Implementing a DPA program: A perspective from Botswana

Botswana's Data Protection Act took effect 14 Jan. 2025 and organizations are working to implement a program that will ensure compliance.

There is excitement around the newly enacted law and an eagerness to understand and comply with the regulation, leading to daily job postings for data protection officers and managers during what is a subdued economy with a nearly 30% unemployment rate as of the first quarter of 2024.

Operationalizing the DPA, with its new data protection requirements, is a complex challenge. While many have begun the work, there remains a gap in reaching a level of maturity sufficient for the data protection authority, the Information and Data Protection Commission.

The DPA mandates, among other things, that data controllers process personal data in accordance with the data protection principles of lawfulness, fairness, transparency, purpose limitation, data minimization, information quality, storage limitation, integrity, and confidentiality and accountability.

Data controllers must also implement appropriate technical and organizational measures to safeguard personal data, considering the nature, scope, context and purposes of processing, as well as risks to rights and freedoms of data subjects. The act states data controllers must designate a data protection officer when personal data is processed on a large scale, core activities consist of processing sensitive personal data on a large scale, or personal data is processed relating to criminal convictions and offences regarding compliance with the act.