We’ll protect customers’ integrity - data processors
MBABANE - Data processors and controllers have assured the Eswatini Communications Commission (ESCCOM) that they will protect the integrity of customers’ data.
This message was shared during the official handover of data protection certificates to 14 entities that have successfully registered as data controllers/processors, in line with the Data Protection Act of 2022.
The entities include EswatiniBank, Ngwenya Glass, Ezulwini Private Hospital (EPH), ESCCOM and Chakaza Holdings, among others.
The registration started last month and it will end on September 30, 2024.
The Data Protection Act was passed into law in March 2022, to regulate and guide the collection, processing, disclosure and protection of personal information.
The Act designates the ESCCOM as the Eswatini Data Protection Authority (EDPA), charged with the mandate to administer and foster compliance with the Act.
Section 5 of the Act enjoins the commission to maintain a register of all data controllers and data processors.
Thanked
Speaking during the handover ceremony, which was held at the ESCCOM Boardroom yesterday morning, Eswatini Royal Insurance Corporation (ESRIC) Head of Legal Services and Compliance, Sifiso Dlamini, representing the entities, thanked ESCCOM for being the country’s first data protector and data controller.
Dlamini assured the commission that they would protect the integrity of customers’ data.
He detailed that the registration meant they had adopted the “Nkwe” proclamation by His Majesty King Mswati III and they were ready to work.
Dlamini said they would work hard and added that they were confident that the commission would continue to guide them throughout the journey.
ESCCOM Chief Executive (CE) Mvilawemphi Dlamini said data registration is common all over the world, in all organisations that handle people’s data.
The CE said this requirement was not unique to Eswatini, but a best practice and common across many European and African countries already implementing their data protection laws.
According to the CE, registration is one of the biggest steps in complying with the Act.
He stated that compliance should not be seen as a hindrance and cost to the company, but should be viewed as a value-add, in that consumers/data subjects would have trust that their data at the entity’s disposal was secure and that they were legitimate data processors and data controllers duly registered with the EDPA.
Happy
“This is the beginning of a long journey to compliance, and we are happy that you have embarked on the first step and will continue to comply with other obligations as we go together through these uncharted waters of data protection.
“We urge you to continue working closely with the EDPA and respond to consultation processes that may be required from time to time,” the CE said.
He then urged other data controllers and data processors to follow suit and grab the registration opportunity available through the registration window period ending on September 30.
“We have made registration easy as it can be done online and we are happy that daily, we see several registrations; however, as indicated in the decision, registration certificates are issued upon payment of the associated registration fees,” he said.
Furthermore, the CE encouraged all those who are unregistered to complete the process by paying the prescribed registration fees so that they may also be issued with their certificates.
He also advised that the certificates were in a digital format with a unique quick-response (QR) code. According to the Act, an entity can register as both a data controller and a data processor concerning any processing operation.
The Act defines a data controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing personal data.
Demonstrate
The Act states that data controllers must comply and demonstrate compliance with all the data protection principles and meet all obligations under the Act and all regulatory frameworks that may be in place from time to time.
The Act further defines a data processor as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.