Botswana's New Data Protection Act: What You Need to Know (2025 Guide)

Introduction

The Botswana Data Protection Act, 2024 (the new Act) officially came into effect on 14 January 2025. The new Act replaces the Data Protection Act 32 of 2018. Its language has been refined to be clearer and less ambiguous, making it easier to interpret and apply. The new Act strengthens the country's data protection framework, aligning it with international standards such as the EU's General Data Protection Regulation (GDPR).

If you operate in the Botswana market, these changes likely affect you. Businesses must review their existing technical and organisational measures to ensure they meet the new Act’s requirements. 

The Act ensures that personal data is processed with integrity, transparency, and accountability. It addresses modern challenges such as cross-border data transfers and data breaches. For individuals, it provides robust rights over their personal information, including access, correction, and erasure. For organisations, it sets clear standards for lawful data processing, secure handling of sensitive data, and compliance with global best practices. Lastly, it introduces increased penalties for breaches to ensure compliance.

Key Definitions

The national supervisory authority responsible for ensuring the effective application of, and compliance with, the Act is the Information and Data Protection Commission (the Commission). The Commission monitors and enforces the application of the Act, promotes awareness, advises on data protection, handles complaints, and conducts investigations.

At its core, the Act revolves around three central figures: the "data subject", the "data controller" and the "data processor".

Data Subject: the individual whose personal data is being collected, processed, and stored. Personal data can be anything from a subject's name and contact details to their financial information and biometric data.

Data Controller: the person or organisation (e.g., a company, a government ministry, or a hospital) that determines the "why" and "how" of data processing. The controller is responsible for ensuring that the data subject's data is handled lawfully.

Data Processor: the person or organisation that processes data on behalf of a data controller. This could be a third-party service provider, such as a cloud hosting company or a payroll service. The processor acts on the instructions of the controller and does not determine the purpose or means of the processing.

Scope and Exclusions

The Act applies to organisations and entities in Botswana that process personal data. It also extends to international organisations, data controllers or data processors outside Botswana if they offer goods or services to individuals in Botswana or monitor their behaviour within the country. This broadens the territorial scope of the provisions, mirroring the GDPR.

This Act is not applicable to:

  • Personal or household activities involving the processing of personal data.
  • Data processing by or on behalf of the State for national security, public safety, budgetary and taxation matters. 

Principles of Data Processing 

Sections 19-24 of the Act set out the core principles of data processing that data controllers must adhere to:

  • Lawfulness, Fairness, and Transparency: Data must be processed legally, in a way that is just, and with full transparency to the data subject.
  • Purpose Limitation: Data should only be collected for specified, explicit, and legitimate purposes.
  • Data Minimisation: Only the minimum amount of data necessary for the intended purpose should be collected.
  • Accuracy: Data must be accurate, complete, and kept up-to-date. Reasonable steps must be taken to ensure that personal data that is inaccurate, having regard to the purpose for which it is processed, is erased or rectified without delay. 
  • Storage Limitation: Personal data that is kept in a form which permits the identification of data subjects should not be kept for longer than is necessary.
  • Integrity and Confidentiality: Appropriate security measures must be in place to protect data from unauthorized access, unlawful processing, accidental loss, destruction or damage.

Section 25 of the Act requires the data controller to be responsible for and be able to demonstrate compliance with the principles of processing. 

The Rights of the Data Subject 

Part VIII of the Data Protection Act sets out the rights of the data subject. The Act empowers the data subject with significant control over their personal information. These rights include:

  • The Right to Be Informed: The right to know what data is being collected, who is collecting it, and why. Individuals can now request information from data controllers about how their data is handled and how they are protected from decisions made solely by automated processes.
  • The Right of Access: The data subject can request access to their personal data held by a data controller.
  • The Right to Rectification: The data subject can request that inaccurate or incomplete data be corrected.
  • The Right to Erasure (Right to be Forgotten): In certain circumstances, the data subject can request the deletion of their personal data.
  • The Right to Object: The data subject can object to the processing of their data, particularly for direct marketing purposes.
  • The Right to Data Portability: The data subject can ask for their data to be transferred to another organization in a structured, commonly used, and machine-readable format.

Key Obligations for Businesses: Complying with Botswana's Data Law

The new Act introduces clear requirements, including:

  • Mandating entities to adopt data protection by design and default
  • Maintaining a Record of Processing Activities (RoPA)
  • Implementing appropriate data security standards
  • Managing data breaches effectively
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Appointing data protection officers
  • Allowing for the creation of specialized codes of conduct

Data Protection by design and default

Section 52 outlines the legal obligation for data controllers to implement and maintain data protection measures. It emphasizes a "data protection by design and by default" approach.

