African countries have been trailing their global counterparts when it comes to enacting laws to protect the digital data of their citizens. But that is changing, and enterprise technology leaders doing business on the continent need to be aware of current legislation in order to make sure digital services are in compliance with new laws.\nAlmost half of Africa's 53 countries \u2014 including some of the biggest sub-Saharan markets \u2014have adopted some form of regulation with the goal of protecting personal data, according to Privacy International. The forward momentum around data protection in the region has, to a large extent, been driven by the European Union's ground-breaking GDPR legislation, which was adopted in 2016, and which has provided a superb framework and a successful model for many countries' legislation globally.\nIn addition to the GDPR, another accelerant was undoubtedly the exposure of the dirty tricks being employed by the British consulting firm Cambridge Analytica. Those revelations revealed how vulnerable African countries were to digital manipulation.\nIn March 2018, the Guardian and New York Times reported how the firm had been hired in both Nigeria and Kenya to influence elections. In the Nigerian case, the firm was hired to dig up \u2018kompromat' on the leader of the opposition, Muhammad Buhari, while in Kenya, they had been hired to influence the results of both the 2013 and 2017 presidential campaigns. To add insult to injury, Cambridge Analytica was also revealed to be actively working to stoke racial resentment and intolerance in South Africa.\nAfrican nations move to coordinate data laws\nIn the wake of these events, and fearing the possibility of having to negotiate different data protection rules in different countries, many enterprise leaders have been hoping for some sort of coordination on data protection legislation among African Union countries. \u00a0\nOne possible framework for such legislation is the African Union's Convention on Cyber Security and Personal Data Protection, which would obligate AU nations to enact policy and regulatory measures for cybersecurity. But even though the document was adopted by the AU in 2014, progress toward actually implementing it has been slow \u2014 at least 15 member AU states must sign and ratify the convention for it to come into force, and that has not happened yet. (Among theratifying countries so far: Angola, Ghana, Guinea, Mozambique, Mauritius, Namibia, Rwanda, Senegal, and Zambia. Some large countries, like South Africa and Nigeria, have passed data protection laws without ratifying the convention.)\nOne of the recurring stumbling blocks seems to be the apparent indifference of local populations to the issue. Anecdotal evidence reveals that many people don't really care very much about data protection and are unaware of their right to privacy. They are also so starved of internet access that when it does finally come, they are happy to go along with it and sort out the issues around data privacy at a later stage.\n"Unfortunately in many cases we are dealing with asymmetric data scenarios where the individual may be \u2018obliged' to divulge data \u2018voluntarily' in order to receive assistance or tangible benefits, without being able to assess the value of what they are divulging, or being able to bargain for fair value," said Joseph Atick, executive director of ID4Africa, a non-profit organisation \u00a0committed to the responsible adoption of modern digital identity systems.\nPublic pressure could be a real accelerant to speed up adoption of legislation, but it seems that is unlikely to come to pass without a major cybersecurity threat that serves to highlight just how vulnerable most people's data really is.\u00a0\nMore emphasis on educating the public about data and its value would help, Atick said. \u00a0\n"Generally speaking there is still no broad awareness of\u00a0 the value of data by the general public in Africa, and hence the question of privacy and data protection and associated regulations appears to be a secondary priority for the population at this stage of development of digital societies," Atick said. "This will change as the data economy emerges in Africa, as it did in the rest of the world, and the value of data gets established within a market economy guided by robust data governance frameworks."\nCommon elements of data protection laws\nThough African countries are far from moving in lock step toward data protection laws, there are many common principles that form the basis of legislation that has passed in Africa, based on elements of the GDPR.\nBasic principles enshrined in the GDR that are reflected in African data protection laws that have been passed so far include:\n\nOrganizations that are collecting data need to make clear that they are doing so, and explain why they are doing so\nThey should only collect data for as long as is necessary to complete the aforementioned purpose\nThey should try to minimize, or limit, the amount of data they need to collect as a way of safeguarding individuals in the event of a breach\nInaccurate or incomplete data should be erased as quickly as possible\nData should be deleted once it is no longer necessary for a given purpose\n\nThese basic elements form the core of most modern data protection legislation. With that in mind, here are steps taken by four of the major African economies to create laws that match the moment in the digital economy.