Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Sandra Ankomah (UGSOL ’26) – 3rd place (Legally Speakin Relaunch Writing Contest)
In the wake of the digital revolution, personal data has become an invaluable asset, shaping how individuals and businesses interact in a rapidly evolving technological landscape. In Ghana, the widespread adoption of digital platforms for banking, healthcare, commerce, and governance has highlighted the pressing need for robust legal frameworks to protect personal information from
misuse and unauthorized access. Recognizing this necessity, Ghana enacted the Data Protection
Act, 2012 (Act 843) [1], which serves as the cornerstone of the country’s data privacy and security
regulations. However, while the law provides a strong foundation, the country faces significant
challenges in ensuring compliance and effective enforcement.
The Legal Framework for Data Protection in Ghana
The Data Protection Act, 2012 (Act 843) [2] was enacted to regulate the collection, processing,
storage, and sharing of personal data. The Act applies to all entities that process personal data
within Ghana, whether in the public or private sector. At the core of the legislation are eight
fundamental data protection principles, which include:
These provisions provide a legal backbone for ensuring personal data security while balancing the
needs of businesses, government institutions, and individuals. There is one feature of the Act that must be taken into account. The DPA distinguishes between data controllers and data processors and sets out differing levels of obligations for each party. A data controller is defined under the law as the entity which
determines the purposes and the manner in which personal data is processed, while a data processor
is any person or entity who processes personal data on behalf of a data controller. The differing
levels of compliance prescribed for data controllers and data processors under the DPA make it
necessary for companies to clearly set out the roles of their independent contractors and service
providers in respect of processing data shared under an outsourcing or service agreement. [3]
Compliance and Enforcement Challenges
Despite the comprehensive legal framework, compliance with data protection regulations remains
a major hurdle. Many businesses and institutions, particularly small and medium enterprises
(SMEs), lack awareness of their obligations under Act 843 [4]. This has resulted in widespread
non-compliance, leaving individuals vulnerable to data breaches and unauthorized data sharing.
The Data Protection Commission (DPC), which was established under Act 843 [5] to enforce
compliance, faces numerous challenges, including limited financial and technical resources.
Section 4 of the Act empowers the DPC to investigate complaints, issue penalties, and conduct audits. However, due to inadequate funding and staffing, enforcement mechanisms remain weak,
allowing many organizations to operate without registering as data controllers (Section 27) [6].
A notable example of enforcement occurred in 2019 when the DPC fined several institutions that
failed to register and comply with the Act. However, enforcement actions remain inconsistent, and
many entities continue to collect and process data without legal authorization.
The DPA also provides penalties and sanctions for
breaches of its provisions. The DPC is authorised to issue enforcement notices to non-compliant
data controllers, who may be liable to a fine of up to GHS1,500 (approximately US$150) or a term of
imprisonment of one year (to be served by directors in the case of non-compliant companies) for
failure to comply with a notice. Non-compliant companies and individuals may also be liable upon
summary conviction to fines under the Act, including the general liability of up to GHS60,000
(approximately US$5,000). The DPC can also cancel the registration of data controllers for
non-compliance and request other regulators to suspend or revoke licences of regulated entities if
they breach the provisions of the Act. Data subjects whose rights have been infringed by a breach
of the DPA are also entitled to claim compensation for any resulting damages. It’s worth noting
that even though the enforcement of sanctions under the DPA is still evolving, the DPC has recently
demonstrated its intention to enforce the law, through its liaison with the Attorney General to
appoint a dedicated prosecutor for DPC cases as well as its engagements with the Chief Justice to
establish a Fasttrack Court for non-compliance suits. [7]
Emerging Data Protection Threats in Ghana
The Rise of Cybercrime
One of the most pressing concerns in Ghana’s data protection landscape is the increasing threat of
cybercrime. With the rise of digital financial transactions, cyberattacks on financial institutions,
government databases, and telecommunications networks have surged. Many organizations
fail to implement adequate cybersecurity measures, exposing personal data to breaches.
The Cybersecurity Act, 2020 (Act 1038) [8] was enacted to complement Act 843 [9] by providing
additional protection against cyber threats. However, there is still a need for stronger collaboration
between regulators, businesses, and law enforcement agencies to combat cybercrime effectively.
Cross-Border Data Transfers
The law permits cross-border transfers of personal data, such as the transfer of personal data of
employees or customers in Ghana to a data centre or server located in another country. In such an
instance, the data controller must obtain the consent of data subjects and must also ensure that
appropriate safeguards are in place to protect the personal data during the transfer. Ghana’s legal framework is still evolving regarding cross-border data transfers, which creates uncertainty for multinational corporations. The lack of clear regulations on data localization and international data-sharing agreements complicates compliance for businesses operating in multiple jurisdictions. Under Section 44 of Act 843, data controllers must ensure that transfers of personal data outside Ghana meet an adequate level of protection. However, there is no clear list of countries deemed to provide such protection, making it difficult for companies to navigate compliance requirements.
