Botswana: Commencement of the Data Protection Act
The Data Protection Act, 2018 ('the Act') was identified by Botswana's National ICT Policy, known as Maitlamo, as one of the most relevant and necessary pieces of ICT-enabling legislation, alongside the Electronic Communications and Transactions Act, the Electronic Evidence (Records) Act, and the Cybercrime and Computer Related Crimes Act. The Act, which was enacted in 2018, came into effect on 15 October 2021 upon the issuance of a commencement order in the Government Gazette by the Minister of Presidential Affairs, Governance and Public Administration. Its transition period is 12 months from the date of commencement. Senwelo Modise, Associate at Botlhole Law Group, discusses the Act's provisions and how organisations can prepare during the transition period.
The Act has been promulgated to regulate the protection of personal data and to ensure that the privacy of individuals in relation to their personal data is maintained. It also establishes a regulator, the Information and Data Protection Commission ('the Commission'), to supervise compliance with the Act. The Commission has not been set up yet, and its constitution might be finalised during the transition period. The functions of the regulator are, among other things:
- to instruct a data controller to take such measures as are necessary to ensure that the processing of personal data is in accordance with the Act;
- to provide guidance and instructions on appropriate measures to ensure the security of personal data;
- to receive reports and claims from a data subject or his or her representative regarding a violation of the Act;
- to take such remedial action as is necessary or as may be prescribed; and
- to create and maintain a public register of all data controllers.
At the helm of the Commission is the Commissioner, a public office. Although the Act provides that the Commission shall do all such things as are necessary to protect the personal rights of individuals with regard to their personal data and to ensure the effective application of, and compliance with, the Act, it makes no provision for the independence of the Commission. This is in contrast with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which requires the complete independence of supervisory authorities, and with the Protection of Personal Information Act, 2013 (Act 4 of 2013) of South Africa, which requires that the Information Regulator be independent and impartial in the discharge of its duties.
The material scope of the Act is undoubtedly personal data; that is, data that is capable of identifying an individual directly or indirectly. Its territorial scope, on the other hand, extends to personal data entered into a file for a data controller that is established in Botswana, or that is not established in Botswana but makes use of processing means situated within Botswana. The household exemption applies to personal data processed for purely personal and household activity. Furthermore, the State is exempted from compliance with the Act in relation to processing for national security, the prevention, investigation, or proof of offences, and economic or financial interests. The exemption in relation to the State is not absolute; it requires that necessary safeguards for the processing of personal data be specifically created under some other written law.
Just like any other data protection law, the Act establishes the baseline for the protection of personal data by outlining the minimum requirements, or data protection principles, to be adhered to in the processing of personal data. In processing personal data, data controllers and data processors have to take into consideration lawfulness and fairness of processing, purpose specification and limitation, retention limitation, data minimisation, relevance and adequacy of personal data, integrity and confidentiality of personal data, and processing of personal data in accordance with good practice. Under the Act, the lawful basis for processing sensitive personal data is distinguished from the lawful basis for processing personal data that is not sensitive. By virtue of the Act, a data subject is afforded the right to be informed, the right of access, the right to be given reasons if access is denied, the right to object, the right to revoke consent, and the right to raise a challenge in relation to their personal data with the Commission. Unlike under the GDPR, data subjects are not afforded the right to data portability. A further contrast with the GDPR is the establishment of a data protection representative ('DPR') instead of a data protection officer, although the responsibilities are similar.
The Act generally prohibits the trans-border flow of personal data to a third country, but such a transfer may be made under the exemptions established by the Act. One of the exemptions allows personal data to be transferred to a third country if that country has adequate safeguards for personal data. The third countries with adequate safeguards are yet to be identified.
On penalties, the Act prescribes varying penalties for non-compliance, the highest being a fine of up to BWP 1,000,000 (approx. €75,770) and/or an imprisonment term not exceeding 12 years for processing sensitive personal data in contravention of the Act. For failure to implement appropriate security safeguards, the Act imposes a fine of up to BWP 500,000 (approx. €32,030) and/or an imprisonment term not exceeding nine years; the same also applies to failure to give effect to the data subject's right to object in respect of direct marketing.
Preparing for the Act
During the 12-month transition period, businesses should look into their processing activities for personal data. They ought to ascertain, among other things:
- whether they are a data controller, data processor, or recipient in relation to any processing activity;
- the nature and type of personal data that they are processing;
- where and how the personal data is collected and disclosed;
- the appropriate legal basis for processing the personal data;
- the appropriate organisational and technical safeguards for confidentiality and integrity of personal data processed;
- the authorisation processes with data processors and contractual clauses on obligations and apportionment of liability;
- circumstances under which notification to the regulator will be required and how this will be done; and
- whether personal data is transferred to a third country and the appropriate legal mechanism for doing so.
Furthermore, businesses ought to transform their processes to give effect to data subject rights, including data subject access requests. The Act does not explicitly require the carrying out of Data Protection Impact Assessments; however, it may be prudent to carry them out anyway to properly identify and mitigate the risks of the relevant processing activities. Businesses should also consider the appointment of a DPR to assist with compliance with the Act. One of the advantages of appointing a DPR is that the business would not have to notify the Commissioner each time before carrying out any wholly or partially automated processing of personal data.
Senwelo Modise, Associate
[email protected]
Botlhole Law Group [In Association with Neill Armstrong], Gaborone