\nNigeria\nNigeria's progress over the last 18 months has been somewhat erratic, yet there has been progress in the adoption of a robust data protection regulation framework. The Data Protection Bill of 2020 is making its way through the legislature with the stated objective of promoting "a code of practice that ensures the privacy and protection of personal data without unduly undermining the legitimate interests of commercial organisations and government security agencies to collect such data."\nData protection is a crucial aspect of the Digital Economic Policy and Strategy espoused by the National Information Technology Development Agency (NITDA).\nThere are a number of plainly stated goals that the Bill aims to achieve:\n\nTo protect data subjects' data vis-\u00e0-vis the use of such data by organisations and security agencies;\nEstablish a regulatory authority that will coordinate data protection and privacy issues and\nHave oversight on data controllers and data processors; and ensure that personal data is processed in accordance with NITDA's data protection principles.\n\nThe bill places a large degree of responsibility on the shoulders of Nigerian data controllers, who are defined as \u2018\u2018a person, company, or other body that determines the purpose and means of personal data processing." Hefty fines and imprisonment are on the books for any contravention of the legislation.\nKenya\nKenya has been at the forefront of African technology and innovation for some time, so it's surprising that the country only passed its Data Protection Regulations in November of 2019.\nThe Act has four distinct components to it, which provide a comprehensive overview:\n\nThe establishment of the Office of the Data Protection Commissioner,\nThe regulation of the processing of personal data,\nProvision for the rights of data subjects\nEstablishment of the obligations of data controllers and processors.\n\nOffences can result in jail time and fines of up to five million Kenyan shilling although progress has been slow following the approval of the act. For example It took another 12 months for the new Data Protection Commissioner, Immaculate Kassait, to be sworn into the position (although the delay can be attributed in part to the understandable focus on fighting the global pandemic).\u00a0\nSouth Africa\nSouth Africa's long-awaited Protection of Personal Information Act (PoPIA) was finally signed into law on July 1, 2020. A grace period of 12e months has been permitted to give companies time to become compliant, and from July 1st 2021, liability comes into effect.\nThe goal of the Act is to force both public and private bodies to follow strict guidelines when collecting, processing, storing and sharing personal information. It's very similar in spirit to the EU's GDPR, but extends the terms to apply not only to individuals but also to companies, trusts and various other collective institutions. In that sense, it goes further than the GDPR does, although it is limited to information that is processed within the borders of South Africa, while the GDPR provides a blanket cover for all European citizens, no matter where on earth that information is gathered.\nGhana\nGhana has been way ahead of most African countries in cybersecurity legislation, establishing the Data Protection Act in 2012, "to protect the privacy of the individual and personal data by regulating the processing of personal information." In October 2020, the Data Protection Commission launched new software tools that streamline the registration and renewal process and improve the user experience for Data Controllers and Processors.\nIt also announced a six-month amnesty period that runs until March 2021, "during which any applicable arrears will be waived allowing defaulting Data Controllers to register with the Commission and pay the current year's fee due only."\nWhat Africa's data laws mean for business\nDespite the slow route many African nations are taking toward implementing data protection rules, there is overall steady movement toward a common set of principles that underly such regulations.\n\u00a0"Data knows no boundaries and neither do data protection laws," said John Giles, the managing attorney at South African law firm Michalsons.\nBut Africa and Nigeria, among other nations, show that even countries that are moving ahead of their regional peers in Africa may use GDPR and the AU's data protection convention as a basis to chart their course. As such, IT leaders in business would do well to focus on the basic principles of the GDPR when rolling out digital services on the continent, especially in those countries that have not yet enacted their own specific regulations.\n"We're fast getting to a world in which each organisation has to comply with the data protection laws of many countries," Giles concluded. "Luckily, data protection laws around the world are very similar and we really have a set of global principles. There will always be some local differences as different cultures value privacy differently. But about 80% will always be the same."