New Data Commission tightens compliance oversight

Kepaletswe Somolekae.PIC.KENNEDY RAMOKONE

The newly appointed Information and Data Protection Commissioner, Kepaletswe Somolekae, has vowed to take a firmer stand against Non-Bank Financial Institutions (NBFI) that fail to comply with the Data Protection Act (DPA).

The Act, which came into force in January last year after years of a grace period, seeks to ensure that personal data is processed lawfully, fairly, transparently and with accountability, while also strengthening Botswana’s capacity to regulate cross-border data flows. The Act applies to all organisations that process personal data, including public entities, foreign data controllers offering goods or services in Botswana, and private sector institutions such as NBFIs.

Under the Act, NBFIs are required to embed data protection and privacy principles into their day-to-day operations as business entities that routinely handle large volumes of sensitive personal data.

These obligations include appointing Data Protection Officers, conducting Data Protection Impact Assessments (DPIA) for high-risk processing activities, maintaining records of processing activities, implementing appropriate technical and organisational security measures and notifying both the commission and affected individuals in the event of personal data breaches.

Speaking recently at a stakeholder symposium, Somolekae emphasised that NBFIs must strengthen compliance and institutional resilience, particularly where innovation and emerging technologies are involved. Although the commission did not issue fines in the first year of the DPA’s operation, the new commissioner warned that enforcement action would follow continued non-compliance.

“We have been working with the NBFIs to help them understand what they are required to do and assist them in complying. We have also realised that most of the well-established organisations are generally doing that, and our intention is to have compliance across the board.

“We will soon start charging,” she said.

According to Somolekae, DPIAs are mandatory for high-risk processing activities, including large-scale processing of sensitive personal data and systematic or extensive evaluations based on automated processing, such as credit underwriting and profiling.

“Under the Act, compliance is not optional. NBFIs must ensure that consumers can exercise their data protection rights, including the right to access, rectify, or erase personal data, object to processing, and not be subjected to solely automated decision-making,” she said.

The Commissioner further highlighted requirements governing cross-border data transfers. Data controllers intending to transfer personal data outside Botswana must rely on adequacy decisions, commonly referred to as a ‘white’ list, where the commission has determined that the receiving country provides an adequate level of protection. In the absence of such decisions, transfers must be supported by appropriate safeguards, including standard data protection clauses, legally binding instruments, approved codes of conduct, or binding corporate rules approved by the commission.

She said the increasing reliance on digital onboarding, mobile platforms, automated decision-making and artificial intelligence has heightened exposure to data protection and cybersecurity risks.

“Safeguarding customer and employee data has therefore become a regulatory and market conduct imperative.”

In November, David Tshere, the Minister of Communications and Innovation, said he plans to further amend the Data Protection Act to compel all businesses in Botswana to store their data in the country.

“I want the Act to compel businesses operating in Botswana to store their data in Botswana. This is the data sovereignty of the people.”