Every business that collects, stores, or processes personal data about customers, employees, or any other individuals in Ghana is subject to the Data Protection Act, 2012 (Act 843). Yet compliance remains one of the most overlooked legal requirements for Ghanaian businesses — from small online shops to large corporations.
What Is Personal Data?
Under Act 843, personal data means data about an identifiable individual — this includes:
- Names and contact details (phone, email, address)
- National ID numbers, passport numbers
- Financial information
- Health information
- Location data
- Biometric data (fingerprints, photos)
- IP addresses and online identifiers
If your business collects any of this — and virtually every business does — Act 843 applies to you.
The National Data Protection Commission (NDPC)
The National Data Protection Commission enforces Act 843. It has powers to investigate complaints, audit businesses, issue enforcement notices, and impose penalties.
Registration Requirement
Every data controller (a person or organisation that determines how personal data is processed) must register with the NDPC before processing personal data. Registration is done online through the NDPC portal.
Cost: GHS 500–2,000 annually depending on business size. Failure to register is an offence.
The Data Protection Principles
Businesses must process personal data in accordance with these principles:
- Lawful basis: You must have a legitimate reason for processing — consent, contract performance, legal obligation, or legitimate interests
- Purpose limitation: Collect data only for specified, explicit, and legitimate purposes, and don't reuse it for anything else
- Data minimisation: Collect only the minimum data needed for your purpose
- Accuracy: Keep data accurate and up to date
- Storage limitation: Don't keep data longer than necessary
- Security: Protect data with appropriate technical and organisational measures
Data Subject Rights
Individuals whose data you hold have rights:
- Right to access their data (you must provide a copy on request)
- Right to correction of inaccurate data
- Right to deletion (where data is no longer needed)
- Right to object to processing
- Right to withdraw consent
You must have a process to respond to these requests within a reasonable timeframe (typically 21 days).
Consent Requirements
Where you rely on consent to process personal data, the consent must be:
- Freely given (not a condition of service unless the data is genuinely necessary)
- Specific — for identified purposes
- Informed — the individual must know what they're consenting to
- Unambiguous — no pre-ticked boxes
Security Requirements
You must implement appropriate security measures including:
- Password protection and encryption
- Access controls (only authorised staff can access personal data)
- Secure storage (physical and digital)
- Procedures for responding to data breaches
Penalties for Breach
Violations of Act 843 can result in:
- Fines up to GHS 60,000
- Criminal prosecution with potential imprisonment
- Compensation orders to affected data subjects
- Enforcement notices requiring changes to data practices