
The Botswana Data Protection Act: A Practical Guide for Businesses

What the Botswana Data Protection Act, 2018 means for an ordinary business — the core principles, your obligations, and practical steps to handle personal data responsibly.

By Apjakal IT Solutions (4 min read)

Data protection has moved from a "nice to have" to a legal expectation in Botswana. With the Data Protection Act, 2018, the responsibility to handle people's personal information properly is now written into law. For most businesses this is not cause for alarm — the requirements largely formalise things a well-run organisation should already be doing — but it does mean that being careless with customer or staff data is no longer just bad practice; it can be a compliance failure.

This is a practical, plain-English overview of what that means for an ordinary Botswana business. It is general information, not legal advice (see the note at the end and our full disclaimer) — but it will help you understand the shape of your obligations and where to start.

What the law is really about

Strip away the legal language and data protection law rests on a simple idea: if you hold information about people, you have a duty to look after it and to use it fairly. The principles that run through modern data protection law — and that you should treat as your working checklist — are broadly these:

  • Lawful, fair and transparent. Collect and use personal data for clear, legitimate reasons, and be open with people about what you do with their information.
  • Purpose limitation. Use the data for the purpose you collected it for, not for unrelated things.
  • Data minimisation. Collect only what you actually need.
  • Accuracy. Keep it correct and up to date.
  • Storage limitation. Don't keep it longer than necessary.
  • Security. Protect it against loss, theft and unauthorised access.
  • Accountability. Be able to show that you are doing these things.

If your business reflects those principles in how it handles data, you are most of the way there.

Does it apply to you?

In short: if you hold personal information about identifiable people — customers, employees, suppliers — the rules are relevant to your business, whatever its size. Personal data means anything that can be tied to a specific person: names, phone numbers, email and physical addresses, ID or passport numbers, financial details, employment records, and so on. Some categories, such as health information, are more sensitive and call for extra care.

Almost every business holds personal data. A shop has customer contacts; an employer has staff records; a service provider has client files. So for practical purposes, this applies to you.

Practical steps to get on the right footing

You do not need to become a privacy lawyer. A sensible, proportionate programme looks like this:

  1. Know what you hold. Make a simple inventory: what personal data do you collect, where is it stored, who can access it, and why do you have it? You cannot protect or manage what you haven't mapped.
  2. Have a reason for each use. For each type of data, be clear why you hold it and that the reason is legitimate. Stop collecting data you don't actually need.
  3. Tell people what you do. A clear, honest privacy notice — like the one on this website — explaining what you collect and why goes a long way toward the transparency the law expects.
  4. Secure it. This is where cybersecurity and compliance meet. The security basics — access control, MFA, encryption, backups, patching — are exactly what "keeping personal data secure" requires in practice. See our cybersecurity guide.
  5. Respect people's rights. Individuals can generally expect to access the data you hold about them and to have inaccuracies corrected. Have a simple, known process for handling such requests.
  6. Plan for a breach. Know in advance what you would do if personal data were lost or exposed — contain it, assess it, and understand your obligation to notify, which may include affected individuals and the relevant authority.
  7. Make someone responsible. Even in a small business, one person should own data protection, so it doesn't fall through the cracks.

Security and compliance are the same effort

The most useful thing to understand is that good cybersecurity and data protection compliance are largely the same work. The "security" principle of the law is satisfied by the controls we recommend throughout this pillar: multi-factor authentication, least-privilege access, encryption, tested backups, and staff awareness. Invest in those, and you are simultaneously reducing your risk of an attack and meeting a core legal obligation. A breach prevented is a compliance problem avoided.

Where to get certainty

Data protection law and the body that oversees it can evolve, and how the rules apply depends on your specific circumstances — your sector, the data you hold, and how you use it. This guide is intended to orient you, not to give you a definitive legal answer. For that, confirm the current status of the law and its regulator, and obtain advice from a qualified legal professional.

What we can help with is the practical and technical side: mapping the personal data your systems hold, securing it to the standard the law expects, and building the access controls, backups and breach-response capability that turn "we should comply" into "we do." If that's useful, a conversation is the right place to start.

This article is general information only and is not legal advice. See our disclaimer.

Tags: #data-protection #compliance #Botswana #privacy

Frequently asked questions

Does the Data Protection Act apply to small businesses?

If your business holds personal information about identifiable people — customers, staff, suppliers — then the data protection rules are relevant to you, regardless of size. The obligations scale with the sensitivity and volume of data you handle, but the basic duty to keep personal data secure and use it responsibly applies broadly.

What counts as personal data?

Any information relating to an identifiable individual — names, contact details, ID or passport numbers, financial information, employment records, and similar. Sensitive categories such as health information call for extra care. If you can tie the information to a specific person, treat it as personal data.

Is this guide legal advice?

No. This is general information to help you understand the topic. Data protection law evolves and its application depends on your specific circumstances. For a definitive view on your obligations and the current status of the law and its regulator, consult a qualified legal professional and the relevant Botswana authority.
