The long-delayed Data Protection Act sparked a scramble amongst the targeted entities who now have to guarantee the protection of consumers’ information, under threat of hefty penalties of up to P1 million and/or 12 years behind bars.
This week, consultants, including those in the legal fraternity, stepped up their calls for affected entities to engage them to conduct risk assessments and develop compliance strategies, as the Act finally kicked off after several extensions.
The Act, which dates back to 2018, grants consumers power over the use, storage and sharing of their personal information. The Act prohibits the sharing of consumer information with third parties without explicit consent from consumers, a move that is expected to create a compliance nightmare for banks, insurance, and telecom companies in particular.
The legislation defines more clearly what constitutes personal data. The definition includes not only information by which persons can be identified but also information that makes them potentially identifiable, whether directly or indirectly.
On Wednesday, intellectual property and copyright lawyer Topiwa Chilume told Businessweek that the Act is not limited to banks, telecoms companies and similar large entities but covers any institution or business that generates or keeps consumers' personal data.
“The Act applies to any business that generates or consumes personal data as defined. Affected entities are supposed to develop a data privacy policy and appoint data controllers,” he said.
Under the Act, data controllers determine the purposes and means by which personal data is to be processed, “regardless of whether or not such data is processed by such person or agent on that person’s behalf”.
The new law places weight on the shoulders of data controllers, who oversee data processors who process data on behalf of the data controller, as well as data protection representatives who are appointed by the data controller to “independently ensure that personal data is processed in a correct and lawful manner”.
Data controllers face stiff fines if they drop the ball under the new Act.
“A data controller who processes personal data in contravention of this Act commits an offence and is liable to a fine not exceeding P500,000 or to imprisonment for a term not exceeding nine years, or to both. A data controller who processes sensitive personal data in contravention of this Act commits an offence and is liable to a fine not exceeding P1,000,000 or to imprisonment for a term not exceeding 12 years, or to both. A data controller who does not inform a data subject of the rights conferred on the data subject under this Act commits an offence and is liable to a fine not exceeding P100,000 or to imprisonment for a term not exceeding three years, or to both,” reads the Act.
Banks, telecom firms and insurance companies have an additional burden as they mainly keep large databases of consumer information on servers outside the country. This is mainly because most of the operating entities in the financial services space and telecoms space are owned by other companies outside the country.
However, Section 48 of the new Act prohibits the transfer of personal data from Botswana to another country and also specifies the conditions under which extraordinary requests may be made for this transfer.
The Act also seeks to protect individuals against unlawful processing of their sensitive personal data. This includes personal data that reveals, among other things, an individual’s racial or ethnic origin, physical or mental health, membership of a trade union, personal financial information, political opinions, genetic data, biometric data, and personal data of minors.
The new law also places restrictions on direct marketing, which involves “directly reaching a market, customers or potential customers on a personal basis or mass media basis, and includes attempting to locate, contact, offer and make incentives to consumers, through communication medium such as phone calls, private meetings, infomercials, magazines or advertisements”.
Under the new statutes, data controllers are required, at no cost, to inform the data subjects of their right to oppose data processing, where this processing is being done for direct marketing.
Stanbic Bank Botswana Data Protection Officer Boitumelo Motshobedi said that for businesses, compliance is not merely a legal obligation but a foundational element that builds trust with customers.
“The Data Protection Act represents more than just a set of regulations; it’s an opportunity for businesses to reinforce their commitment to ethical practices and customer trust,” she said, in an emailed statement.