Data protection is now a legal obligation in Botswana, not just good practice. The Data Protection Act, 2018 was passed in 2018 and came into operation on 15 October 2021, following a commencement order gazetted by the responsible Minister, with a 12-month transition period that has since passed (the Act is published by BOCRA). In other words, this is live law — and being careless with customer or staff data is no longer merely bad practice; it can be a compliance failure with real consequences.
The good news for most businesses: the requirements largely formalise what a well-run organisation should already be doing. This is a practical, plain-English overview of what the Act means for an ordinary Botswana business. It is general information, not legal advice (see the note at the end and our full disclaimer).
What the Act actually requires
The Act sets out duties for a data controller — anyone who determines how and why personal data is processed. In practice, the obligations that matter most to an ordinary business are:
- Process lawfully and fairly. Collect and use personal data for clear, legitimate purposes, be transparent with people about what you do with their information, and don't repurpose it for unrelated uses.
- Collect only what you need, keep it accurate, and don't hold it forever. Minimisation, accuracy and storage limitation are core principles.
- Notify the Commission. The Act establishes a Data Protection Commission to oversee and enforce it, and provides for the notification of processing operations (section 34). A controller can appoint a data protection representative to help ensure compliance; the Commissioner should be informed of that appointment.
- Report breaches. A data controller must notify the Commissioner of any breach to the security safeguards protecting personal data. Knowing this obligation before an incident is what lets you meet it under pressure.
- Respect data-subject rights. Individuals can generally access the personal data you hold about them and have inaccuracies corrected. You need a known process for handling those requests.
- Keep personal data secure. The Act requires appropriate safeguards against loss, theft and unauthorised access.
Underpinning all of this is accountability — being able to show that you handle data responsibly, not just claim it.
The penalties are real
The Act is enforced with more than words. Non-compliance carries a combination of fines and imprisonment: reported ranges run from a minimum fine of around P20,000 up to P1 million, with custodial sentences of three to twelve years for serious offences (summary via CaseGuard). For most small and medium businesses the more likely cost is reputational — customers, partners and regulators lose confidence fast when personal data is mishandled — but the statutory penalties make clear that compliance is not optional.
Does it apply to you?
Almost certainly yes. Personal data means anything that can be tied to a specific person: names, phone numbers, email and physical addresses, Omang (national ID) or passport numbers, financial details, employment records, and so on. Some categories, such as health information, are more sensitive and call for extra care.
Nearly every business holds personal data. A shop has customer contacts; an employer has staff records; a service provider has client files. If that describes you, the Act is relevant to your business.
Practical steps to get on the right footing
You don't need to become a privacy lawyer. A sensible, proportionate programme looks like this:
- Know what you hold. Build a simple inventory: what personal data do you collect, where is it stored, who can access it, and why? You cannot protect or manage what you haven't mapped.
- Have a lawful reason for each use. For each type of data, be clear why you hold it and that the reason is legitimate. Stop collecting data you don't actually need.
- Tell people what you do. A clear, honest privacy notice — like the one on this website — explaining what you collect and why goes a long way toward the transparency the Act expects.
- Secure it. This is where cybersecurity and compliance meet. Access control, MFA, encryption, backups and patching are exactly what "keeping personal data secure" requires in practice. See our cybersecurity guide.
- Respect people's rights. Have a simple, known process for access and correction requests.
- Plan for a breach. Decide in advance what you would do if personal data were lost or exposed — contain it, assess it, and be ready to notify the Commissioner as the Act requires. Our ransomware guide covers the incident side.
- Make someone responsible. Even in a small business, one person should own data protection so it doesn't fall through the cracks.
Security and compliance are the same effort
The most useful thing to understand is that good cybersecurity and data-protection compliance are largely the same work. The Act's security obligation is satisfied by the controls we recommend throughout this pillar: multi-factor authentication, least-privilege access, encryption, tested backups and staff awareness. Invest in those, and you simultaneously reduce your risk of an attack and meet a core legal duty. A breach prevented is a compliance problem avoided.
Where to get certainty
This guide is designed to orient you, not to give a definitive legal answer — how the Act applies depends on your sector, the data you hold and how you use it, and enforcement practice continues to mature. For specifics, refer to the Act itself and the Data Protection Commission via BOCRA and obtain advice from a qualified legal professional.
What we can help with is the practical and technical side: mapping the personal data your systems hold, securing it to the standard the Act expects, and building the access controls, backups and breach-response capability that turn "we should comply" into "we do." If that's useful, a conversation is the right place to start.
This article is general information only and is not legal advice. See our disclaimer.
Frequently asked questions
Is the Botswana Data Protection Act actually in force?
Yes. The Data Protection Act, 2018 was enacted in 2018 and came into operation on 15 October 2021 through a commencement order gazetted by the Minister responsible, with a 12-month transition period that has now passed. It is live law, not a future plan.
Does the Data Protection Act apply to small businesses?
Yes. The Act applies to any 'data controller' that processes personal information about identifiable people — customers, staff, suppliers — regardless of business size. The obligations scale with the sensitivity and volume of data you handle, but the core duties to process lawfully, keep data secure and respect people's rights apply broadly.
What are the penalties for non-compliance?
The Act backs its obligations with real penalties — a combination of fines and, for serious offences, imprisonment. Reported ranges run from a minimum fine of around P20,000 up to P1 million, with custodial terms of three to twelve years. Beyond the legal penalty, a breach also brings reputational damage and lost customer trust.
Is this guide legal advice?
No. This is general information to help you understand the topic. How the Act applies depends on your specific circumstances, and the law and its enforcement continue to develop. For a definitive view on your obligations, consult a qualified legal professional and refer to the Act and the Data Protection Commission directly.
How Apjakal can help
Get a straight read on your security posture
Share your details and we will arrange a short, practical review of where your business stands and what to fix first.
Get a Quote