Data Privacy Regulations

The following data privacy regulations are applicable to cloud computing in Ghana:

• Data Protection Act, 2012 (Act 843); and
• Cybersecurity Act, 2020 (Act 1038).

Sensitive Data

Section 96 of the Data Protection Act defines personal data as data about an individual who can be identified from the data, or from the data or other information in the possession of or likely to come into the possession of the data controller.

Ghanaian law does not use the term sensitive data but instead refers to special personal data, which consists of information relating to race, colour, ethnic or tribal origin of the data subject, political opinion of the data subject, religious or similar beliefs of the data subject, physical, medical, mental health, or mental condition or DNA of the data subject, sexual orientation of the data subject, commission or alleged commission of an offence by the data subject, or the proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings, or the sentence of any court in the proceedings.

Processing Personal Data in the Cloud

In processing personal data in the cloud, the data controller or processor shall, in respect of foreign data subjects, ensure that personal data is processed according to the data protection legislation of the foreign country of that subject where personal data originating from that country is sent to Ghana for processing, thereby highlighting cross-border individual privacy rights through robust data protection measures during cloud data processing, as required under Section 28 of the Data Protection Act.

Carrying out robust security measures including encryption, access controls, and regular audits is required to uphold the confidentiality and integrity of data stored in the cloud.

Data controllers must ensure that cloud data processors outside Ghana must comply with data protection regulations of Ghana during cloud data processing as required under Section 30 of the Data Protection Act.

Consent of the data subject as required under Section 20 of the Act.

Section 45 of the Data Protection Act directs data controllers established outside Ghana but using equipment or a data processor carrying on business in Ghana to process data, to comply with data protection legislation in Ghana.

Where data controllers oversee processing of data originating partly from Ghana, and partly outside Ghana, or wholly from Ghana, they shall comply with Ghana data protection legislation.

While not expressly stated in the Act, it is the usual practice when transferring data out of the jurisdiction to submit a letter to the Data Protection Commission notifying them of the intended transfer and requesting clearance. This letter typically includes details such as the scope of the transfer, the duration and the purpose.

There are no specific penalties for non-compliance with data privacy regulations applicable to the cloud.

Data controllers, including those using cloud services to process data, who fail to register with the Data Protection Commission may incur liability not exceeding 250 penalty units (currently GHS3,000) or a term of imprisonment not exceeding two years or both as required under Section 56 of the Data Protection Act.

Persons who purchase, obtain or disclose personal data are liable to pay a maximum of GHS3,000 or be sentenced to a maximum of two years in prison or both.

Security Measures Required by Local Law

In Ghana, the Data Protection Act, 2012 (Act 843) and the Cybersecurity Act, 2020 (Act 1038) establish strict standards for securing cloud-stored data. Organisations handling personal data must implement technical and organisational safeguards to preserve confidentiality, integrity and availability. This includes identifying risks, applying and testing controls and updating them as threats evolve.

Section 28 of the Data Protection Act places the data controller under an obligation to take the necessary steps to secure the integrity of personal data in the control or possession of a person by adopting appropriate, reasonable, technical and organisational measures to prevent loss of personal data, damage to personal data, unauthorised destruction to personal data, unlawful access to personal data and unauthorised processing of personal data.

The law requires data controllers to identify reasonably foreseeable risks to personal data under their possession or control, establish and maintain appropriate safeguards against the identified risks, regularly verify that the safeguards are put to action, and ensure that the safeguards are continually updated to counter new risks or deficiencies.

Data controllers are also required to observe generally accepted information security practices and procedures, and specific industry or professional rules and regulations. 

Flowing from the above, data controllers are required by law to implement generally accepted fundamental tools in data protection and cybersecurity such as encryption, authentication, firewalls, vulnerability testing and patching. For example, for data storage, data controllers can leverage strong encryption such as AES-256 to enhance the security of data stored in the cloud.

Data controllers are responsible for ensuring third-party processors meet the same standards. Breaches must be reported to both regulators and affected individuals.

The framework under the Bank of Ghana Cyber and Information Security Directive also requires adherence to recognised security practices and sector-specific rules. For instance, financial institutions must comply with Bank of Ghana (BoG) directives, adopt risk-based approaches aligned with ISO 27000, NIST, and PCI-DSS, and obtain board approval before using cloud services.

Beyond data protection, Ghana’s cybersecurity regime imposes obligations on entities considered critical to the country’s information infrastructure. These organisations must adopt strict access controls, implement robust risk management measures, and report any cyber-incidents to the national response team.

