Ghana: Data Protection Act 2012 (Act 843) including business registration requirement entered into force with grace period

On 16 October 2012, the Data Protection Act 2012 (Act 843) entered into force with a grace period. A data controller in existence at the commencement of this Act must register as a data controller within three months (by 16 January 2013). Additionally, a data controller incorporated or established after the commencement of this Act must register as a data controller within twenty days of starting the business. The Act establishes a Data Protection Register, which is maintained by the Data Protection Commission (DPC) to record data controllers who process personal data. Data controllers are required to register with the DPC by submitting an application that includes details such as their business name, the types of personal data they process, the purposes for processing, and the security measures in place to protect the data. Failure to register while processing personal data is an offence, punishable by fines or imprisonment.