The A-B-C’s of Achieving Compliance with the Data Protection Act

Jun 13, 2024 | Business, Updates

Simon DPA

In the age of information technology, where the lifeline of a business is the information it stores on servers and in the cloud, hackers are increasingly accessing millions of records belonging to businesses and demanding ransom payments. This is now a growing trend in Botswana, with a few businesses having already been on the receiving end of extortion by hackers.

We hope this will soon be combated as the Botswana business landscape braces for a new dawn once the Data Protection Act of Botswana (“DPA”), which was passed into law on 15 October 2021, comes fully into force after 14 October 2024.

The DPA’s main objective is to ensure that personal data is processed in a lawful manner. In this regard, personal data is defined as information relating to an identified or identifiable individual, that is, a person who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural, or social identity.

The DPA also seeks to protect individuals against unlawful processing of their sensitive personal data. This includes, among other things, personal data that reveals an individual’s racial or ethnic origin, physical or mental health, membership of a trade union, personal financial information, political opinions, genetic data, biometric data, and the personal data of minors.

With this in mind, businesses, especially those that handle a great deal of people’s information, have a few months to ensure that they will be compliant with the DPA.

The big question, however, is how a business can accomplish this. First of all, you need an experienced team of lawyers with commanding experience in delivering data protection law solutions, and you also need to appoint an internal resource who will lead the implementation project for your business.

At a very high level, the process essentially comprises:

  • The starting point is a risk assessment exercise conducted on the business, particularly the business activities that involve the processing of personal data. This includes assessing the information provided in completed data protection information-gathering surveys and related documentation. This is typically called the gap analysis stage;
  • The purpose of the gap analysis is to determine existing compliance levels and the risks of non-compliance in the business operations. The results are captured in a report that breaks down the business’s level of compliance against the 8 principles of the data lifecycle;
  • Preparation of all relevant data processing policies (internal and external privacy policies, records retention and destruction policies, cookie policy, information security policies), procedures (privacy impact assessment procedures, data breach response procedure), agreements (data processing agreements, cross-border data transfer agreements), privacy forms and templates, and other compliance documentation required to embed DPA compliance in the business, together with assistance in setting up the relevant governance forums and the procedures/terms of reference for the various governance structures that will manage ongoing data protection compliance;
  • Addressing and managing all key compliance and legal risks to the business arising from the implementation and operationalization of the DPA; and
  • Setting up an information repository, along with preparation of an overall compliance manual and the compliance documentation and procedures needed to manage ongoing DPA compliance within the business, including conducting ongoing data privacy impact assessments.

To this end, we urge your business (especially if you handle large amounts of personal data) to take the necessary steps to become exemplary in data protection compliance.

For more information on the above, please contact Mr. Simon Bathusi at simon@armstrongs.bw or call +267 395 3481.