Confidentiality, Integrity and Availability of Data

Confidentiality

Organisations that handle personal data must protect it from unauthorised access or misuse. Those who process data are also required to treat it as confidential at all times. To achieve this, sensitive information must be encrypted when it is transferred, and if stored in the cloud, also while it is at rest. Access should only be given on a need-to-know basis, with strong authentication and system monitoring to detect any suspicious activity. These measures keep the personal data of the data subject restricted from dissemination.

Integrity

Personal data must remain accurate, complete and protected from loss or destruction. Organisations are expected to have safeguards that prevent unauthorised changes and to regularly check that their systems are working properly. This includes controls to protect databases, routine audits and other measures that help ensure information cannot be altered without approval. The goal is to maintain the trustworthiness and reliability of the data.

Availability

It is also important that systems and data remain available when needed. Organisations must have clear governance structures, backup procedures and recovery plans to reduce the risk of disruption. These arrangements should be tested and overseen at the highest level of management, often the board of directors. By doing so, critical services can continue and recover quickly even if there is an unexpected failure or incident.

Encryption Standards for Data in Transit and at Rest in the Cloud

Ghana’s data protection laws do not set out specific encryption standards. Instead, they focus on requiring organisations to take appropriate measures to protect data against unauthorised access or misuse. This approach gives flexibility while still expecting the use of modern, effective security practices.

It is widely accepted in cybersecurity circles that data in transit requires protection by encrypting email servers and web connections using a secured socket layer (SSL), or transport layer security protocols (TLS), and using end-to-end encryption.

For data at rest, recommended standards include protection by deploying a full disc encryption or file encryption.

It is recommended that encryption for data at rest and data in transit require that encryption keys be protected using key management systems that separate encryption keys from the encrypted data. This security measure wards off attackers from deciphering encrypted data, even if the attackers were to gain access to a database. Cloud service providers offering key management systems include AWS KMS, Azure Key Vault and Google Cloud KMS.

For banks and other institutions regulated by the BoG, stricter obligations apply in practice and under the Exposure Draft of the BoG Cyber and Information Security Directive 2025. These institutions must encrypt data both when it is being transferred within and outside the organisation, including on wide area networks, using end-to-end encryption. They must also ensure that data stored in the cloud is encrypted, with the encryption keys kept under the institution’s control rather than with the service provider.

In addition, these institutions are required to align their practices with recognised global standards, such as the ISO 27000 series and the NIST framework. Where payment card data is involved, the PCI-DSS standard must also be followed. Together, these laws make clear that institutions are expected to apply industry-standard cryptography and security measures, even if the law does not list specific algorithms.

For Dedicated Electronic Money Issuers (DEMIs) and Payment Service Providers (PSPs), the BoG has directed them to upgrade their certification from ISO 27001:2013 to ISO 27001:2022 by 31 October 2025.

Access Control Management

Section 24 of the Data Protection Act directs data controllers who retain records of personal data to ensure that the data is adequately protected from unauthorised access or use for unauthorised purposes. In addition, and as mentioned above, Section 28 of the Act also requires data controllers to take steps to prevent unauthorised access to processing of personal data.

Data controllers are responsible for making sure that proper security measures are in place, even when they rely on third-party processors. These processors must be bound by contract to keep data secure and confidential, and the obligation applies whether the processor is located in Ghana or outside the country. This ensures that the same level of protection follows the data wherever it is handled.

For banks and other regulated financial institutions, the rules on access control are more detailed. Staff permissions must be limited strictly to what is necessary for their work (need-to-know basis), supported by unique user IDs, secure authentication and continuous logging of activities. Systems should also apply extra restrictions, such as limits on session duration or access only at approved times of day.

Administrators who manage critical systems must use two-factor authentication to strengthen security. Remote and vendor access must be tightly controlled, closely monitored and fully auditable to reduce the risk of misuse. In addition, when institutions use cloud services, their contracts must give them the right to carry out security audits and to integrate monitoring systems with those of the cloud provider.

Measures to Prevent Unauthorised Access or Data Breaches

Organisations in Ghana are enjoined to assess risks, apply safeguards and keep them updated to protect personal data. Data controllers are responsible for ensuring that data processors also follow these standards through binding contracts. Confidentiality is required at all times, and unauthorised disclosure or sale of data is prohibited. Breaches must be reported to both the regulator and affected individuals.

For banks and other regulated institutions, stricter rules apply. They must use layered security, including firewalls, intrusion detection, endpoint and database protections, and regular vulnerability checks. User access must be closely controlled and monitored, with encryption applied to data in transit and in the cloud, where encryption keys remain under the institution’s control.