Data controllers must, from the very beginning of any data processing activity, implement technical and organizational measures to ensure compliance with the data protection principles of the Act. These measures should consider the current technology, the costs involved, and the nature and risks of the data processing. The goal is to build necessary safeguards directly into the processing system.

By default, data controllers must ensure that they only process the personal data that is absolutely necessary for each specific purpose. This applies to the amount of data collected, the extent of its processing, how long it is stored, and who has access to it.

Record of Processing Activities (RoPA)

Section 60 of the Act requires data controllers to keep a record of processing activities. Similarly, data processors must maintain a record of the processing activities carried out on behalf of a controller. The content required of a controller's record differs from that required of a processor's record. The record must be provided to the Commission on request.

Data security - Section 62

Section 62 mandates that data controllers and processors implement appropriate technical and organisational measures to ensure the security of personal data, considering the risks associated with the processing. These measures include pseudonymisation, encryption, ensuring the ongoing confidentiality and integrity of systems, and enabling the timely restoration of data after incidents. The measures should be regularly monitored and tested to ensure their ongoing effectiveness.

Handling of data breaches (Section 64)

In the event of a personal data breach, data controllers must notify the Information and Data Protection Commission within 72 hours of becoming aware of the breach. They must also notify affected individuals if the breach is likely to pose a significant risk to their rights and freedoms. Additionally, data controllers are required to maintain a record of data breaches, which should include facts of the breach, its effects, and remedial action taken. This record must be accessible to the Commission to verify compliance.

Data Protection Impact Assessment  

The Act requires data controllers to conduct a Data Protection Impact Assessment (DPIA) where processing will likely result in high risks to the rights and freedoms of data subjects. The Act identifies these types of high-risk processing: 

  • Systematic evaluations of personal data that lead to significant legal effects on an individual, such as profiling. 
  • Large-scale processing of sensitive personal data like health information.
  • Systematic, large-scale monitoring of publicly accessible areas (e.g., extensive CCTV surveillance).

A Data Protection Impact Assessment should include:

  • A detailed description of the processing operations and their purpose.
  • An assessment of whether the processing is necessary and proportionate.
  • An analysis of the risks to the rights and freedoms of data subjects.
  • The measures and safeguards planned to address those risks.
  • Where appropriate, the data controller should seek the views of the data subjects or their representatives.

If a DPIA shows that a processing operation, even with safeguards, would still result in a high risk, the data controller must consult the Commission before starting the processing. The Commission has the authority to provide written advice, and if necessary, can take action to ensure compliance.

Data Protection Officer - Sections 69-72

Organisations that engage in large-scale data processing or handle sensitive data are required to appoint a qualified Data Protection Officer (DPO) to oversee compliance. The contact details of the DPO must be registered with the Information and Data Protection Commission, as the DPO will serve as the primary contact point for the Commission.

Code of Conduct for Small and Medium Businesses

Section 73 of the new Act enables data controllers, processors, their representatives, or business associations to create specialized codes of conduct. This provision allows for the creation of industry-specific guidance that makes compliance more manageable for smaller businesses.

The codes must cover:

  • Guidelines for fair and transparent data processing
  • Procedures for collecting and protecting data
  • Requirements for reporting data breaches
  • Rules for transferring personal data to other countries
  • Processes for resolving disputes between businesses and individuals whose data is processed

Once a code is drafted, it must be submitted to the Commission for review. Upon approval, the Commission will officially register the code and make it publicly available.

Transfer of data outside of Botswana

The Act strictly regulates the transfer of personal data outside of Botswana. Such transfers are prohibited unless:

  • The destination country has been deemed to have adequate data protection measures in place. (In 2022 the Commission published a list of 45 adequate countries for data transfers, including Kenya and South Africa).
  • If there is no adequacy decision, data can still be transferred if the data controller or processor provides appropriate safeguards that guarantee enforceable rights for the data subject. 
  • In the absence of an adequacy decision or appropriate safeguards, a transfer can still occur under specific conditions, where:
    • The data subject has given explicit consent after being informed of the risks.
    • The transfer is necessary for the performance of a contract with the data subject.
    • The transfer is necessary for legal claims or to protect the vital interests of the data subject.
    • The transfer is for a legitimate public interest or from a public register.

The Act requires that a copy of the personal data must remain in Botswana for the duration of the processing. Lastly, the Act tasks the Commission to promote international cooperation to develop mechanisms supporting its extraterritorial application and facilitate the enforcement of data protection laws globally.

Penalties

The new legislation introduces significantly stiffer penalties for non-compliance. These can include:

  • Substantial fines, which can be as high as BWP 50 million or 4% of a company’s global annual turnover, whichever is higher.
  • Imprisonment for certain serious offenses.

These penalties underscore the seriousness of data protection in Botswana and provide a strong incentive for organizations to ensure full compliance.

The full text of the Act can be found at DS-I Africa Law.



About the author

Gary Haase

Content Manager