
Data & Privacy · Malawi

Data protection & privacy laws in Malawi (2026)

Status: Comprehensive law
Instrument: Data Protection Act 2024 (in force 3 June 2024)
Supervision: Data Protection Authority (DPA), established under the Act and supported by MACRA
Country index: 75 · B+

Malawi enacted the Data Protection Act 2024, gazetted in February 2024 and commenced on 3 June 2024, replacing the data-protection provisions of the Electronic Transactions and Cyber Security Act 2016. The Act introduces a GDPR-inspired regime covering lawful-basis processing, data-subject rights, mandatory breach notification, and registration requirements for significant data controllers. An independent Data Protection Authority (dpa.mw) has been established to oversee enforcement, with MACRA playing an operational support role.

Key points

Enactment & commencement

The Data Protection Act 2024 was gazetted in February 2024 and officially came into force on 3 June 2024 via Government Notice No. 40 of 2024, replacing Part VII of the Electronic Transactions and Cyber Security Act 2016 as the primary data-protection instrument.

Supervisory authority

The Act establishes an independent Data Protection Authority (DPA) headquartered at dpa.mw, responsible for issuing guidance, receiving complaints, conducting investigations, and issuing compliance orders. MACRA hosts and operationally supports the DPA during its stand-up phase.

Processing principles & lawful bases

Data controllers and processors must adhere to eight principles: lawfulness, transparency, fairness, purpose limitation, data minimisation, accuracy, storage limitation, and integrity/confidentiality. Recognised lawful bases include consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests.

Data-subject rights

Data subjects are granted rights to access, rectification, erasure, restriction of processing, data portability, and objection to processing — closely mirroring the GDPR rights framework.

Breach notification & DPIA

Controllers must notify the DPA within 72 hours of discovering a breach; if the breach poses high risk to data subjects, those individuals must also be notified within 72 hours. A Data Protection Impact Assessment (DPIA) is mandatory before high-risk processing activities begin.

Registration requirements

Data controllers and processors of 'significant importance' — defined as those processing data of more than 10,000 data subjects, or data of national economic, social, or security significance — must register with the DPA.

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above.