Resources & Regulatory Information

Comprehensive information about data protection laws and regulators across Africa

72-Hour Rule

Most jurisdictions require breach notification within 72 hours of discovery

High Risk Breaches

Notify affected individuals if a breach poses a high risk to their rights

Prevention First

Implement technical and organizational measures to prevent breaches

Documentation

Keep detailed records of all personal data processing and security measures

African Data Protection Jurisdictions

Nigeria
Law: Nigeria Data Protection Act (NDPA, 2023)
Regulator: Nigeria Data Protection Commission (NDPC)
Notification Period: 72 hours
Potential Fines: Up to 10% of annual turnover or ₦10 million

South Africa
Law: Protection of Personal Information Act (POPIA)
Regulator: The Information Regulator
Notification Period: As soon as reasonably possible
Potential Fines: Up to R10 million or 10 years imprisonment

Kenya
Law: Data Protection Act (2019)
Regulator: Office of the Data Protection Commissioner
Notification Period: 72 hours
Potential Fines: Up to KSh 5 million or 10% of annual turnover

Ghana
Law: Data Protection Act (2012)
Regulator: Data Protection Commission
Notification Period: Within 72 hours
Potential Fines: Up to GH₵300,000

Uganda
Law: Data Protection and Privacy Act (2019)
Regulator: The Personal Data Protection Office
Notification Period: 72 hours
Potential Fines: Up to UGX 500 million

Zambia
Law: Data Protection Act (2021)
Regulator: The Office of the Data Protection Commissioner
Notification Period: 72 hours
Potential Fines: Up to ZMW 500,000

Botswana
Law: The Data Protection Act – Act No. 18 of 2024
Regulator: The Information and Data Protection Commission
Notification Period: 72 hours
Potential Fines: Up to P500,000

Malawi
Law: Data Protection Act, 2024
Regulator: The Malawi Communications Regulatory Authority (MACRA)
Notification Period: 72 hours
Potential Fines: Up to MWK 50 million

Rwanda
Law: Protection of Personal and Privacy 2021
Regulator: The National Cybersecurity Authority (NCSA)
Notification Period: 72 hours
Potential Fines: Up to RWF 50 million

Tanzania
Law: Personal Data Protection Act (PDPA)
Regulator: The Personal Data Protection Commission
Notification Period: 72 hours
Potential Fines: Up to TZS 100 million

Mauritius
Law: The Data Protection Act 2017
Regulator: Data Protection Office
Notification Period: 72 hours
Potential Fines: Up to MUR 500,000

Ethiopia
Law: Personal Data Protection Proclamation
Regulator: Ethiopian Communications Authority
Notification Period: 72 hours
Potential Fines: Up to ETB 5 million

Breach Prevention Best Practices

  • Implement strong access controls with multi-factor authentication
  • Encrypt sensitive data both in transit and at rest
  • Conduct regular security awareness training for all staff
  • Maintain up-to-date software and security patches
  • Perform regular backups and test recovery procedures
  • Limit data collection to what is necessary for business purposes
  • Implement proper data retention and deletion policies

Breach Response Checklist

1. Immediate Containment

Stop the breach from continuing or spreading

2. Assessment

Determine scope, cause, and affected data

3. Notification

Notify regulators and affected individuals

4. Recovery

Restore systems and implement improvements

Additional Resources

Legal Guidance

Consult with local legal experts familiar with data protection laws in your jurisdiction.

Cybersecurity Training

Regular training programs for staff on recognizing and preventing security threats.

Industry Networks

Connect with other SMEs to share best practices and lessons learned.

Compliance Frameworks

Consider implementing ISO 27001 or similar information security frameworks.

Penetration Testing

Regular security assessments to identify vulnerabilities before attackers do.

Vendor Management

Ensure third-party vendors meet your data protection standards.

Need Additional Help?

While this toolkit provides comprehensive guidance, some situations may require professional assistance.

Legal Counsel

For complex legal questions or major breaches

IT Security Experts

For technical incident response and recovery

Compliance Consultants

For ongoing compliance and policy development