Handling Security Accidents and Breaches in the Cloud

When personal data is accessed or obtained without authorisation, the organisation responsible must promptly notify both the regulator and the individuals affected. A short delay is only allowed if law enforcement needs it, but the organisation must also take immediate steps to restore the security of its systems.

The cybersecurity laws of Ghana add further obligations. Organisations are under an obligation to report incidents of data breach to the national response team, with guidance indicating a 24-hour reporting window and penalties for failing to comply.

For banks and other regulated institutions, the requirements are stricter. They must have incident response plans in place, report incidents to the BoG, and carry out a post-incident review within seven days. Continuous improvement is expected, and cloud arrangements must include monitoring and secure, encrypted data flows with service providers.

Data Ownership and Control

Ghana’s data protection law distinguishes between the data controller, who decides why and how personal data is processed, and the data processor, who handles the data on the controller’s behalf. Even when data is stored in the cloud, ownership and control remain with the controller, and the cloud provider has no right to decide the purpose or method of processing.

Controllers must ensure processors provide strong safeguards and must formalise this through a written contract. Such contracts are expected to cover issues like how data is retained or returned at the end of the service, rights to audit or inspect, limits on cross-border transfers, and strict rules on security, confidentiality and non-disclosure.

Therefore, data controllers engaging cloud service providers for data processing must ensure that the cloud agreements adhere to data protection standards in Ghana in addressing data security measures, data breach notification procedures and data transfer mechanisms.

In practice, this means that the customer remains legally responsible for the data, while the cloud provider is bound by contract to act only under the controller’s instructions.

Data Subject Rights

Ghana’s data protection law gives individuals a range of rights over their personal data, whether it is stored locally or in the cloud. For instance:

• people have the right to be informed about why their data is collected, who receives it, and what safeguards are in place;
• people also have the right to access their data, correct inaccuracies and request deletion or blocking of data that is unlawful or irrelevant;
• individuals may object to the processing of their data, including for marketing or profiling, and cannot be subject to automated decisions that have a significant effect on them; and
• where harm results from unlawful processing, they are entitled to seek compensation.

More importantly, the use of cloud services does not reduce or limit these rights. The data controller remains fully responsible for ensuring that all of them are respected.

Exercise of Rights

When individuals wish to exercise their data rights, they must make the request to the data controller – the organisation that collected their information – not to the cloud provider. The controller is responsible for retrieving, correcting or deleting the data, even if it is stored with a third-party processor.

Controllers are required to respond to such requests, including access, rectification or deletion, within 21 days. They must also provide practical ways for individuals to submit requests, whether in writing or electronically.

Cloud providers are usually bound by contract to support the controller in meeting these obligations. This may include enabling data export, correction or deletion, but they may only act on the controller’s instructions.

If a controller fails or refuses to comply, the individual has the right to complain to the Data Protection Commission. The Commission may then investigate and, where necessary, order the controller to take corrective action.

Ghana’s laws do not spell out data portability in the same detailed way as the EU GDPR, but there are provisions that cover many of the same ideas. Under the Data Protection Act, individuals have the right to access their personal data and receive a copy in a form they can understand. They must also be given this information without undue delay or excessive cost.

The law further allows people to demand correction or deletion of their data. This means that controllers, including those using cloud services, must be able to locate, extract and modify personal information when requested. These rights together provide the practical foundation for data portability, even if the term itself is not used.

In addition, sector rules strengthen portability in cloud settings. For example, financial institutions regulated by the BoG must ensure that cloud contracts include exit arrangements. These must allow data to be retrieved, transferred to another provider if needed, and securely deleted when the service ends.

Ghana’s data protection law requires that personal data is not kept longer than necessary for the purpose it was collected. Controllers must set clear retention schedules and ensure data is deleted once it is no longer needed. Special categories of data, such as health or biometric information, may require stricter limits unless there is a lawful or vital reason to retain them. Individuals also have the right to request erasure or blocking of data held beyond necessity.

In the financial sector, additional rules apply. Banks and regulated institutions must adopt formal retention and destruction policies for cloud-stored data. Contracts with cloud providers must include terms on returning or deleting data at the end of the service, and encryption keys must remain under the institution’s control. Secure destruction must cover all data, including backups and redundant copies.

For operators of critical information infrastructure, cybersecurity rules require records and logs to be kept for defined periods, but also demand secure disposal once the data lifecycle ends. Across all sectors, the legal responsibility rests with the controller, even when data is hosted by a third-party provider. Cloud providers may only act on the controller’s instructions, and contracts should give the controller audit rights to verify that data has been properly deleted and not reused.

