If your business in Eswatini collects names, phone numbers, ID numbers, payment details or any other personal information, the Data Protection Act No. 5 of 2022 applies to you. The penalties for getting it wrong are serious, but compliance is very achievable with a structured approach. This guide explains the law in plain language and gives you a practical checklist to work through.
What is the Data Protection Act?
The Eswatini Data Protection Act No. 5 of 2022 sets the rules for how organisations collect, store, use and share the personal information of individuals. It exists to protect the privacy of people in Eswatini and to make sure businesses handle data responsibly, lawfully and securely. It applies to companies, NGOs, schools, government bodies and sole traders alike.
Who enforces it, and what are the penalties?
The Act is enforced by ESCCOM, the Communications Commission, acting as the Data Protection Authority. ESCCOM can investigate complaints, audit organisations and impose penalties. Those penalties are substantial: fines of up to E100 million, or up to 5 percent of annual turnover, and/or imprisonment of up to 10 years for serious offences. In short, data protection is no longer optional or a back-office afterthought; it is a board-level responsibility.
Who must comply?
Any organisation that processes personal data of people in Eswatini must comply, regardless of size. If you keep a customer list, run a loyalty programme, employ staff, take bookings or store CVs, you are processing personal data. The more sensitive the data (health, financial, biometric, children's information), the higher the standard of care expected of you.
Your practical compliance checklist
Work through these steps in order. You do not have to do everything at once, but you should be able to show progress and intent.
1. Conduct a data audit. Map what personal data you hold, where it came from, where it is stored, who can access it and how long you keep it. You cannot protect what you have not mapped.
2. Establish a lawful basis. For each type of data, identify why you are allowed to hold it, for example consent, a contract, a legal obligation or a legitimate business interest. Record this reasoning.
3. Get and manage consent properly. Where you rely on consent, it must be freely given, specific and informed. Use clear language, avoid pre-ticked boxes, and make it as easy to withdraw consent as it was to give it.
4. Publish a privacy notice. Tell people, in plain language, what data you collect, why, who you share it with and what their rights are. Put it on your website and reference it on your forms.
5. Implement security controls. Protect data with strong passwords, access restrictions, encryption where appropriate, up-to-date antivirus, secure backups and a firewall. Limit access to staff who genuinely need it.
6. Honour individual rights. People can ask to see, correct or delete their data. Set up a simple process to receive and respond to these requests within a reasonable time.
7. Prepare a breach-response plan. Decide in advance who does what if data is lost or stolen, how you will contain it, how you will notify ESCCOM and affected people, and how you will document it. Practise it before you need it.
8. Appoint a data protection officer or lead. Even a small business should name someone responsible for data protection, training staff and being the point of contact for queries and ESCCOM.
9. Manage third-party processors. If you use external providers (cloud hosting, payroll, email marketing, accounting software), make sure contracts require them to protect data to the same standard. Their failure can become your liability.
10. Train your team and review regularly. Most breaches come from human error. Train staff on phishing, safe handling and the basics of the Act, and review your compliance at least once a year.
Why act now
Beyond avoiding penalties, strong data protection builds trust. Customers are far more willing to share their information, buy from you and stay loyal when they believe you will keep their data safe. Treating compliance as a feature of good service, rather than a burden, turns a legal requirement into a competitive advantage.
Get help becoming compliant
Working through the Act can feel daunting, especially the security controls and breach planning. Busiquip helps Eswatini businesses assess their current position, close the gaps and put practical, affordable safeguards in place. Book a free consultation to review where you stand. Call +268 2404 0156, WhatsApp +268 7941 3899, or visit our Mbabane office, and we will help you protect your business and your customers.






