Ghana Data Protection Act | Ghana DPA
The Trust Challenge

Key obligations and consequences

The principles of data subject privacy which every data controller is obligated to take into account in processing data are:

  • Accountability.
  • Lawfulness of processing.
  • Specification of purpose.
  • Compatibility of further processing with purpose of collection.
  • Quality of information.
  • Openness.
  • Data security safeguards.
  • Data subject participation.

The Data Protection Act requires that personal data may only be processed if the purpose for which it is to be processed is necessary, relevant, and not excessive. These yardsticks must be used in measuring all claims by the data controller in determining the soliciting and processing of data subjects' information.

The obligation for the data subject to consent to the processing of personal data is a condition which must be fulfilled by the data controller unless the data controller can demonstrate that such processing is:

  • Necessary for the purpose of a contract to which the data subject is a party.
  • Authorized or required by law.
  • To protect a legitimate interest of the data subject.
  • Necessary for the proper performance of a statutory duty.
  • Necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.

The Data Protection Act requires that the data subject must consent to the further processing of the information, or that the data should be publicly available or have been made public by the person concerned, or that the further processing is necessary:

  • For the prevention, detection, investigation, prosecution, or punishment for an offense or breach of law.
  • For the enforcement of a law which imposes a pecuniary penalty.
  • For the enforcement of legislation that concerns the protection of revenue collection.
  • For the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated.
  • For the protection of national security.

The principles relating to data retention also carry with them the obligation to maintain data processing records and ensure that data is not kept beyond the retention period.

The Trust Challenge

Key Challenges in brief:

Data Breach Notification

If the personal data of a data subject has been accessed or acquired by an unauthorized person, the data controller or a third party who processes data under the authority of the data controller shall notify the Commission and the data subject of the unauthorized access or acquisition as soon as reasonably practicable after the discovery of the unauthorized access or acquisition of the data. The data controller shall take steps to ensure the restoration of the integrity of the information system.

Data Retention

The Data Protection Act recognises that there is no one-size-fits-all approach to retention periods. It also recognises that the period for which data subject records may be held can be benchmarked against specific issues. One statutorily prescribed retention principle is that a data controller must not retain personal data for a period longer than is necessary to achieve the purpose for which the data was collected and processed unless:

  • The retention of the record is required or authorized by law.
  • The retention of the record is reasonably necessary for a lawful purpose related to a function or activity.
  • Retention of the record is required by virtue of a contract between the parties to the contract.
  • The data subject consents to the retention of the record.

The retention period for which personal data may be held may be the subject matter of specialized legislation relating to different aspects of activities. The actions of the data controller may trigger a data subject to submit a request for information, and in such circumstances, the data controller would be required to provide the requested information in line with the provisions of the Data Protection Act.

Data Subject Rights

The following are some data owner rights that can be exercised in Ghana:

  • Right to be Informed: Data subjects have the right to be informed of the processing of their personal data and the purposes for which the data is processed.
  • Right to Access: Data subjects have the right to obtain confirmation whether or not the controller holds personal data about them, access their personal data, and obtain descriptions of data recipients.
  • Right to Rectification: Under the right to rectification, data subjects can request the correction of their data.
  • Right to Erasure: Data subjects have the right to request the erasure and destruction of the data that is no longer needed by the organization.
  • Right to Object: The data subject has the right to prevent the data controller from processing personal data if such processing causes or is likely to cause unwarranted damage or distress to the data subject.
  • Right not to be Subjected to Automated Decision-Making: The data subject has the right to not be subject to automated decision-making that significantly affects the individual.

Data protection impact assessment

A Data Protection Impact Assessment ('DPIA') is a practice that every data controller should commit to. Data controllers ought to ensure that compliance monitoring is done at all times so that there are no breaches of the Data Protection Act. Where there are security breaches, the disclosure regime required under the Data Protection Act means that DPIAs are a core practice which every data controller ought to engage in. Security breaches and violations trigger a DPIA at all times.

Win-Win Situation

Solutions

Privacy Process Automation: TurtleShield PA (Privacy Automation) automates and streamlines privacy-related processes and tasks. PIAs and DPIAs aim to enhance privacy practices, ensure compliance with applicable privacy laws and regulations, and protect sensitive information. Overall, a privacy automation solution simplifies and streamlines privacy management processes, reducing the risk of non-compliance and improving data protection practices.

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Silos often exist within entities or between business and IT teams, and it is challenging to get a full picture of the data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing” so that you can take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets using Machine Learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and the legal cost of holding it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability across large datasets fulfills data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else often does not match reality, as customer data exists in many sources. Using Machine Learning and AI, we crawl across data sources and predict where PII can exist.

Consent Management: TurtleShield CM is a solution designed to enable consent compliance within your organization. This involves implementing processes, technologies, and policies that ensure you collect and manage user consent in a way that aligns with applicable data protection regulations and industry best practices. It also enables consent management in 22 regional languages.
