Every Ghanaian business that collects, processes, or stores personal data — customer names, phone numbers, email addresses, payment information — is subject to Ghana's Data Protection Act, 2012 (Act 843). Most SMEs are unaware of their obligations. Here is what the law requires.
Who Does the Data Protection Act Apply To?
The Act applies to any person or organization (the "data controller") that:
- Collects personal data from individuals in Ghana
- Processes, stores, uses, or discloses personal data
- Controls or processes data in connection with business in Ghana
In practice: almost every business. If you have a customer database, employee records, or a website that collects email addresses, you are a data controller.
Registration with the Data Protection Commission
Before collecting or processing personal data, every data controller must register with the Data Protection Commission (DPC).
Registration involves:
- Completing a registration form describing your data processing activities
- Paying a registration fee (varies by business size)
- Receiving a Data Controller Registration Certificate
Annual renewal is required. Failure to register: fine up to GHS 60,000 and/or imprisonment.
Core Principles of Data Processing
Data controllers must comply with these principles:
1. Consent
Personal data must be collected with the individual's informed consent. They must know: what data is being collected, why, and how it will be used. Pre-ticked boxes or vague consent forms do not constitute valid consent.
2. Purpose Limitation
Data collected for one purpose cannot be used for a different purpose without new consent. If you collect email addresses for order confirmations, you cannot use them for marketing without separate consent.
3. Data Minimization
Only collect data that is necessary for your stated purpose. Don't collect data "just in case."
4. Accuracy
Keep personal data accurate and up to date. Individuals have the right to correct inaccurate data you hold about them.
5. Security
Implement appropriate technical and organizational measures to protect personal data from unauthorized access, loss, or disclosure. This includes: password protection, encryption, access controls, staff training.
6. Retention Limits
Don't keep personal data longer than necessary. Have a data retention policy and delete data when no longer needed.
Individual Rights Under the Act
Every individual whose data you hold has the right to:
- Access their data (Subject Access Request)
- Correct inaccurate data
- Withdraw consent
- Object to processing
- Complain to the DPC
You must respond to data access requests within 21 days.
Privacy Policy
If your business has a website that collects any personal data (contact forms, newsletter sign-ups, analytics), you must display a clear privacy policy explaining: what data you collect, why, how long you keep it, who you share it with, and how individuals can exercise their rights.
Employee Data
Employee records are personal data. HR files, payroll data, performance records, and health information must all be handled in compliance with the Act.
Penalties
- Unregistered data processing: up to GHS 60,000 fine
- Breach of data processing principles: up to GHS 120,000 fine and/or 2 years imprisonment
- Civil liability to affected individuals for damage suffered
Use our free Business Structure Finder. Read about employment contracts and contract essentials.