On September 19, 2024, media reports emerged of a landmark ruling on identity theft involving the ride-hailing company Bolt Ghana and one of its customers.
The Circuit Court in Accra ruled in favor of the plaintiff, Justice Noah Adade, who had filed a lawsuit against Bolt Ghana Limited for failing to detect the theft of his identity, which was then used by a driver.
Adade, in his GH¢2 million lawsuit, alleged negligence on the part of the ride-hailing company, stating that Bolt had violated the Data Protection Act by using his personal data for one of its drivers without proper verification.
The plaintiff contended that Bolt had neglected to verify the ownership of the vehicle with registration number GR 2052-22 before registering it.
In his lawsuit, he asked the court to compel Bolt to remove his personal data from its database and sought compensation for the unauthorised use of his information after discovering his identity had been stolen when he requested a ride.
This ruling is expected to raise concerns for individuals in Ghana who often believe that companies, businesses, and even the government frequently violate Data Protection Laws.
Many individuals oppose these data breaches, which include receiving excessive text messages during elections and product campaigns, and other unwarranted communications.
However, businesses operating in the country are mandated to safeguard customers' personal data and adhere to the Data Protection Act, 2012 (Act 843).
To prevent lawsuits related to identity theft, businesses must take proactive steps to protect customers' personal data and ensure compliance with the Data Protection Act, 2012 (Act 843).
GhanaWeb Business offers some essential strategies that businesses can adopt to minimise the risk of identity theft and potential legal consequences.
Compliance with Data Protection Act (DPA) requirements:
Businesses operating in the country must register with the Data Protection Commission (DPC) and adhere to all of its rules and regulations.
Additionally, businesses that rely on data must obtain explicit consent from consumers or individuals before processing their personal data, which must only be used for its intended purpose while ensuring transparency.
Inform customers about data use and adopt strong encryption measures:
Businesses must also inform customers about how their data will be used, stored, and protected, while using strong encryption methods to protect sensitive personal data both in transit and at rest.
Entities must also ensure robust network security through updated firewalls, antivirus programs, and intrusion detection systems while limiting access to personal data to authorized personnel only, using multi-factor authentication and strong password policies.
Additionally, businesses must only collect the minimum amount of personal data necessary for business operations and implement clear policies on how long personal data will be retained, securely deleting or anonymizing data that is no longer required.
Conduct regular audits and risk assessments:
To avoid lawsuits regarding identity theft, businesses must periodically assess the security of data management systems to identify vulnerabilities.
They must also conduct regular security audits and risk assessments to stay ahead of potential threats and ensure compliance with data protection laws.
Employee training and awareness creation:
Employers must ensure staff receive adequate training on data protection best practices and equip them with knowledge of cyber threats, malware attacks, and mitigation measures.
Business operators must ensure employees sign confidentiality and non-disclosure agreements related to handling personal data.
Data breach response plan:
Businesses must also develop a comprehensive data breach response plan to quickly detect, report, and mitigate any breaches. In case of a data breach, businesses must notify the affected individuals and the DPC promptly as required under the DPA.
Review third-party contracts and data sharing agreements:
Businesses must ensure that third-party service providers (such as payment processors or cloud storage services) comply with data protection laws. Owners must also establish clear terms for how personal data is shared and protected when partnering with other businesses.
With additional files from the Data Protection Commission
MA