Strengthening Data Protection in Ghana
To address these challenges, several measures must be taken to strengthen data protection in
Ghana:
Public Awareness and Education
Greater public awareness and education on data rights and responsibilities are essential. Many
citizens remain unaware of their rights under Act 843, making them susceptible to data
exploitation. Government agencies, civil society organizations, and businesses must collaborate to
promote awareness campaigns that inform individuals about how their data is collected, stored,
and shared.
Data protection impact assessments (DPIAs):
If an organization’s data processing activities are likely to result in a high risk to individuals’
privacy, the company may conduct a DPIA to assess the impact of the processing on individuals’
privacy rights. A DPIA is a risk assessment tool that helps companies identify and mitigate
potential data protection risks. By conducting a DPIA for their operations and projects, companies
can identify areas where they may be at risk of non-compliance and take steps to address these
risks.
Updating Legislation to Align with Global Best Practices
Ghana should consider updating its legislation to align with global best practices, such as the
European Union’s General Data Protection Regulation (GDPR) [10]. Modernizing the law to
address emerging issues, such as artificial intelligence (AI), biometric data, and cloud storage, will
ensure that Ghana remains at the forefront of data privacy protection.
Strengthening Data Security in Organizations
Businesses and organizations must take proactive steps to strengthen data security. Implementing
robust cybersecurity frameworks, adopting encryption technologies, and conducting regular
data protection audits will significantly reduce the risks of breaches. Additionally, organizations
should integrate data protection policies into their corporate governance structures, ensuring that
employees at all levels are trained on data privacy best practices.
Cross-border data transfers:
Organizations which intend to undertake cross-border data transfers must put in place safeguards
to ensure that personal data is adequately protected. These include:
Adequacy decisions: One way to ensure that data is protected is by transferring it to a country that has adequate data protection laws comparable to Ghana. If the country is deemed adequate, the transfer can be made without any additional safeguards.
Standard Contractual Clauses: If the transfer is to a country that is not deemed adequate, standard clauses can be included in outsourcing or other relevant contracts to ensure that personal data is adequately protected in the course of the data transfer.
Binding Corporate Rules (BCRs): BCRs are internal rules that apply to a group of companies, which define the standards and procedures for the transfer of personal data within the group. BCRs are subject to approval by the relevant data protection authorities.
Codes of Conduct: Codes of conduct are sets of rules that organizations can voluntarily adhere to, to demonstrate compliance with the DPA. [11]
Encouraging Responsible Data Collection by Tech Companies
With the growing influence of big data, artificial intelligence, and social media, Ghanaian
regulators must ensure that tech companies comply with ethical data collection and processing
standards. Companies that collect vast amounts of personal information, including social media
platforms and telecommunications firms, must be held accountable for how they use personal data.
Develop data protection policies and procedures:
Organisations should develop clear policies and procedures for the collection, processing, and
storage of personal data, and ensure that all employees are trained on these policies. Such policies
and procedures must include the process of obtaining explicit consent from individuals before
collecting, processing, or storing their personal data, and providing clear and transparent
information about how their data will be used.
Registration and Renewal as Data Controllers with the DPC:
Organizations which are classified as data controllers under the DPA must register with the DPC
and renew their registration every 2 years to ensure compliance. For the purpose of registration, data controllers are classified by the DPC into large, medium and small data controllers, depending
on their annual turnover and number of staff and/or customers.
Foreign companies which are not incorporated in Ghana but are (a) collecting and processing
personal data originating from Ghana or (b) using equipment or data processors in Ghana to
process data, are required under the DPA to register an external company (also known as a branch,
representative office or liaison office) with the Office of the Registrar of Companies and register
as data controllers with the DPC. [12] In practice, however, the DPC does not insist on the requirement to register as an external
company due to the impracticality of enforcement and may allow such foreign companies to
register as data controllers upon fulfilling specified conditions.
Regularly review and update data protection practices:
Companies should regularly review and update their data protection practices to ensure that they
remain compliant with the latest regulations and best practices.
Conclusion
Data protection in Ghana is a critical issue that requires immediate attention and collective
action. While the enactment of the Data Protection Act, 2012 (Act 843) laid a strong legal
foundation, its effectiveness depends on heightened awareness, stricter enforcement, and
improved cybersecurity measures. As Ghana continues its digital transformation, safeguarding
personal data must remain a national priority. By fostering a culture of data privacy and security, Ghana can build trust in digital services and position itself as a leader in data protection on the African continent. The future of data protection in Ghana hinges on the commitment of government agencies, businesses, and individuals to uphold privacy rights and ensure the responsible handling of personal data. Strengthening regulatory oversight, enforcing compliance, and modernizing data protection laws will be
essential steps in securing Ghana’s digital future.
Ending with great quotes from world leaders:
“Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.” —Marlon Brando
And,
“Data is a precious thing and will last longer than the systems themselves.” –Tim Berners-Lee (Inventor of the World Wide Web)
Endnotes