The following due diligence should be conducted when selecting a cloud service provider.

Legal and Regulatory Compliance

Confirm the CSP is properly registered, licensed (where required), and compliant with Ghana’s Act 843. For regulated sectors like banking, ensure the provider meets BoG’s Cyber and Information Security Directive (CISD) requirements. Always check cross-border data storage and transfer arrangements.

Data Security and Technical Controls

Evaluate whether the CSP applies strong safeguards – encryption (with client-held keys for banks), multi-factor access controls, data segregation, robust backup/disaster recovery capabilities, and effective monitoring and breach response procedures.

Operational and Governance Standards

Look for internationally recognised certifications (ISO, SOC), review internal policies (security, privacy, retention/deletion), and assess provisions for data portability, secure exit, and subcontractor oversight.

Contractual Protections

Contracts should confirm client ownership and control of data, define breach notification timelines, grant audit rights, set exit/migration obligations, and clarify liability and indemnity for security incidents or downtime.

Reputation and Track Record

Check the CSP’s experience in Ghana and Africa, investigate any past breaches or sanctions, and seek client references from comparable organisations.

Security Safeguards

Evaluate the CSP’s security infrastructure, including physical security of data centres, access controls, network security and encryption standards.

Inclusion of Data Protection Requirements

Under Act 843 and regulator guidance, the data controller (customer) remains responsible for compliance even when data is processed in the cloud. To transfer obligations, cloud contracts must include specific clauses.

• The agreement must clearly state that the CSP (processor) only processes personal data on the controller’s instructions.
• The purpose must be lawful, specific and not excessive.
• The law requires data controllers to ensure processors provide “adequate safeguards” (technical and organisational).
• Confidentiality undertakings from the provider’s staff are required.
• Contracts must specify retention periods, data return on termination and secure deletion.
• The law also requires data processors to notify controllers “as soon as reasonably practicable” of breaches or unauthorised access.
• Cloud providers may only engage subcontractors (eg, overseas data centres) with the controller’s authorisation and equivalent safeguards.
• Contracts must regulate hosting outside Ghana to ensure data is not transferred without safeguards consistent with the data protection laws of the country.
• Controllers should include rights to audit, or at least to receive independent audit reports.

Measures in Place to Ensure Compliance

Legal and regulatory measures

The Data Protection Commission oversees compliance with Ghana’s data protection law. It registers and supervises data controllers, who must disclose any processors they use, including cloud service providers. The Commission has powers to audit, investigate and issue orders or sanctions if standards are not met.

The Cybersecurity Act requires certain ICT providers, including those offering cybersecurity-related cloud services, to be licensed by the Cybersecurity Authority. This authority can set technical standards and impose incident-reporting duties. Sector regulators also play a role: the BoG requires financial institutions to seek approval before using cloud services and insists on strict conditions covering encryption, access control, audits and exit provisions. The National Communications Authority may also impose requirements, such as local storage or extra safeguards for subscriber data.

Contractual and Operational Measures

Before engaging a cloud provider, organisations must carry out due diligence, assessing certifications, track record and compliance history. Once contracted, providers are usually required to submit periodic security reports or independent audit certifications such as ISO 27001, ISO 27018 or SOC 2. Controllers should also have audit rights, either directly or through trusted third-party reviews.

Cloud providers must have clear incident-reporting processes to alert both the controller and regulators of any breaches. Contracts should also address termination, requiring providers to return or securely delete data, while ensuring portability and preventing vendor lock-in.

The structure of data processing agreements in the cloud environment are as follows.

• Parties and roles:
1. clearly identify the controller (determines purpose/means) and processor (cloud provider acting only on instructions).
• Purpose and scope:
1. define categories of data subjects, types of data, purposes of processing and retention period. Explicitly prohibit provider’s own use of data.
• Processor obligations:
1. act only on controller’s instructions;
2. maintain confidentiality and security safeguards (encryption, access controls, backups);
3. obtain approval for sub-processing and cross-border transfers;
4. notify controllers of breaches promptly;
5. return or delete data at termination; and
6. support audits or provide certifications (ISO/SOC reports).
• Controller obligations:
1. ensure lawful basis and register with the DPC;
2. inform data subjects of rights and enable access/erasure;
3. conduct due diligence on CSP compliance; and
4. remain legally responsible (liability cannot be shifted).
• Data subject rights:
1. the DPA must require the CSP to assist the controller in fulfilling access, rectification and deletion requests within statutory timelines.
• Security and technical annex:
1. annex should specify encryption, access control, logging/monitoring, segregation, backup, disaster recovery and continuity measures.
• Exit and portability:
1. set procedures for data return, migration in standard formats (CSV/XML/SQL), secure deletion (including backups) and certification of destruction.
• Liability and indemnity:
1. allocate responsibilities and indemnities for breaches, downtime or failures. The controller remains accountable under Act 843 despite negotiated limits.
• Sector-specific (BoG CISD – financial institutions):
1. additional requirements include BoG approval before migration, client-held encryption keys, SOC/SIEM integration, incident reporting within seven days and explicit exit/data retrieval provisions.

