Ghana’s Data Protection Commission has declared 2026 a year of active enforcement and the Communications Minister has ordered a government policy directive mandating fines against non-compliant institutions, signalling the end of a largely educational phase and the beginning of formal regulatory action across public and private sector organisations that handle personal data.
Dr Arnold Kavaarpuo, Executive Director of the Data Protection Commission (DPC), launched the shift at the Data Protection Month 2026 ceremony in Accra on January 26, telling regulators, privacy professionals and government officials that unlawful data processing would now carry real legal and reputational consequences. The month-long programme, expanded from its previous week-long format, was held under the theme “Your Data, Your Identity: Building Trust in Ghana’s Digital Future.”
“2026 will be a year of enforcement,” Dr Kavaarpuo said. “The Data Protection Act emphasises compliance requirements for lawful data processing, and it also provides consequences for non-compliance.”
Under Section 27(1) of the Data Protection Act, 2012 (Act 843), every data controller that intends to process personal data is required to register with the Commission before doing so. Section 56 of the Act prescribes fines and imprisonment of up to four years for intentional misuse or unlawful disclosure of personal data, while failure to comply with an enforcement notice carries a fine or up to one year in prison for directors of non-compliant companies.
At the National Data Protection Conference in Accra on March 2, Communications Minister Samuel Nartey George escalated the government’s position further, disclosing that a policy directive would soon be issued to the DPC to impose fines on organisations that had not registered or complied with the Act. He also confirmed that a new Data Protection Bill was being drafted to extend legal oversight to Artificial Intelligence systems, automated decision-making, deepfakes and cross-border data transfers, areas not covered by the existing 2012 legislation.
The DPC reported significant regulatory progress in 2025, completing its largest nationwide public awareness campaign, which reached an estimated 25 million people, expanding registrations of data controllers, conducting compliance audits across key sectors, and training more than 800 data protection officers. The Commission has also modernised its internal regulatory systems to improve the speed and transparency of its enforcement processes.
Deputy Minister of Communications Mohammed Adams Sukparu said Ghana’s expanding investments in digital identity, Mobile Money (MoMo) and e-government services could only deliver their full value if citizens trusted that their personal data was handled lawfully and securely. The Ghana Association of Privacy Professionals (GAPP) President Emmanuel Gadasu warned organisations to treat data protection officers as strategic assets rather than administrative burdens, saying that data misuse undermined both personal autonomy and economic participation.
