Skip to content
World Watch/Botswana/Data & Privacy

Data & Privacy ยท Botswana

Data protection & privacy law in Botswana (2026)

Comprehensive lawData Protection Act 18 of 2024 (in force 14 January 2025), supervised by the Information and Data Protection Commission (IDPC)Country index 73 ยท B

Botswana shaded by its data & privacy status

Data protection in Botswana: comprehensive law, under Data Protection Act 18 of 2024 (in force 14 January 2025), supervised by the Information and Data Protection Commission (IDPC).

Botswana enacted a comprehensive data protection regime first under the Data Protection Act of 2018, which came into force in October 2021. That Act was repealed and replaced by Data Protection Act 18 of 2024, assented to on 29 October 2024 and in force from 14 January 2025, which significantly strengthens individual rights, regulator powers, and penalty thresholds. The supervisory authority is the Information and Data Protection Commission (IDPC), an independent body established in 2022.

Key points

Governing Legislation

Data Protection Act 18 of 2024 repealed the 2018 Act and came into force on 14 January 2025. It is the primary comprehensive statute governing personal data processing in Botswana, modelled broadly on GDPR-style principles including lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, and the new additions of accountability, integrity, and confidentiality.

Supervisory Authority

The Information and Data Protection Commission (IDPC) is the independent national supervisory authority. It is divided into a Data Protection Division and an Access to Information Division. The Commission handles complaints, investigations, enforcement, and public awareness. The inaugural Commissioner is Ms. Kepaletswe Somolekae.

Individual Rights

Data subjects are granted rights to access, correct, delete, and restrict processing of their personal data. They may also request data portability and object to automated decision-making, bringing the regime broadly in line with GDPR-equivalent protections.

Controller & Processor Obligations

Data controllers must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, appoint a Data Protection Officer under prescribed conditions, and notify the IDPC within 72 hours of discovering a personal data breach. The Act also introduces specific rules on processing children's data.

Cross-Border Data Transfers

The 2024 Act introduces a soft data localisation requirement: a copy of personal data transferred abroad must be retained in Botswana during the processing period. Transfers are only permitted to countries deemed to have adequate protections; Botswana has published a list of 45 approved destination countries including Kenya and South Africa.

Penalties

Maximum administrative fines were raised from BWP 10 million under the 2018 Act to BWP 50 million (approximately USD 3.7 million) or 4% of global annual turnover under the 2024 Act. Criminal liability, including imprisonment, applies for breaches of confidentiality and unauthorised data use.

Timeline - major decisions & events

Jan 14, 2025decision
Data Protection Act 2024 Enters into Force via SI 4/2025

The Minister for the State President issued Statutory Instrument SI 4/2025, commencing the Data Protection Act 2024 on 14 January 2025. The new Act replaces the entire 2018 framework, introduces GDPR-aligned principles (lawfulness, purpose limitation, data minimisation, accountability), 72-hour breach notification, fines up to BWP 50 million or 4% of global annual turnover, and extraterritorial scope covering controllers that monitor Botswana residents from abroad.

Botswana Laws โ€” Official Gazette Bulletin โ†—
Sep 15, 2023decision
Second Compliance Deadline Extension, Period of Processing Personal Data Order 2023

The Minister for State President published the Data Protection (Amendment) Act (Period of Processing Personal Data) Order in the Government Gazette, extending the compliance deadline for existing data processing operations from 17 September 2023 to 17 September 2024. The further extension reflected ongoing legislative reform work and insufficient Commission capacity, and coincided with drafting of the comprehensive 2024 Bill.

Minchin & Kelly (Botswana) โ€” law firm analysis โ†—
Sep 16, 2022law
Data Protection (Amendment) Act 33 of 2022, First Compliance Extension

Parliament amended Section 54 of the 2018 Act, empowering the Minister to extend the transition period by 12 months to 15 September 2023. The amendment was driven by the newly-appointed Commissioner's public identification of serious legislative gaps, including no household-activity exemption and no rules for national-security processing, and the Commission still building its institutional capacity from scratch.

