Opinion: “Delay Is Preferable to Error”: Another Data Protection Act Extension…

Just a month ago, the Data Protection Period of Processing Personal Order was published. 

As anticipated, the period of processing was extended from 17 September 2023 to 17 September 2024.

Now, if we remember that this is the second compliance extension, we can speculate, try to ridicule the lack of readiness and attribute blame to the custodian of the DPA (the Office of the Information and Data Protection Commission). But as the old adage goes, “a so-called delay is actually a benediction”, and these delays may instead be a sum of outcomes spawned by competing and largely venerable intent.

The Intent: 

If you have read the Data Protection Act No.32 of 2018 (the DPA), you may have noticed that it mirrors not only the South African Protection of Personal Information Act No.4 of 2013 (POPIA) but also the European Union’s General Data Protection Regulation, 2018 (GDPR). Having said that, these two jurisdictions have had a head start in implementing their data protection legislation, carrying out investigations, and issuing enforcement notices, fines and penalties where provisions have not been adhered to and personal data has been compromised.

With that said, we can use this period to benchmark the two jurisdictions that have helped shape our data protection legislation by using precedents and practical examples emanating from there.
Putting your ducks in a row doesn’t only have to apply to entities that process data; the Information and Data Protection Commission (the Commission) can also proactively start getting everything in order so it can effectively perform its functions and ensure that the personal data of individuals and their privacy rights are adequately protected.

What appears as unnecessary or unreasonable delays can be justified. After all, taking one’s time is better than making errors, especially when used efficiently. The Commission can definitely use this time to ensure that it is well equipped to handle the mammoth task and powers that the DPA confers on it. 
Now back to the intent (my opinion) – this extension period could be used to:

  1. Equip the Commission with the necessary skills, human capital, and resources to implement and execute its functions in terms of the DPA;
  2. It being a public office, the Commission has a duty to the public and is expected to educate the public about the DPA, its implications and the individual’s rights and remedies under the DPA;
  3. The Commission can create channels and systems that are available for the public to utilize when reporting or complaining about non-compliance with the DPA;
  4. The Commission should create a website that acts as an information and educational hub to the public; 
  5. The Commission can create forms, templates, documents, guidance notes, gazette notices and provide continuous updates on the DPA which all must be easily accessible on its website; 
  6. The Commission can create an information portal so compliance is not only for a select few that can afford legal assistance and advice;
  7. The Commission can partake in educational road shows where access to the internet is restricted;
  8. Make amendments to the DPA (localize it, make it more specific and relevant to Botswana and its economic landscape);
  9. Engage entities affected by the DPA, regarding ambiguous provisions and the DPA in general to obtain their input and comments (the role of the DPA should not be to restrict or prevent any innovation or stifle business growth); 
  10. Set up and establish structures in relation to the “Information” part of the Commission where data subjects have the right to request their personal data held by any public and/or private entity (this is often seen during tender awards disputes);
  11. Set up a defined structure for the Commission and create a charter of roles and responsibilities for the members and staff; and
  12. Establish an Information and Data Protection Appeals Tribunal to adjudicate over matters brought before the Tribunal for breach of any of the provisions of the DPA. 

In order for the Commission to serve as a vigilant protector of data subjects in Botswana and to do its job diligently as a custodian of the DPA, this “inordinate delay” could be preferable to error.

Lebogang George is an admitted attorney of the High Court of Botswana and a senior associate. She spent more than a decade working in South Africa. It is in South Africa where she expanded her knowledge and focus on Corporate Commercial Law as well as Data Privacy and Data Protection Law, IT Governance as well as Cyber Security Law. She obtained an LLB from the University of Witwatersrand and has a certificate in Law & Logic from Harvard Law School and the European University Institute as well as a Nexus Leadership certificate from the Gordon Institute of Business Science - a business school in South Africa and an affiliate of the University of Pretoria.

Lebogang's experience in Data Protection and Privacy Law spans various jurisdictions including Botswana, South Africa and the European Union, and she has advised and provided data protection compliance training to clients in the financial institution sector, the public and private sector respectively. She is a 2022 Women in Tech Africa nominee and has represented Botswana on various platforms including the World Youth Forum in Egypt in 2019. She was also amongst the Top 100 Barclays Bank Brightest Young Minds in South Africa and is a Top 50 Mail & Guardian Africa - Botswana Change Maker award recipient, to name a few.