The Data Protection Act 2018 (the “DPA”) was assented to by the Parliament on 3rd August 2018 and is currently on notice. As the first local statutory enactment focused solely on protection of personal data it is without doubt a critical piece of legislation.
In particular, pertaining to data subjects, who are aware of the DPA, there is excitement and this legal development seems to be a welcome one. For those who qualify as data controllers and data processors for purposes of the DPA, like any new legislation, a number of companies have anxiously called upon their legal, human resources and compliance departments to ensure compliance with the DPA when it eventually comes into effect.
One may ask, what does the DPA mean to the data subject or to people processing personal data? This is the million-dollar question that we will try to answer in this introductory article to the DPA.
All data subjects should at minimum know and understand the DPA requirements on how their personal data, either being general or sensitive, should be processed and what their rights are in relation to the processing of that data. In terms of the DPA, data subjects have the following rights; the right of access to personal data through subject access requests, the right to correct inaccurate personal data, the right in certain cases to have personal data erased, the right to object to the processing of data for certain purposes and the right to obtain a copy of the personal data in the possession of a data processor or a data controller, as the case may be.
For people and entities processing personal data, personal data must be processed in accordance with the processing principles as specified in the DPA. The principles of data processing provide that personal data must be processed lawfully, transparently and fairly. Data should be collected only for specific legitimate purposes and limited to what is necessary, relevant and accurate. The data should be kept up to date, stored only for as long as is necessary and with appropriate security.
Each person or entity that processes personal data should have a lawful basis for processing that data. Personal data shall be processed on freely given, specific and informed consent of the data subject. Alternatively, it should be processed when it is necessary for the conclusion of a contract to which the data subject is a party or for the protection of the vital interests of the individual, or for compliance with the legal obligations of a data controller under the DPA or processing is necessary for the public interest or the legitimate interest of an organisation.
The DPA carries severe penalties for non-compliance. The penalties are a combination of fines and a possibility of imprisonment. The minimum fine for non-compliance is BWP 20 000.00 with a maximum fine of BWP 1 million. Prison sentences range from a minimum of three years to a maximum of 12 years.
For all organisations based outside the European Union that offer goods or services to European Union residents or monitor their behaviour or process their personal data, in addition to complying with the requirements of the DPA, the processing of personal data of European Union residents will also be subject to the European Union General Data Protection Regulation (“GDPR”). The GDPR came into effect on 25th May 2018. Due to the heavy penalties under the GDPR non-compliance is not an option.
Food for thought – will you be compliant with the requirements of the DPA when it comes into effect and are you compliant with the GDPR, if applicable? We are compliant and hope you are as you won’t have time to start preparing for compliance once the DPA comes into effect, you will already be in breach or you might already be in breach!