Over 65% of businesses not complying with Data Protection Act

Executive Director of DPC, Patricia Adusei-Poku

… Health, education and religious bodies worst culprits

Out of 6,000 private and public businesses registered at the Registrar Generals’ Department, only 2,000 have registered with the Data Protection Commission (DPC), which means more than 65 percent of business in the country are not data protection compliant.

The act sets out the rules and principles governing the collection, use, disclosure and care for personal data or information by a data controller or processor and the DPC is the only state body mandated to have oversight.

Checks by the B&FT indicate that, while the banking and extractive sectors are among those with high compliance levels, the health, education and religious bodies are among the lowest even though the DPC has classified them as bodies holding very sensitive data and need training on how to manage them.

Executive Director of DPC, Patricia Adusei-Poku, speaking at the lunch of the new Data Protection Registration and Compliance Software said: “we have a lot of work to do, and with the media’s support through challenging them of their status of compliance and how they collect and process data, more and more institutions will be registering with the commission so that we can have a list of them to engage with and support to implement privacy programme. We hope that this time next year we will move closer to the 6,000.”

As a result, the Minister for Communication, Ursula Owusu-Ekuful has granted a six-month amnesty period from October 1, 2020 to March 31, 2021 to defaulting data controllers considering the impact of the COVID-19 Pandemic on businesses.

The Minister said the amnesty period would allow defaulting data controllers to register with the DPC, and pay just the current year’s amount thus waiving any applicable arrears. She cautioned that: “all entities which fail to regularize their operations with the DPC during this amnesty period will face the full brunt of the law after March 31, 2021.”

The move is in accordance with the regulations of section 94 of Act 843 which empowers the Minster to extend the transitional period for data controllers. She however encouraged all defaulting data controllers to take advantage of the amnesty period to be in good standing with the commission.

“The Commission would engage with NITA, GIFEC and the Cyber Security Secretariat and other critical stakeholders in a collaborative effort to step up public education on the need to protect personal data, how to do so and monitor the compliance status of Data Controllers,” she hinted.

Mrs. Adusei-Poku added that the new Data Protection Registration and Compliance Software is interactive and would enhance transparency as well as build trust between the commission, data controllers and data subjects which will contribute significantly to the transformation agenda of the country.

She said the new system has enhanced features such as user ability to update records, allowing the upload of photos, videos and other documents as evidence of accountability to data subjects and the DPC. “The ability to automatically assess your institution’s state of compliance and score against a 100 percent weighted state of compliance are among the many other features.”

Leave a Reply