Many businesses in Lesotho mistakenly believe that the absence of an appointed Data Protection Commission means the Data Protection Act is not enforceable. This assumption is both legally incorrect and commercially dangerous.
Every day, organisations in Lesotho collect and process personal data, including customer names, telephone numbers, addresses, and payment information. The notion that such processing is exempt from legal oversight until a regulator is operational ignores the binding nature of the law and exposes businesses to significant legal and financial risk.
The Data Protection Act, 2012 has been in force since its enactment and applies to every organisation that collects, stores, or processes personal information in Lesotho.
The Act:
- Grants individuals the right to access, correct, and block the misuse of their personal data.
- Imposes strict obligations on businesses to obtain informed consent before processing personal data.
- Requires the implementation of security measures to safeguard personal information.
- Extends liability to third parties processing data on behalf of a business, making it the responsibility of the data controller to ensure compliance throughout the chain.
The fact that the Data Protection Commission is not yet appointed does not suspend these obligations. The courts retain full jurisdiction to hear claims under the Act, and individuals may institute proceedings for breaches. Judges are empowered to award damages and impose penalties.
Experience in other African jurisdictions shows that enforcement can begin abruptly and retrospectively:
- Nigeria fined Fidelity Bank over USD 350,000 for collecting data without consent.
- Kenya’s Data Protection Commissioner regularly issues penalties for privacy violations.
- South Africa’s Information Regulator now receives double the number of monthly breach reports compared to the previous year.
In each of these countries, enforcement activity accelerated quickly after regulators became operational, often targeting historic non-compliance.
Compliance is not only a legal requirement but also a competitive advantage:
- Customers are more likely to engage with businesses that can be trusted to handle their personal information securely.
- International partners increasingly demand robust privacy safeguards as a condition for doing business.
- Proper data management improves operational efficiency and decision-making.
Failure to comply can be costly. In South Africa, the average cost of a data breach is estimated at R44.1 million. Globally, SMEs face average costs of USD 105,000 per incident, excluding reputational harm, customer loss, and potential litigation.
With the regulator not yet in place, businesses in Lesotho have a short window to act proactively:
- Audit Your Data Practices – Identify what personal data you collect, why you collect it, where it is stored, and who has access.
- Implement Security Measures – Use encryption, restrict access, and train employees on data handling.
- Update Privacy Notices – Ensure that your policies and consent processes meet the Act’s requirements.
- Manage Third Parties – Conclude written agreements with all third-party data processors, imposing equivalent compliance obligations.
- Develop a Breach Response Plan – Prepare procedures for detecting, reporting, and mitigating breaches.
The absence of an operational Data Protection Commission in Lesotho is not a free pass; it is borrowed time. The Data Protection Act, 2012 is fully enforceable, and when the Commission is appointed, enforcement will likely extend to past conduct.
Businesses that act now will not only avoid costly disputes and penalties but will also position themselves as trusted, compliant partners in an increasingly data-conscious economy. The law is real. The risks are real. The time to comply is now.