Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Botswana's Data Protection Act took effect 14 Jan. 2025 and organizations are working to implement a program that will ensure compliance.

There is excitement around the newly enacted law and an eagerness to understand and comply with the regulation, leading to daily job postings for data protection officers and managers during what is a subdued economy with a nearly 30% unemployment rate as of the first quarter of 2024.

Operationalizing the DPA, with its new data protection requirements, is a complex challenge. While many have begun the work, there remains a gap in reaching a level of maturity sufficient for the data protection authority, the Information and Data Protection Commission.

The DPA mandates, among other things, that data controllers process personal data in accordance with the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimization, information quality, storage limitation, integrity and confidentiality, and accountability.

Data controllers must also implement appropriate technical and organizational measures to safeguard personal data, considering the nature, scope, context and purposes of processing, as well as risks to rights and freedoms of data subjects. The act states data controllers must designate a data protection officer when personal data is processed on a large scale, core activities consist of processing sensitive personal data on a large scale, or personal data is processed relating to criminal convictions and offences regarding compliance with the act.

Fines for violating the act can reach as high as BWP50 million or the equivalent of 4% of the previous year's turnover. Anyone has a right to lodge a complaint with any competent court if they feel their data protection rights have been breached and can claim damages.

The following guidance can help ensure a DPA-compliant program, based on my experience implementing a data protection program in 2022 in Botswana — when the DPA still seemed ages away. This program implementation was completed as part of a two-year project.

The project team. Ensure a holistic team is in place with members from the departments that hold or process personal data in the organization, including information technology, marketing and human resources. These individuals will help to identify organizational processes with DPA-related gaps that need to be brought into compliance and to draft a database of solid processing activities within the organization.

Work breakdown structure. Ensure all project activities are identified and mapped for systematic monitoring, for example, through project scheduling software.

Risks. Identify, monitor and implement controls to effectively manage risks that can hinder the success of the project.

Gap analysis. Identify DPA compliance gaps and ensure processes are put in place to reach compliance.

Leadership. Get the organization's leadership team onboard to offer strategic support and ensure availability of necessary resources — whether people or financial allocations, system acquisitions, or consultancy services for validating drafted documents.  

Schedule. Plan and execute the project according to an established schedule.

Frameworks. Identify frameworks necessary to ensure a successful program and determine if a data protection officer or privacy manager is needed. Systems that already exist in the market can be explored to find the one most suitable to the organization based on its size and its data processing activities.

Training. A robust training program is necessary for compliance. It should be tailored to all stakeholders within the organization, including employees, leaders and business partners.

A holistic project management process can assist in ensuring a program is built with privacy by design. Evaluating and implementing these suggestions is a step in the right direction for creating a DPA-compliant program.

Naledi Comet Mokgwathi, CIPP/E, is a legal administrator at Debswana Diamond Company.