Data protection & privacy laws in Botswana (2026)

Data Protection Act 18 of 2024 repealed the 2018 Act and came into force on 14 January 2025. It is the primary comprehensive statute governing personal data processing in Botswana, modelled broadly on GDPR-style principles including lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, and the new additions of accountability, integrity, and confidentiality.

The Information and Data Protection Commission (IDPC) is the independent national supervisory authority. It is divided into a Data Protection Division and an Access to Information Division. The Commission handles complaints, investigations, enforcement, and public awareness. The inaugural Commissioner is Ms. Kepaletswe Somolekae.

Data subjects are granted rights to access, correct, delete, and restrict processing of their personal data. They may also request data portability and object to automated decision-making, bringing the regime broadly in line with GDPR-equivalent protections.

Data controllers must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, appoint a Data Protection Officer under prescribed conditions, and notify the IDPC within 72 hours of discovering a personal data breach. The Act also introduces specific rules on processing children's data.

The 2024 Act introduces a soft data localisation requirement: a copy of personal data transferred abroad must be retained in Botswana during the processing period. Transfers are only permitted to countries deemed to have adequate protections; Botswana has published a list of 45 approved destination countries including Kenya and South Africa.

Maximum administrative fines were raised from BWP 10 million under the 2018 Act to BWP 50 million (approximately USD 3.7 million) or 4% of global annual turnover under the 2024 Act. Criminal liability, including imprisonment, applies for breaches of confidentiality and unauthorised data use.