Typical Termination and Exit Strategies

Contracts would often specify minimum notice before termination to allow migration.

The provider must return all customer data in a structured, commonly used, machine-readable format. After return, the provider must securely delete all copies (including backups and replicas), providing a certificate of destruction.

The provider may be obliged to assist migration (for a defined period and at agreed fees).

Sometimes data is retained until disputes over termination are resolved, to prevent data loss.

For critical systems (banks, telecoms), regulators may require contingency plans to ensure service continuity during migration.

Note: Cloud service providers may offer a “read-only” grace period post-termination for retrieval.

Migration of Data and Services

Per best practice procedures such as contained in the General Data Protection Regulation, when migrating between cloud providers, the process begins with data migration. Providers are expected to supply secure export tools or APIs that allow customers to extract their data in standard formats such as CSV or XML. During this transfer, data must be encrypted in transit through secure protocols like TLS or VPN, and under BoG rules encryption keys should always remain in the customer’s control. Once the migration is complete, a verification process is undertaken to confirm that all data has been accurately and completely transferred.

Alongside data, there is also application and service migration. Depending on the system’s architecture, workloads may be exported as virtual machine images or container registries. Customers need to carefully document all integrations, APIs and middleware configurations that must be replicated in the new environment. To minimise disruption, many organisations run both the old and new systems in parallel for a short period (a practice called dual hosting) to ensure that the transition is seamless.

Finally, the roles and responsibilities in the migration process must be clearly defined. The customer is responsible for setting the migration timeline, verifying data integrity and providing instructions to the provider. The provider, on the other hand, supplies the export facilities, maintains service continuity until migration is finished, and ensures that residual data is securely deleted afterwards. In some cases, third-party migration specialists or managed service providers may be engaged to provide technical support and ensure that the process is efficient and secure.

Requirements for Reporting

Under Ghanaian law, data breaches largely depend on the industry. Thus, there is no blanket rule that governs general data breaches although there is a general Data Protection Act to deal with loopholes where and when necessary. The regime under three different industries will be evaluated:

• personal data laws;
• cybersecurity industry; and
• banking industry.

The Data Protection Act deals with personal data breaches and states that when a data breach occurs in the cloud and personal data is accessed or acquired by an unauthorised person, the data controller remains responsible for reporting the breach. The data controller must notify the Data Protection Commission within a reasonably practicable time after discovering the breach.

The individual whose data has been breached must also be notified, unless law enforcement or the Commission advises that notification would hinder a criminal investigation. The controller must also, where they have reason to believe that publicity may protect a subject, publicise the breach.

Where the data breached borders on cybersecurity activity, the Cybersecurity Act, 2020 (Act 1038) is activated. The Cybersecurity Act puts data breaches in the cybersecurity industry under the ambit of what it terms a “cybersecurity incident”. A cybersecurity incident loosely refers to attempts, regardless of whether they are successful or not, to gain unauthorised access to information with the aim of either disrupting or misusing the information.

Once a data breach occurs, the Sectoral and National Computer Emergency Response Team, teams set up under Cybersecurity Act to respond to all cybersecurity incidents, shall be called to co-ordinate appropriate responses. The relevant Sectoral Computer Emergency Response Team shall be the first port of call, which will be within 24 hours of detecting the breach, to co-ordinate the appropriate responses to the breach. Thereafter, the Sectoral Team shall co-ordinate with the National Team, which in turn, oversees the responses by the Sectoral Team.

The Cybersecurity Act regulates all data breaches in the following sectors as well as other sectors determined by the Cybersecurity Authority:

• public sector;
• banking and financial sector;
• telecommunications sector;
• energy and utilities sector;
• military sector;
• national security sector;
• academic sector;
• health sector; and
• transportation sector.

Aside from the system of reporting under the Cybersecurity Act, banks and other financial institutions must further, immediately and automatically inform the BoG of any data breaches through the Security Operations Centres they are mandated to establish. Additionally, they must provide a monthly summary of all data incidents to the BoG on the 15th of each month.

