Ghana: Data Protection Act 2012 (Act 843) including business registration requirement entered into force

On 6 January 2013, the Data Protection Act 2012 (Act 843) entered into force. A data controller in existence at the commencement of this Act (16 October 2012) was required to register as a data controller within three months (by 16 January 2013). Additionally, a data controller incorporated or established after the commencement of this Act must register as a data controller within twenty days of starting the business. The Act establishes a Data Protection Register, which is maintained by the Data Protection Commission (DPC) to record data controllers who process personal data. Data controllers are required to register with the DPC by submitting an application that includes details such as their business name, the types of personal data they process, the purposes for processing, and the security measures in place to protect the data. Failure to register while processing personal data is an offence, punishable by fines or imprisonment.