Data & Privacy ยท Botswana
Data protection & privacy law in Botswana (2026)
Botswana shaded by its data & privacy status
Data protection in Botswana: comprehensive law, under Data Protection Act 18 of 2024 (in force 14 January 2025), supervised by the Information and Data Protection Commission (IDPC).
Botswana enacted a comprehensive data protection regime first under the Data Protection Act of 2018, which came into force in October 2021. That Act was repealed and replaced by Data Protection Act 18 of 2024, assented to on 29 October 2024 and in force from 14 January 2025, which significantly strengthens individual rights, regulator powers, and penalty thresholds. The supervisory authority is the Information and Data Protection Commission (IDPC), an independent body established in 2022.
Key points
Data Protection Act 18 of 2024 repealed the 2018 Act and came into force on 14 January 2025. It is the primary comprehensive statute governing personal data processing in Botswana, modelled broadly on GDPR-style principles including lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, and the new additions of accountability, integrity, and confidentiality.
The Information and Data Protection Commission (IDPC) is the independent national supervisory authority. It is divided into a Data Protection Division and an Access to Information Division. The Commission handles complaints, investigations, enforcement, and public awareness. The inaugural Commissioner is Ms. Kepaletswe Somolekae.
Data subjects are granted rights to access, correct, delete, and restrict processing of their personal data. They may also request data portability and object to automated decision-making, bringing the regime broadly in line with GDPR-equivalent protections.
Data controllers must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities, appoint a Data Protection Officer under prescribed conditions, and notify the IDPC within 72 hours of discovering a personal data breach. The Act also introduces specific rules on processing children's data.
The 2024 Act introduces a soft data localisation requirement: a copy of personal data transferred abroad must be retained in Botswana during the processing period. Transfers are only permitted to countries deemed to have adequate protections; Botswana has published a list of 45 approved destination countries including Kenya and South Africa.
Maximum administrative fines were raised from BWP 10 million under the 2018 Act to BWP 50 million (approximately USD 3.7 million) or 4% of global annual turnover under the 2024 Act. Criminal liability, including imprisonment, applies for breaches of confidentiality and unauthorised data use.
Timeline - major decisions & events
The Minister for the State President issued Statutory Instrument SI 4/2025, commencing the Data Protection Act 2024 on 14 January 2025. The new Act replaces the entire 2018 framework, introduces GDPR-aligned principles (lawfulness, purpose limitation, data minimisation, accountability), 72-hour breach notification, fines up to BWP 50 million or 4% of global annual turnover, and extraterritorial scope covering controllers that monitor Botswana residents from abroad.
Botswana Laws โ Official Gazette Bulletin โThe Minister for State President published the Data Protection (Amendment) Act (Period of Processing Personal Data) Order in the Government Gazette, extending the compliance deadline for existing data processing operations from 17 September 2023 to 17 September 2024. The further extension reflected ongoing legislative reform work and insufficient Commission capacity, and coincided with drafting of the comprehensive 2024 Bill.
Minchin & Kelly (Botswana) โ law firm analysis โParliament amended Section 54 of the 2018 Act, empowering the Minister to extend the transition period by 12 months to 15 September 2023. The amendment was driven by the newly-appointed Commissioner's public identification of serious legislative gaps, including no household-activity exemption and no rules for national-security processing, and the Commission still building its institutional capacity from scratch.
Botswana Laws โ Official Gazette Bulletin โKepaletswe Somolekae was appointed as Botswana's inaugural Information and Data Protection Commissioner, marking the Commission becoming operational. Somolekae promptly raised public alarms about gaps in the 2018 Act, including its silence on household-activity processing, national-security carve-outs, and international transfer adequacy rules, catalysing the legislative reform process that culminated in the 2024 Act.
ITWeb Africa โThe Minister of Presidential Affairs, Governance and Public Administration published the Commencement Order in the Government Gazette, activating the Data Protection Act 2018 three years after assent. Data controllers were granted a 12-month grace period (originally expiring 15 October 2022) to bring their processing operations into compliance, the first time personal data protection was enforceable in Botswana.
Botswana Communications Regulatory Authority (BOCRA) โBotswana's first standalone data protection statute was passed in August 2018, establishing consent as the central lawful basis for processing, enumerating data subject rights (access, correction, deletion, objection), creating sensitive-data and direct-marketing restrictions, regulating cross-border transfers, and establishing the Information and Data Protection Commission as the supervisory authority. It was a landmark for the SADC region.
Botswana Communications Regulatory Authority (BOCRA) โ Official Act text โParliament modernised the 2007 cybercrime law, providing precise definitions of cyber offences (unauthorised access, data interference, interception), stronger protections for critical computer systems, and updated rules for collecting electronic evidence. Directly relevant to data-breach liability and state access to personal data stored digitally.
Botswana Communications Regulatory Authority (BOCRA) โ Official Act text โTwo complementary statutes established the legal recognition of electronic contracts and digital signatures (requiring BOCRA accreditation of e-signature providers) and the admissibility of electronic records in court proceedings. Together they laid the foundational digital-economy infrastructure on which subsequent data protection rules operate.
Botswana Communications Regulatory Authority (BOCRA) โ Legislation page โThe CRA Act created the Botswana Communications Regulatory Authority as the unified regulator for telecommunications, internet, ICTs, broadcasting, and postal services. BOCRA was subsequently designated to administer the Data Protection Act on behalf of the Commission during the gap between the 2018 Act's assent and the Commission becoming operational in 2021-2022.
Botswana Communications Regulatory Authority (BOCRA) โ Official Act text โBotswana's first cybercrime statute criminalised unauthorised access to computer systems, interception of data in transit, and computer-related fraud, while facilitating collection of electronic evidence. It established state-level recognition that electronically stored data required legal protection, predating any dedicated privacy framework by more than a decade.
UNODC Sherloc โ Botswana Legislation โAt independence, Section 9 of the Constitution prohibited the search of any person, their property, or entry onto their premises without consent, subject to defined exceptions. For over five decades this constitutional provision remained the sole privacy protection available in Botswana, providing the foundational human-rights basis on which the 2018 data-protection legislation was later built.
Parliament of Botswana โ Official Constitutional Text โBotswana - other topics
Data & Privacy in other countries
Last verified 5/24/2026 ยท Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite ยท Explore the full world map โ