Why Register?
Data Protection Basics
In order to comply with the provisions of the Data Protection Act 843, a data controller or data processor who intends to process personal data SHALL:
- Register with the Commission (section 27)
- Renew their registration every two years (section 50)
- Appoint and train a data protection supervisor
- Develop and publish its organisational privacy policy on all its platforms, sensitising its data subjects on data processing activities and data subjects’ rights
A data controller shall take the necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction and unlawful access to or unauthorised processing of personal data.
A data controller who intends to collect personal data shall ensure that the data subject is aware of:
- The nature of the data being collected
- The name and address of the person responsible for the collection
- The purpose for which the data is required for collection
- Whether or not the supply of the data by the data subject is discretionary or mandatory
- The consequences of failure to provide the data
- The authorised requirement for the collection of the information or a requirement by law for its collection
- The recipient of the data
- The nature or category of the data
- The existence of the right of access to and the right to request rectification of the data collected before the collection
- Where the data is collected from a third party, the data subject shall be given the information specified in subsection 2 before the collection of the data or as soon as practicable after the collection of the data
Data Protection Impact Assessment (DPIA)
1. What is DPIA and Why is it Important?
A DPIA helps organizations identify and assess the potential risks to individuals’ privacy and personal data protection before beginning or updating any data processing activities. It is a proactive measure to ensure compliance with legal requirements, mitigate risks, and build trust with individuals whose data is processed.
2. Steps to Conduct a DPIA:
Step 1: Identify the Need for a DPIA
Step 2: Describe the Data Processing Activity
Step 3: Assess Privacy Risks
Step 4: Evaluate Mitigating Measures
Step 5: Consultation with the Data Protection Commission (DPC)
Step 6: Document the DPIA Process
Step 7: Monitor and Review
3. When to Conduct a DPIA
1. Starting a new data processing activity:
2. Introducing new technology or systems:
3. Making significant changes to existing processing activities:
4. When required by law:
Certified Data Protection Supervisor (CDPS) Training
The CDPS Training is a specialized program designed to equip individuals with the knowledge and skills required to serve as Certified Data Protection Supervisors (CDPS) within their organizations. This training focuses on the practical application of data protection principles.
Key Features:
- Certification: Participants become Certified Data Protection Supervisors (CDPS).
- Target Audience: Individuals who wish to become internal data protection leads or supervisors within their organisations.
- Delivery: Structured classroom sessions or virtual sessions.
- Focus Areas: Data Protection Act 843, rights and obligations under the Act, data breach response, and compliance monitoring.
Relevance to Data Protection Act 843: Section 58 of the Act requires data controllers to designate persons to ensure compliance with data protection rules. The CDPS training provides the skills and knowledge necessary to fulfil this requirement.
Certification process
- New registrants are issued certificates upon successful review and approval of their applications (within 21 working days).
- Renewal certificates are granted after the renewal application has been reviewed and approved, and a completed GAP analysis/Compliance Assessment has been submitted and validated by the Compliance Unit.
Certificate Collection Requirements:
- A valid National Identification Card is required for collection.
- If an individual is collecting the certificate on behalf of an organization, an official authorization letter must be provided. The letter should include the individual’s full name and ID number.
Requesting an Electronic Copy:
- To request an electronic version of your certificate, please send an email to: certificate@dataprotection.org.gh
Reprint of Certificate:
- To request a replacement certificate, send an email to certificate@dataprotection.org.gh (comes at a fee)
Our Data Protection Principles
These guiding standards ensure that all personal data is collected, used, and stored lawfully, fairly, and securely.
1. Accountability
Demonstration of legal compliance with easily accessible documentary evidence.
2. Lawfulness of Processing
Providing evidence of legitimate grounds, fairness and transparency.
3. Specification of Purpose
Proactively obtaining customer consent for changed or new purposes.
4. Quality of Information (section 26)
Ensuring that data held is continuously accurate, available and up-to-date.
5. Purpose of Collection
Processing personal data for clearly specified purposes only.
6. Openness
Keeping Data Subjects fully informed about their personal data via multiple channels.
7. Data Security Safeguards
Use of appropriate technology and organisational measures.
8. Data Subject Participation
Empowering Data Subjects to exercise their legal rights.
Register Your Organisation Today
All organisations that collect or process personal data in Ghana are required to register with the Data Protection Commission. Begin your compliance journey today.
Renew Your Registration
Keep your organisation compliant. If your registration is due for renewal, complete your submission now.