Penalties

Under the Data Protection Act, offences committed under the Act and not otherwise specifically provided for, attract a fine of up to 5,000 penalty units (GHS60,000 as at the date of publication of this article, one penalty unit is GHS12) or up to ten years of imprisonment, or both.

Under the Data Protection Act, however, the failure to report a data breach is not classified as an offence. A controller who the Data Protection Commission determines has contravened any of the data protection principles will be served with a notice, known as an enforcement notice, to either take or refrain from processing any personal data based on and in relation to the description in the notice. The Commission will also determine the period the enforcement notice shall apply.

An enforcement notice can either be varied or cancelled based on either an application made by the person who was served the enforcement or by the Commission’s own volition. If a controller, who has been served with the enforcement notice, fails to comply with the notice, they have committed an offence and are liable to a fine of not more than 150 penalty units (which is equal to GHS1,800 as at the time of the publication of this article) or to a term of imprisonment of not more than one year, or to both.

This means that if a data controller commits a data breach which contravenes the data protection principles, they may be liable to be served with an enforcement notice and be liable for a fine if they fail to comply with the enforcement notice.

Under the Cybersecurity Act, the failure of a licensed authority to report a cybersecurity incident is classified as an offence and attracts an administrative penalty of between 250 penalty units and 5,000 penalty units (which at the time of the publication of this article ranges from GHS3,000 to GHS60,000).

Investigations of data breaches are governed by the Data Protection Act where investigations of data breaches are done by two entities, namely, the cloud service provider, acting as data processor, and the data controller. They often employ forensic techniques to trace the source of the intrusion. The data controller would be held responsible for any breaches even when using a cloud service provider.

Efforts to Cease Data Breach

Upon discovering a data breach in the cloud, the data controller must immediately take action to limit the breach, such as putting a stop to any unauthorised practice, recovering the records, or if practicable shutting down the system that was breached. If the last action point is not practicable, it is advisable to revoke or change computer access privileges, and address weaknesses in physical or electronic security. 

Notification

The controller is mandated to notify both the Data Protection Commission and the affected individuals of the breach, while also taking steps to restore the integrity of the compromised system. Notifications to data subjects must contain sufficient detail to enable them to take protective measures in response to the breach. If the investigations uncover the identity of the unauthorised actor, this information must be included in the controller’s report to the Commission. The Commission, being the only entity recognised under the Data Protection Act that can remedy the situation, may issue further directions requiring additional remedial measures or wider public disclosure.

Timeline for Notifying Data Subjects and Regulators

• Personal data – notify the Data Protection Commission as soon as reasonably practicable after notice of the breach as required under Section 31 of the Data Protection Act, except where the disclosure to the data subject will impede a criminal investigation.
• Cybersecurity incidents – within 24 hours of notice of the breach.
• Financial institutions – immediately after notice of the breach.

Information Included in Data Breach Notifications

Notifications must be made in a manner that provides enough detail to allow the individual affected to protect themselves. Practically, this would include:

• a description of the nature of the breach (what happened, and what type of data was affected);
• the likely consequences of the breach;
• measures taken or proposed by the data controller to address or mitigate the breach;
• the identity of the unauthorised person who accessed or acquired the data, if known; and
• any further instructions or precautions data subjects should take.

Co-Ordination

Contracting

• Cloud service agreements must stipulate deadlines for notification in line with law.
• The agreement should also require the CSP to provide the data controller with forensic logs, scope of the breach, affected systems and mitigation measures.
• The agreement should also cover the CSP’s willingness to co-operate during the investigation.
• The agreement must spell out security measures required to be maintained by the CSP.

Internal procedures to expedite co-ordination

• The data controller and CSP must designate a specific person to report breaches and ensure a fast, smooth and clear-cut communication process.
• Assessment and escalation – internal procedures should stipulate the movement of the report from the CSP upwards. The severity of the breach must be assessed and the breach escalated to legal and management teams for formal notification to the Data Protection Commission and data subjects.
• Remediation – the data controller and CSP shall work to restore the integrity of the information systems of the data controller.

Regulation of International Data Transfers

The Data Protection Act does not provide a robust framework for all data matters outside the jurisdiction. It loosely describes a foreign data subject as a data subject which is regulated by foreign laws and is sent to Ghana from a foreign country for processing purposes. It does not speak specifically to international data transfer, but touches on it in a few sections. The concept of foreign data does not apply to data that merely transits through the country without any form of processing.

