Guidelines for Data Controllers & Processors

The Data Protection Act of 2012 (Act 843) establishes rules and principles governing the collection, use, disclosure, destruction, and care of personal data by data controllers (organisations) and data processors. Enforced by the independent Data Protection Commission, the Act aims to ensure compliance and protect individuals’ personal data. The Act has been in effect since 16 October 2012.

Find out more about your obligations as an organisation.

Compliance Requirements for Data Controllers

Under the DPA, all organisations that process personal data must adhere to the following obligations:

  1. Registration with the DPC:
    • Organisations must register with the Data Protection Commission (Sections 46(3) and 27(1)).
    • Registration must be renewed every two years (Section 50).
  2. Appointment of a Data Protection Supervisor:
    • Medium and large data controllers must appoint a dedicated Data Protection Supervisor (Section 58).
    • Small data controllers may be exempt from this requirement but are encouraged to seek advisory services to strengthen their compliance framework.
  3. Compliance Reporting:
    • Organisations must perform a gap analysis audit to identify areas of non-compliance before preparing the compliance assessment report.
    • A compliance report must be submitted prior to the renewal of registration.
    • This report should outline the measures taken to demonstrate adherence to the Data Protection Act.
  4. Audit Readiness:
    • Organisations must be available for ad hoc audits by the DPC.
    • Audit readiness requires maintaining up-to-date and accurate documentation of data protection measures.
  5. Demonstration of Compliance:
    • Organisations must implement and document robust data protection practices to prove adherence to the Act’s principles.

Role and Responsibilities of a Data Protection Supervisor

The Data Protection Supervisor plays a pivotal role in ensuring organisational compliance with the DPA. Their key responsibilities include:

  1. Advisory Role:
    • Providing expert advice on the Data Protection Act’s requirements and best practices.
    • Assisting the organisation in developing and maintaining a comprehensive data protection compliance framework.
  2. Gap Analysis and Compliance Assessment:
    • Conducting a detailed gap analysis to identify areas of non-compliance.
    • Preparing a compliance assessment report to guide corrective actions.
  3. Internal Oversight:
    • Monitoring internal data processing activities to ensure they align with the Data Protection Act.
    • Facilitating regular training for staff to build awareness of data protection principles.
  4. Audit Preparation:
    • Preparing the organisation for potential audits by maintaining thorough documentation of compliance efforts.

Staff Awareness and Training

To ensure compliance with data protection best practices, organisations must prioritise staff training on handling personal data. Key areas of focus should include:

  1. Data Protection Principles:
    • Providing employees with an understanding of the core principles of data protection, including lawfulness, fairness, transparency, and data minimisation.
  2. Handling Personal Data:
    • Training staff on appropriate methods for collecting, storing, using, and disposing of personal data.
    • Emphasizing the importance of maintaining confidentiality and security of personal data.
  3. Incident Reporting:
    • Establishing clear protocols for reporting data breaches or incidents.
    • Ensuring all staff are aware of their roles in responding to data protection issues.
  4. Regular Updates and Refreshers:
    • Conducting periodic training sessions to keep staff informed of changes in data protection regulations and organisational policies.

Restrictions on Data Protection Supervisors

To maintain independence and avoid conflicts of interest:

  1. Cross-Boundary Service Prohibition:
    • Data Protection Supervisors cannot simultaneously serve multiple organisations across different jurisdictions.
    • This restriction ensures their undivided focus on a single organisation’s compliance framework.
  2. Advisory Capacity for Small Data Controllers:
    • For small data controllers, supervisors can provide advisory services but are not mandated to oversee operations directly.
    • Small data controllers are advised to appoint a dedicated Data Protection Supervisor as they scale up their operations.

Recommendations for Compliance Readiness

  1. Small Data Controllers:
    • Engage qualified advisors to assess compliance readiness.
    • Transition to appointing a dedicated Data Protection Supervisor as the organisation grows.
  2. Medium and Large Data Controllers:
    • Ensure the appointment of a full-time in-house Data Protection Supervisor.
    • Develop and implement a compliance framework tailored to the organisation’s size and complexity.
    • Secure the services of a Data Protection Accredited institution if your Data Protection Supervisor is inexperienced.
  3. Submission of Reports:
    • Prepare and submit comprehensive gap analysis and compliance assessment reports as part of the renewal process.
    • Highlight ongoing measures to maintain adherence to the Data Protection Act.

Data Protection Act 2012 (Act 843)

Download the official Act to ensure your organisation complies with legal standards and privacy principles.

Register Your Organisation Today

All organisations that collect or process personal data in Ghana are required to register with the Data Protection Commission. Begin your compliance journey today.


Renew Your Registration

Keep your organisation compliant. If your registration is due for renewal, complete your submission now.
