Guidelines for Data Controllers/Processors on Compliance with the Data Protection Act 2012 (Act 843)
Overview of the Data Protection Act 2012 (Act 843)
The Data Protection Act (DPA) 2012 (Act 843) establishes rules and principles governing the collection, use, disclosure, destruction, and care of personal data by data controllers (organisations) and data processors. Enforced by the independent Data Protection Commission (DPC), the Act aims to ensure compliance and protect individuals’ personal data. The DPA has been in effect since 16 October 2012.
Guidelines for Compliance
These guidelines help organisations understand and implement necessary measures to comply with Ghana’s data protection regulations. They typically include:
- Registration with the Commission – Required for all data controllers before processing personal data.
- Adherence to Data Protection Principles – Such as lawfulness, transparency, data minimisation, purpose limitation, and accountability.
- Appointment of a Data Protection Supervisor – To oversee compliance internally.
- Development of Internal Policies – Including privacy notices, consent forms, and data protection impact assessments.
- Security Safeguards – To ensure the integrity and confidentiality of personal data.
- Breach Notification Procedures – Prompt reporting of data breaches to the Commission.
- Training & Awareness – For staff and stakeholders on data protection requirements.
Recommendations for Compliance Readiness
- Small Data Controllers:
  - Engage qualified advisors to assess compliance readiness.
  - Transition to appointing a dedicated Data Protection Supervisor as the organisation grows.
- Medium and Large Data Controllers:
  - Ensure the appointment of a full-time in-house Data Protection Supervisor.
  - Develop and implement a compliance framework tailored to the organisation’s size and complexity.
  - Secure the services of a Data Protection Accredited institution if your Data Protection Supervisor is inexperienced.
- Submission of Reports:
  - Prepare and submit comprehensive gap analysis and compliance assessment reports as part of the renewal process.
  - Highlight ongoing measures to maintain adherence to the Data Protection Act.
Due Diligence
The Data Protection Commission (DPC) of Ghana, under Section 54 of the Data Protection Act 2012 (Act 843), offers Due Diligence Search Requests as a paid service to individuals, businesses, and institutions that need to verify the data protection compliance status of Data Controllers. The search covers the registration, renewal and general compliance status of those Data Controllers under the Data Protection Act 2012 (Act 843).
Interested parties must:
- Submit a formal request to the DPC, specifying the Data Controller’s name and purpose of the search.
- Provide supporting documents (if required).
- Pay the applicable processing fee (as determined by the Commission).
- Await processing and verification by the Commission.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) aims to provide organisations with the necessary tools and guidance to adequately identify, assess, and mitigate the personal data risks generated by the processing activities undertaken in their various projects. These projects and their applicable documentation are reviewed by the unit and management to ensure compliance with the Data Protection Act, 2012 (Act 843) while safeguarding individuals’ privacy and personal data. A DPIA helps organisations identify and assess the potential risks to individuals’ privacy and personal data protection before beginning or updating any data processing activity. It is a proactive measure to ensure compliance with legal requirements, mitigate risks, and build trust with the individuals whose data is processed.
Together, we ensure that data protection is integrated into the core of organisational practices, promoting a culture of accountability and respect for individuals’ rights. For further assistance or inquiries, please do not hesitate to contact us at impactassessment@dataprotection.org.gh
When to Conduct a DPIA
In line with Section 282 of the Data Protection Act 2012 (Act 843), a DPIA should be conducted in the following cases:
- Starting a new data processing activity: If the processing could result in high risks to individuals’ privacy (e.g., large-scale data collection or use of sensitive data).
- Introducing new technology or systems: If new technologies, such as AI or facial recognition, could impact data security or privacy.
- Making significant changes to existing processing activities: If changes may increase privacy risks (e.g., altering the scope, purpose, or context of data processing).
- When required by law: For high-risk processing activities such as profiling, automated decision-making, or processing sensitive personal data.