
Data protection as a compliance and risk imperative

Sharing insights: Seleka

Not long ago, if you told someone in finance that personal data would one day be as important to protect as capital, they might have raised their eyebrows.

However, today, it is a reality that we all live in. Across financial services and even the investment landscape, entities rely on data to do almost everything; from understanding client needs to making decisions that shape financial futures. Companies collect an enormous amount of data for every client/individual, every onboarding form, and every analytical report.

The Botswana Data Protection Act, 2024 (“the Act”) refers to the individuals about whom personal data is collected as data subjects. Since personal data is so critical in understanding data subjects and their likely behaviour, the Act aims to protect their rights and to ensure that no information collected during their interaction with data-collecting entities is misused.

Importantly, the Act aligns with international best practices such as the EU General Data Protection Regulation (GDPR), positioning it as a progressive piece of legislation aimed at promoting responsible data governance in Botswana.

On the other hand, companies can be either data controllers or data processors. A data controller is the party that decides why and how personal data is collected and used. They are essentially the “boss” of the data. In contrast, a data processor handles personal data only on behalf of the controller and follows the controller’s instructions.

They act like an assistant to the boss. For example, if a bank collects customer information such as KYC to open accounts, it is the data controller because it determines the purpose and method of processing the data. If the bank hires a cloud service provider to store that information, the cloud provider is the data processor because it simply processes the data as instructed by the bank.

In short, the controller has the decision-making power of the method and purpose of the data collected, while the processor supports by carrying out tasks under the controller’s direction. The Act applies equally to both the data controller and data processor.

Botswana’s Data Protection Act, 2024 is not just a compliance checkbox. It reflects how far we have come and is a sign of what’s now expected from us as stewards of capital and trust.

Making sense of the Data Protection Act, 2024

The new act updates and replaces Botswana’s old Data Protection law of 2018, bringing it in line with modern standards and expectations. So, what does it mean?

In short, it describes how personal information is collected, used, stored, and protected. It also gives individuals rights over their own data: the right to know what we hold, correct it, delete it, and say “no thanks” to certain uses, such as direct marketing or profiling.

While these rights were also present under the 2018 Act, they were previously embedded within broader provisions and lacked detailed procedural guidance. The Act strengthens individual data rights by clearly outlining what they are and how they can be exercised. It also places stricter responsibilities on organizations (data controllers) to respond within set timeframes.

For example, individuals now have a more clearly defined right to object to how their data is used, especially for purposes such as marketing or automated decision-making. The right to have personal data deleted, also known as the 'right to be forgotten,' now includes clearer rules and conditions. These updates make it easier for people to understand and exercise their rights, while ensuring organizations are more accountable.

The interesting thing about the Act is that it is extraterritorial, meaning that even companies without a physical presence in Botswana must comply if they collect, or process personal data of data subjects based in Botswana. In doing so, the Act reinforces Botswana’s commitment to progressive, globally-aligned data governance.

The Commission that oversees compliance is not merely symbolic; it has teeth. It can investigate, demand corrective action, and issue very significant fines. However, this law is not just about punishment; it is about building a culture of transparency and accountability in which people feel safe doing business with companies. In a world where data can easily be misused and abused, it is important that companies that collect and process personal data do so responsibly, with appropriate protections in place.

Why this should matter to every company

Let us now consider the legal requirements for a moment. People are at the heart of every transaction, and behind each person is a story, often told through data: names, contact details, employment history, salaries, Omang numbers, and beyond. This data allows institutions to serve them. However, mishandling it, whether through a cyber breach, negligence, or even accidental exposure, can erode trust faster than it took to build. In financial institutions and in any other industry, trust underpins everything else.

Customers do not simply evaluate returns; they also evaluate the trustworthiness and integrity of institutions. When data is mishandled, the fallout can be reputational, operational, legal and strategic. Therefore, compliance with the Data Protection Act is no longer optional; it is a pillar of risk management and can provide a source of competitive edge.

Examples of data mishandling and its consequences:

Meta (Facebook) & Cambridge Analytica – Global

In 2018, it was revealed that Cambridge Analytica improperly accessed data from millions of Facebook users without their consent. The data was allegedly used to influence political outcomes, including elections. This scandal led to global outrage, significant regulatory scrutiny, and a massive erosion of trust in Facebook, not to mention billions lost in market value (BBC News, 2018).

