Botswana's Data Protection Act, officially enacted in 2018, has come into effect as of 14 January 2025, ushering in a new age of data protection in the country.
This follows several delays as the Act was at one point significantly amended by Parliament and the government also gave entities extension periods to work on their compliance.
The Data Protection Act defines what constitutes personal data, as well as outlines the rights and obligations of parties involved in the processing of personal data, including the data subject, data controller and data processor.
Further, the Data Protection Act establishes the Information and Data Protection Commission, which will be responsible for ensuring the effective application of the Data Protection Act after its commencement.
According to seasoned data privacy and protection attorney Lebogang George, the Act will require businesses to be ethical, transparent and accountable in how they deal with clients, customers and employees' personal data.
"To data subjects, who are individuals whom the data concerns, know your rights and your powers in terms of the DPA. It’s actually designed to protect individuals and gives them the power to control what happens with their personal data," George said.
"To the Commission, lead by example. Guide, teach and impart knowledge to the business community, government and civil society. Ensure equal and proper adherence and adequate enforcement of the law."
Some of the fines associated with non-compliance include an administrative fine not exceeding P10 000 000, or in the case of an undertaking, not exceeding 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
There is also an administrative fine not exceeding P50 000 000, or in the case of an undertaking, not exceeding 4% of the total value worldwide annual turnover of the preceding financial year, whichever is higher.
These all depend on the severity of the non-compliance.