Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
October 11, 2024
A friend who lives in the UK currently posted this message on our professional platform: Institute of ICT Professionals Ghana (IIPGH) on the 7th October 2024.
I registered a company in obimanso (foreign land) about 3 months ago. Last week i got a letter from the obimanso (foreign land) “Data Protection office”. The interesting thing is the title of the letter: Pay the data protection fee. It’s the law – the title reads. The cost is £40/Year. Failure to pay can results in a fine of up to £4,000. I am wondering, @Emmanuel Gadasu. Is this something the data protection commission in Ghana can look into? Connect with registrar general and anytime a company is registered, they are looped in.
I believe the systems put in place and the collaborative efforts of the Information Commissioners Office (ICO) led to the message above. This will definitely lead to higher data controller/processor registration in the UK.
The Transitional provisions in the Data Protection Act 843 is clear through Section 97 subsections 1 and 2 when a newly incorporated business is required to register and when existing companies before the coming into force of this Act should register.
97 (1) A data controller incorporated or established after the commencement of this Act shall be required to register as a data controller within twenty (21) days of the commencement of business.
(2) A data controller in existence at the commencement of this Act shall be required to register as a data controller within three months after the commencement of this Act.
The above proviso in the Data Protection Act 2012 (Act 843) ideally will ensure that most companies are registered with the Data Protection Commission (DPC). This is however not the case in Ghana. There is a great number of companies that have not registered or renewed their data protection certificates with the DPC as required by Act 843. To ensure that most of these companies are registered and continue to renew their Data Protection Certificates every two (2) years (as stated in Section 50: A registration shall be renewed every two years.), I would like to propose a collaborative strategy to enhance compliance. To ensure that all companies register and renew their data protection status every two years, the DPC can liaise with several key institutions that regulate and interact with these companies.
Below are specific suggestions for collaboration with each institution:
- Registrar General’s Department
The DPC can work closely with the Registrar General’s Department to create a seamless system where businesses are reminded about their data protection obligations at the point of registration and renewal of business licenses. This can be achieved by integrating data protection registration into the company incorporation and renewal process. Any business seeking to renew their license would be required to present proof of registration with the DPC before proceeding.
- Public Procurement Authority (PPA)
The Public Procurement Authority can play a pivotal role in ensuring that companies participating in public contracts or bidding processes are compliant with the DPC’s requirements. By mandating proof of valid data protection registration and renewal as part of the criteria for eligibility in public procurement tenders, companies will be compelled to register or renew with the DPC before bidding on government contracts.
- Ghana Revenue Authority (GRA)
The DPC can collaborate with the GRA to integrate data protection registration as part of the tax filing and clearance certificate processes. The GRA could require that companies provide evidence of compliance with the DPC before being issued tax clearance certificates. This would ensure that tax-compliant businesses are also compliant with data protection regulations.
- Bank of Ghana
As a key regulatory body overseeing the banking and financial services sector, the Bank of Ghana can be instrumental in enforcing data protection compliance. The DPC could partner with the Bank of Ghana to mandate that all licensed financial institutions provide proof of registration with the DPC before their operational licenses are renewed or granted. This could also extend to ensuring that financial institutions only work with businesses that are registered with the DPC.
- Banks/Financial Institutions
Financial institutions can help enforce compliance by making data protection registration a requirement for companies applying for loans, credit facilities, or other banking services. By incorporating this into their Know Your Customer (KYC) procedures, banks would ensure that any company seeking financial assistance must first present a valid data protection registration or renewal certificate.
- Health Facilities Regulatory Agency (HEFRA)
Given the sensitive nature of data handled by health institutions, collaborating with HEFRA is crucial. The DPC could work with HEFRA to ensure that all healthcare facilities—both public and private—are required to register with the DPC before receiving operational licenses or permits from HEFRA. Renewal of these licenses could also be tied to proof of updated data protection registration.
- National Insurance Commission (NIC)
The DPC could engage with the National Insurance Commission to make it mandatory for insurance companies to provide proof of valid data protection registration as part of their regulatory compliance. This requirement can be extended to insurance companies’ clients, ensuring that any business seeking insurance coverage is also registered with the DPC.
Implementation Strategy
Inter-institutional MoUs: The DPC can enter into formal Memorandums of Understanding (MoUs) with each of these regulatory bodies to clearly define roles and responsibilities.
Joint Communication Campaigns: The DPC and the respective institutions can carry out joint awareness campaigns to educate businesses about the importance of data protection and the mandatory nature of registration.
Centralized Database: Establish a centralized database where each regulatory institution can verify the compliance status of businesses seeking services, contracts, or licensing.
I believe these measures will create a stronger enforcement framework, ensuring that businesses in Ghana take their data protection obligations seriously. I am confident that through collaborative efforts, the DPC can achieve higher compliance rates and strengthen data privacy across the country.
Author: Emmanuel K. Gadasu
(CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)
The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com.
LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/
Facebook: https://web.facebook.com/emmanuel.gadasu/