A holistic reading of the Data Protection Act shows that international transfers are governed by a mix of applicable provisions and specific duties imposed on data controllers and processors (including cloud service providers) in Ghana processing information from foreign data subjects, as well as cloud service providers domiciled in foreign jurisdictions processing information originating from Ghana.

All data controllers established in Ghana, as well as foreign controllers that use local infrastructure, processors, or handle data originating from Ghana, are subject to the local law. Foreign entities must register as external companies if they process such data. The Data Protection Act treats residents, incorporated bodies, registered businesses, associations, and any person operating through an office or branch in Ghana as established locally.

Where personal data from a foreign jurisdiction is sent to Ghana for processing, the controller or processor in Ghana must comply with the data protection law of the originating jurisdiction.

Conversely, where a processor is not domiciled in Ghana (eg, a cloud provider with offshore servers), the Ghanaian data controller must ensure that the processor complies with Ghanaian data protection laws.

Under the Data Protection Act, data controllers must disclose in their application for registration with the Data Protection Commission, the countries to which data will be sent and the safeguards in place to protect it. The Data Protection Commission exercises oversight and may refuse registration if it finds those safeguards inadequate.

Mechanisms for Transferring Data Outside the Jurisdiction

Where the safeguards are deemed adequate, data may be transferred outside the jurisdiction for processing. Moreover, as noted, controllers and processors have cross-border compliance duties. Thus, where Ghana processes data originating from abroad, they must comply with the laws of the originating country; and where a data processor is located outside Ghana, the Ghanaian controller must ensure that the foreign processor complies with the Data Protection Act.

International Data Protection Requirements

Ghanaian law expressly requires that the relationship between data controllers and data processors, including cloud service providers, be governed by a written contract. Such contracts must establish terms that safeguard the confidentiality, integrity and availability of the data. Where the arrangement involves the processing of foreign data by a Ghanaian processor, or Ghanaian data by a foreign processor, the applicable law must be the data protection law of the originating country or Ghana, respectively.

Ghana does not impose a blanket data localisation requirement that all personal data must be stored domestically. International data transfers are permitted, provided they are disclosed during registration and supported by adequate safeguards.

However, the Cybersecurity Act introduces a narrow, sector-specific localisation rule that requires that equipment used for lawful interception of communications can be installed, managed and monitored only within Ghana, and it prohibits remote management from outside the country. This ensures that interception infrastructure and the sensitive data it may capture remain under Ghanaian jurisdiction.

It must be noted that the government of Ghana is working to adopt a data localisation policy to ensure that its external data in other countries is hosted locally in Ghana.

The implications of data localisation on cloud computing would include infrastructure constraints owing to inadequate data centres. This would limit access to existing global platforms such as AWS, Azure and Google Cloud, and water down user experience, because if these tech companies cannot offer Ghana-based hosting, they would not be accessible by users.

In addition, smaller cloud providers and start-ups would face challenges in scaling up owing to infrastructure costs.

From the regulator’s perspective, a key implication is that the Data Protection Commission would gain better oversight of data handling.

In addition, data localisation would make locally stored data less susceptible to foreign government access under laws such as the US CLOUD Act.

Addressing Conflicts of Law in Cross-Border Data Transfers

The law of the data’s origin follows the data. Therefore, foreign data brought into Ghana is subject to the foreign law, and Ghanaian data sent abroad remains subject to Ghanaian law.

International data transfers in the cloud expose Ghanaian data controllers to several risks. Chief among these are conflicting legal obligations, since data hosted abroad may be subject both to the Data Protection Act and to foreign regimes such as the European Union’s General Data Protection Regulation or the US CLOUD Act. The absence of a detailed “adequacy” framework, unlike in the European Union, adds to the regulatory uncertainty, leaving much to the discretion of the Data Protection Commission.

Risks and Challenges Associated With International Data Transfers in the Cloud

Controllers also carry heavy compliance burdens in that they must disclose transfer destinations at registration, ensure foreign processors comply with the Data Protection Act, and verify that Ghanaian processors handling foreign data observe the originating country’s law. Failure to do so risks not just administrative sanctions but criminal liability.

Other risks arise from security, operational and reputational challenges. Data hosted abroad may be more vulnerable to weaker protections or foreign surveillance. Breach notifications can be difficult to co-ordinate across borders, raising the chance of delayed responses. Operationally, the global replication and distribution of data which are core to cloud efficiency, are constrained by Ghana’s dual compliance obligations, which require Ghanaian law to govern Ghanaian data abroad while respecting foreign law when processing foreign data locally. Reputationally, mishandled transfers or breaches can erode trust and damage business credibility.

