Botswana’s Data Protection Act, 2024 (the new Act) has officially come into effect on 14 January 2025 after the Data Protection Act of 2018 (the 2018 Act) was repealed after facing multiple delays since its transition in 2021. The new Act establishes a stronger data protection framework for safeguarding personal data and imposes stricter obligations on data controllers and processors. We break down what this landmark development means for businesses and individuals alike.

Who does the Act apply to?

The new Act has a broad scope and applies to the processing of personal data in Botswana. It also extends to data controllers and processors located outside Botswana when they offer goods or services to individuals in the country or monitor their behaviour.

However, there are notable exclusions where the Act does not apply:

  • Personal or household activities involving the processing of personal data.
  • Data processing by or on behalf of the State for national security and related public functions (such as law enforcement and taxation).
  • Processing for journalistic, artistic, or literary purposes when freedom of expression is an issue.

Key provisions in the new Act

Data subject rights

The new Act empowers individuals with rights to access, correct, delete and restrict processing of their data. They can also request data portability and object to automated decision-making.

Children’s data

Consent from a parent or guardian is required to process a child’s personal data unless the child is 16 or older, and can provide independent consent under the Botswana Children’s Act.

Cross-border transfers

Section 74 prohibits the transfer of personal data outside Botswana unless specific conditions are met such as ensuring that the destination country has adequate data protection measures in place and that such transfer is necessary for contractual, legal or public interest reasons. Botswana has also listed 45 approved countries for data transfers, including Kenya and South Africa.

Data breach notifications

Data controllers must notify the Information and Data Protection Commission within 72 hours of discovering a data breach. Affected individuals should be informed without undue delay if their rights or freedoms are at risk.

Data protection by design and default

Data controllers are required to adopt technical and organisational measures to ensure that only essential personal data is processed by default.

Appointment of data protection officers (DPOs)

Organisations conducting large-scale monitoring or processing sensitive data must appoint a DPO to oversee compliance and register their contact details with the Commission. The Commission is yet to publish details on how the registration process will work.

Data Protection Impact Assessments (DPIAs)

Data controllers are required to conduct a DPIA where processing is likely to result in high risks to the rights and freedoms of data subjects. High-risk processing may include large-scale processing of sensitive information, monitoring employee activities, or using AI systems for decision-making.

Penalties for non-compliance

Non-compliance may result in fines up to BWP 50 million or 4% of global turnover, and imprisonment for breaches of confidentiality or unauthorised data use.

What does this mean for you?

The Act is now in effect, making compliance mandatory. If you operate in the Botswana market, these changes likely affect you. Businesses must review their existing technical and organisational measures to ensure they meet the new Act’s requirements. Individuals can now request information from data controllers about how their data is handled and are protected from decisions made solely by automated processes. These measures give data subjects greater control over their information and create a safer digital environment in Botswana.

Actions you can take

  • Read the Data Protection Act to see where you fit in. We can also help you understand the Act and helping you with completing the actions you need to comply with.
  • We can help you by providing you with a data protection laws of Africa report, which is a detailed report outlining all the important issues in the Act you are interested in.
  • Join our data protection programme. We have a lens that specifically focuses on African data protection developments.
  • Subscribe to our newsletter to receive updates on the latest developments.