Experian Breach – South Africa

In 2020, credit bureau Experian suffered a breach in South Africa that exposed the personal details of about 24 million people and nearly 800,000 businesses. The data was reportedly used for marketing and might have been sold on the dark web. This incident became a key case study in the importance of compliance with POPIA (Protection of Personal Information Act), South Africa’s equivalent of data protection laws. It enhanced both public awareness and regulatory enforcement (TechTimes, 2020).

These incidents are reminders that data protection is not optional but essential to business integrity. Institutions that protect personal data not only comply with the law, but also earn lasting trust.

Lawful basis for processing personal data

The Data Protection Act is intended to prevent businesses from misusing personal data. It ensures that such use is lawful, responsible, and respectful of individuals’ rights over their personal information. So, when is it actually legal to collect or use someone’s data? The law sets out a number of clear conditions under which processing is permitted:

Consent – This is the most well-known condition. It is key to obtain explicit, informed, and voluntary consent from individuals before processing their personal data. This consent can be withdrawn at any time and mostly applies to using data for marketing, promotions, cross-selling and upselling.

Contractual Necessity – If data processing is essential to fulfill a contract or take steps at the request of the data subject before entering into a contract, it is deemed lawful.

Legal Obligation – Companies can process data when required to comply with legal obligations, excluding contractual obligations. This includes instances such as requests for “KYC” information to comply with the requirements of the Financial Intelligence Act.

Vital Interests – Processing is justified when necessary to protect the life or health of the data subject or another individual. This would be required predominantly in the healthcare industry to ensure the preservation of life. It could also apply in instances such as health-related pandemics, where personal data may be processed for contact tracing so as to contain the spread of pathogens.

Public Interest or Official Authority – Data processing is lawful when carried out in the public interest or as part of official duties vested in the data controller. This is mostly applicable to public entities. An example would be a population census exercise that assists government with planning and improves efficiency by looking at demographic data.

Special Categories of Personal Data

The Botswana Data Protection Act, 2024 clearly distinguishes between Personal Data and Sensitive Personal Data, with the latter requiring heightened protection due to its nature and potential impact on individuals' rights and freedoms.

Sensitive Personal Data includes:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Biometric or genetic data
• Health status
• Sexual orientation

Processing such data is generally prohibited unless it falls within specific exceptions, such as obtaining explicit consent, fulfilling legal obligations, or meeting requirements under employment law. Entities must implement stricter safeguards when handling this category of data to ensure compliance and protect individual privacy.

Protection of Children's Data

The Act also prioritises the protection of children’s data. Processing personal data of individuals under 18 years requires parental or guardian consent. However, children aged 16 and above may provide consent for digital services, provided reasonable steps are taken to verify authorization by a parent or legal guardian.

So, what does a data-secure company look like?

It is not just compliant; it is confident, proactive, and trusted. Here's the blueprint:

• Appoint a Data Protection Officer or lead. Someone must champion and be responsible for data compliance and keep it on their radar daily.
• Your data policies should not be outdated. They must align with the Data Protection Act, 2024, be clear, and be followed by everyone. These should not be just documents; they should be alive and practised by organisations and the people within them.
• If third parties touch client personal data, they have to follow the same rules. Build data obligations into every contract and audit for follow-through.
• People are your strongest defence or your weakest link. Build a culture in which staff handle data with the same care and importance as financial capital.
• Breaches may happen. Be ready. Have a response and communication plan that you can launch at a moment’s notice, before damage is done.
• Ensure that all your clients are aware of their rights as they relate to how their data is processed; transparency is vital. It is also key to ensure that once data is collected, it is adequately protected and is not kept for longer than is necessary.

Consequences of non-compliance

Failure to comply with the Data Protection Act can result in severe penalties, including fines of up to P50 million or four percent of the company’s global annual revenue, whichever is greater. In extreme cases, responsible individuals may face imprisonment.

Do not wait for enforcement action, or, worse, a breach that damages confidence in your brand. Start by asking: Are we compliant with the Data Protection Act, 2024? Are our partners and portfolio companies aligned?

At Bifm, we have embedded data protection into our risk and governance structures because we understand this simple truth: protecting data is protecting people, and in the investment world, nothing matters more.

*Tapologo Seleka is a Risk and Compliance Officer at Bifm