However, Ghana’s approach also shows flexibility and openness to best practice, which mitigates these risks. The Data Protection Act does not impose strict localisation but instead regulates transfers through disclosure, Commission oversight, and contractual safeguards.

The Data Protection Act strikes a fine balance of requiring Ghanaian processors of foreign data to comply with the laws of the originating country while also ensuring that Ghanaian law applies when local data is processed abroad. This dual compliance model balances sovereignty with cross-border data flows, allowing businesses to participate in the global cloud economy while maintaining accountability and protecting data subjects’ rights.

Compliance audits are conducted in cloud environments in two main ways.

Regulatory Audits

The Data Protection Commission may conduct inspections to ensure controllers and processors comply with the Data Protection Act (safeguards, breach notifications, registration, etc).

The Cybersecurity Authority can audit providers offering cybersecurity services or operating as critical information infrastructure under the Cybersecurity Act.

For banks and financial institutions, the BoG requires periodic ICT/cybersecurity audits and reporting on cloud use under the CISD.

Contractual Audits

Cloud service agreements must include audit rights for customers or require providers to supply independent audit reports in accordance with best practices such as practices under the ISO 27001 and the Payment Card Industry Dada Security Standard (PCI-DSS).

Customers may conduct audits directly or rely on external certifications provided by the cloud provider.

Compliance Audit Scope

Typical compliance audit scope in cloud computing in Ghana covers:

• compliance regarding consent, transparency, retention and subject rights as prescribed by the Data Protection Act;
• security controls which check encryption in transit/at rest, access management, vulnerability management, backup and disaster recovery;
• the existence (or lack thereof) of written controller-processor agreements (in the Data Protection Act) with confidentiality, breach notification and deletion provisions;
• the location of cloud servers and safeguards for data transfers outside Ghana;
• sector-specific regulatory compliance (BoG cloud approval, encryption key retention, incident reporting within seven days, among others); and
• breach policies and evidence of breach handling.

Audit Trails and Logs

Management of audit trails and logs in the cloud are trickier as there are no direct legal provisions as to how these activities are to be carried out. Although the Data Protection Act does not prescribe logging formats, it requires controllers/processors to implement “appropriate, reasonable, technical and organisational measures to prevent loss...” which would typically include traceability.

BoG’s CISD is more prescriptive:

• it requires logging of user activities, admin access and vendor access;
• logs must be integrated into Security Information and Event Management (SIEM)/Security Operations Centre (SOC) monitoring systems; and
• access logs must be immutable and auditable.

Providers often use secure logging mechanisms, digital signatures and timestamps to ensure logs cannot be tampered with.

To further ensure the integrity and accuracy of audit reports in cloud environments, several layers of measures are applied. Independent assurance is provided through reliance on third-party audits and internationally recognised certifications such as ISO standards and SOC 2.

On the technical side, audit trails are safeguarded by cryptographic signatures, secure storage and restricted access to prevent tampering.

From a governance perspective, customers retain the right to verify evidence, compare logs against contractual service level agreements, and rely on oversight from regulators such as the BoG or the Data Protection Commission.

Finally, chain-of-custody procedures are implemented to preserve evidence during regulatory audits, ensuring that records remain authentic and unaltered throughout the process.

Audit findings and recommendations in the cloud are addressed through a combination of corrective, regulatory, contractual and monitoring measures. Cloud providers are required to respond with corrective action plans that include defined remediation timelines, while regulators such as the Data Protection Commission and the BoG may mandate corrective steps within a set period and follow up with additional audits to confirm compliance. Customer contracts also play a critical role, often granting clients the right to demand remediation or even terminate the agreement if significant non-compliance is identified. Beyond these reactive steps, continuous monitoring is maintained through logs and automated compliance dashboards, ensuring that improvements are ongoing and issues are promptly detected and resolved.

There are statutory and contractual penalties for non-compliance with the audit requirements. The Data Protection Act has penalties for general non-compliance with the provisions of the Act. The Data Protection Commission may issue enforcement notices, suspend processing or revoke registration.

The Cybersecurity Act states that critical information infrastructure providers who fail to comply with CSA audit/incident-reporting requirements face administrative penalties, suspension of operations or criminal liability.

The CISD mandates that audit findings be escalated to senior management and the board, followed up via tracking or escalation mechanisms, with institutional commitment (resources, staff, oversight), and with regulatory oversight for serious issues.

Many audit requirements are contractual, not statutory. Non-compliance may result in damages, service credits or termination under the contract.