. It is therefore imperative that data controllers have a Records and Retention Management Policy that satisfies this condition.
12. Where there was uncertainty about what compliance looks like, the DPA Bill categorically stipulates that organizational measures, such as the implementation of appropriate data protection policies, must be updated and reviewed by the Data Controller and Data Processor.
13. In addition to what compliance looks like from a technical point of view, the DPA Bill mentions what may sound nuanced but is borrowed from international data protection legislation, namely the EU GDPR: “Data Protection by design and by default”. This simply means that the data controller must implement technical measures, such as adequate technology systems, to ensure that the necessary safeguards and security are adopted to secure personal data.
14. The DPA Bill adds more obligations on the data processor (service provider, contractor, supplier etc.), who must guarantee that they have implemented appropriate technical and organizational measures as stipulated in the DPA, and must give this guarantee to the data controller.
15. What was also unclear were the security standards expected of data controllers to demonstrate compliance. The DPA Bill has a section on the security of personal data which lists the steps to take to ensure technical measures are implemented. Where appropriate, the technical measures include pseudonymization or encryption of personal data, as well as the data controller and data processor conducting regular testing, assessment and evaluation of IT systems and infrastructure.
16. An interesting addition is the definition of profiling, something unique in the context of Botswana. The DPA Bill prohibits data processing when it leads to profiling that will negatively impact individuals by causing discrimination and/or marginalization.
17. The definition of a personal data breach has been added. What I have encountered is clients seeking definition and clarity on what constitutes a data breach. This includes any unlawful access, destruction, loss, or unauthorized disclosure of personal data. It could occur through simply losing a memory stick that contains personal data, sending an email attachment containing personal data to the wrong recipients, and/or the theft of an electronic device that contains personal data, etc.
18. Rest assured that administrative fines aren’t just dished out willy-nilly. Under the DPA Bill, the general conditions for imposing administrative fines have been laid out. The Commission will therefore not jump to imposing an administrative fine and shall consider several factors first.
19. The DPA Bill gives the Commission “Corrective Powers”, which means that before issuing an administrative fine, other steps will be considered at the discretion of the Commission. A warning to a data controller or data processor may be issued, an order to comply with the DPA may be issued, a temporary ban on processing may be imposed, as well as any other corrective measures that the Commission deems appropriate.
20. The Commission doesn’t exist to be a punitive watchdog. So where there was fear of financially crippling entities for non-compliance, those fears are allayed by including a provision on the gravity of contravention and imposing harsh penalties on the gravest contravention. What is considered “grave” will include where a data controller or data processor intentionally or negligently contravenes the DPA.
The administrative fines are stipulated as follows: an administrative fine not exceeding P10 000 000 or, in the case of an undertaking, not exceeding 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; and an administrative fine not exceeding P50 000 000 or, in the case of an undertaking, not exceeding 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Lebogang's experience in Data Protection and Privacy Law spans South Africa and the European Union, and she has advised clients in both the public and private sectors. She has recently taken a keen interest in the Botswana Data Protection Act and provides advice on the Botswana DPA. She is a 2022 Women in Tech Africa nominee and has represented Botswana on various platforms, including the World Youth Forum in Egypt in 2019. She was also among the Top 100 Barclays Bank Brightest Young Minds in South Africa and a Top 50 Mail & Guardian Africa - Botswana Change Maker award recipient, to name a few.