The information and communications technology (“ICT”) revolution has made the world smaller and more interconnected. We exist within a global community in which multi-national organisations operate across the globe, and cross-border transactions and transfers of data occur on a daily basis. This revolution has necessitated a rising tide of stricter data privacy and security regulations.
What is personal data?
Simply put, personal data is any information that can be used to identify or distinguish an individual, such as the individual's name, national identification number, employee number, credit card details, postal and residential addresses, date of birth, images, medical records, IP address, etc.
An overview of the General Data Protection Regulation
2018 ushered in the passing of the General Data Protection Regulation 2016/679 (“GDPR”), a regulation that has been dubbed the most significant change in data privacy regulation in 20 years: the gold standard for data privacy and security.
The GDPR was drafted with the aim of:
- protecting the data privacy of all European Union (“EU”) data subjects;
- creating cohesion of data privacy and security laws across Europe; and
- reshaping the ways in which data is collected, managed, stored and transferred.
The GDPR applies to all EU data subjects; it therefore covers both individuals and corporations within the EU and the European Economic Area (“EEA”). The regulation also applies to organisations outside the EU and the EEA that do business with EU data subjects, to the extent that such organisations provide goods or services to, collect, process or store the personal data of, or monitor the online footprints of EU data subjects.
If an organisation collects, processes or stores the personal data of any EU data subject, the GDPR applies to that organisation, and failure to comply with the regulation could leave the offending organisation liable to fines of up to €20 million or 4% of the organisation's annual turnover, whichever is the greater. It is abundantly clear that this regulation is set to have far-reaching legal consequences.
As a result of this global trend, policy makers around the world have been scrambling to create legislation and policies that bring their respective countries into line with the new data privacy and security standards. Over the last 2 years a number of countries have passed data security and privacy legislation modelled after the GDPR, aimed at bringing their data privacy laws into compliance with the global “gold standard”. Argentina, Australia, Brazil, New Zealand, Angola, Benin, Botswana, South Africa and Madagascar are just a few of the countries that have enacted data privacy laws.
Data Protection Act 2018
On 03/8/2018 the Parliament of Botswana passed the Data Protection Act (“DPA”) into law; the Act is still on notice.
The DPA was enacted with the aim of:
- establishing the Information and Data Protection Commission (“IDPC”);
- regulating the protection of personal data of all data subjects; and
- regulating the collection, processing, transfer, storage and management of personal data.
The DPA applies to all organisations and individuals deemed to be ‘data processors’ or ‘data controllers’ in terms of the Act. Both data processors and data controllers have a duty to collect, process, store, transfer and manage personal data in compliance with the DPA.
The DPA restricts the cross-border transfer of personal data to third parties situated outside Botswana. Such transfers must be done in accordance with the requirements outlined in the Act, which must be met for the transfer to be lawful. The DPA provides that the following requirements must be met when collecting, processing, transferring and storing personal data:
- personal data must be processed fairly, lawfully and where necessary (and possible) must be obtained with the consent of the data subject;
- personal data must be collected for a specific and legitimate purpose, which must be stated in unambiguous terms; in addition, personal data may only be used for the stated purpose;
- personal data may only be kept for the period of time necessary for the purpose for which it was collected;
- personal data must be kept up to date; where it is not, the data controller or processor has a duty to rectify the issue;
- personal data must be complete and accurate; where it is not, the data controller or processor has a duty to ensure completeness and accuracy; and
- personal data must be adequately protected by safeguards from theft, loss and any unauthorised access or use.
Furthermore, section 15 of the DPA prohibits the disclosure of the personal data of any data subject without the consent of that subject or authorisation under a statutory instrument.
The DPA obliges data controllers and processors to place adequate safeguards on the personal data they collect, process and store. In the event of a security breach, these parties have a duty to notify the Commissioner of the IDPC of the breach in an expeditious fashion.
Failure to comply with the provisions of the DPA could lead to the offending data controllers and processors being penalised with a fine or a term of imprisonment, the maximum penalty being a fine of BWP 1 million or a term of imprisonment not exceeding 12 years, or both.
It is therefore important that organisations characterised as data controllers or processors in terms of the DPA ensure that they are in full compliance.
For further information contact Kutlo Mphusu on 391 2397 or email kutlo@bookbinderlaw.co.bw.