Botswana Laws โ€” Official Gazette Bulletin โ†—
Mar 1, 2022decision
First Information and Data Protection Commissioner Appointed

Kepaletswe Somolekae was appointed as Botswana's inaugural Information and Data Protection Commissioner, marking the Commission becoming operational. Somolekae promptly raised public alarms about gaps in the 2018 Act, including its silence on household-activity processing, national-security carve-outs, and international transfer adequacy rules, catalysing the legislative reform process that culminated in the 2024 Act.

ITWeb Africa โ†—
Oct 15, 2021decisionofficial
Data Protection Act 2018 Brought into Force, S.I. No. 86 of 2021

The Minister of Presidential Affairs, Governance and Public Administration published the Commencement Order in the Government Gazette, activating the Data Protection Act 2018 three years after assent. Data controllers were granted a 12-month grace period (originally expiring 15 October 2022) to bring their processing operations into compliance, the first time personal data protection was enforceable in Botswana.

Botswana Communications Regulatory Authority (BOCRA) โ†—
Aug 1, 2018lawofficial
Data Protection Act 2018 (Act 32 of 2018) Enacted

Botswana's first standalone data protection statute was passed in August 2018, establishing consent as the central lawful basis for processing, enumerating data subject rights (access, correction, deletion, objection), creating sensitive-data and direct-marketing restrictions, regulating cross-border transfers, and establishing the Information and Data Protection Commission as the supervisory authority. It was a landmark for the SADC region.

Botswana Communications Regulatory Authority (BOCRA) โ€” Official Act text โ†—
Jun 29, 2018lawofficial
Cybercrime and Computer Related Crimes Act 2018 (Act 18 of 2018)

Parliament modernised the 2007 cybercrime law, providing precise definitions of cyber offences (unauthorised access, data interference, interception), stronger protections for critical computer systems, and updated rules for collecting electronic evidence. Directly relevant to data-breach liability and state access to personal data stored digitally.

Botswana Communications Regulatory Authority (BOCRA) โ€” Official Act text โ†—
Jan 1, 2014lawofficial
Electronic Communications and Transactions Act and Electronic Records (Evidence) Act 2014

Two complementary statutes established the legal recognition of electronic contracts and digital signatures (requiring BOCRA accreditation of e-signature providers) and the admissibility of electronic records in court proceedings. Together they laid the foundational digital-economy infrastructure on which subsequent data protection rules operate.

Botswana Communications Regulatory Authority (BOCRA) โ€” Legislation page โ†—
Jan 1, 2012lawofficial
Communications Regulatory Authority Act 2012, BOCRA Established

The CRA Act created the Botswana Communications Regulatory Authority as the unified regulator for telecommunications, internet, ICTs, broadcasting, and postal services. BOCRA was subsequently designated to administer the Data Protection Act on behalf of the Commission during the gap between the 2018 Act's assent and the Commission becoming operational in 2021-2022.

Botswana Communications Regulatory Authority (BOCRA) โ€” Official Act text โ†—
Jan 1, 2007law
Cybercrime and Computer Related Crimes Act 2007 (Act 22 of 2007)

Botswana's first cybercrime statute criminalised unauthorised access to computer systems, interception of data in transit, and computer-related fraud, while facilitating collection of electronic evidence. It established state-level recognition that electronically stored data required legal protection, predating any dedicated privacy framework by more than a decade.

UNODC Sherloc โ€” Botswana Legislation โ†—
Sep 30, 1966lawofficial
Constitution of Botswana, Section 9: Protection for Privacy of Home and Property

At independence, Section 9 of the Constitution prohibited the search of any person, their property, or entry onto their premises without consent, subject to defined exceptions. For over five decades this constitutional provision remained the sole privacy protection available in Botswana, providing the foundational human-rights basis on which the 2018 data-protection legislation was later built.

Parliament of Botswana โ€” Official Constitutional Text โ†—

Botswana - other topics

Data & Privacy in other countries

Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ†’