Most businesses in Eswatini are sitting on a compliance risk they do not know about yet. The Data Protection Act 2022 requires any organisation that holds personal data to put proper security measures in place. For many businesses, that means one thing needs to change immediately: how they verify who accesses their systems.
One-Time Password verification is one of the most practical and affordable ways to address this. This guide covers what the law requires, which businesses face the most exposure, and how to act on it without a big IT budget.
What the Law Actually Requires
The Data Protection Act 2022 (Act No. 5 of 2022) was signed into law on 4 March 2022. It covers any organisation, public or private, that collects or handles personal information about people in Eswatini.
Section 14 is the section most businesses need to pay attention to. It requires data controllers to take reasonable technical and administrative steps to prevent:
- Unauthorised access to personal data
- Unlawful processing of personal data
- Loss or destruction of personal information
The Act also requires businesses to identify the risks to their data, put safeguards in place, check those safeguards are working, and update them as threats evolve.
In plain language
If your customer database, staff portal, or financial system can be accessed with just a username and password, you have a gap. A password alone is not an adequate safeguard. If it is stolen, guessed, or shared, all of your customer data is exposed.
The penalties are serious
Section 53 penalties:
- Administrative fines of up to E5 million or 2% of annual turnover
- Criminal fines of up to E100 million or 5% of annual turnover
- Imprisonment of up to 10 years for the head of the organisation
- Civil claims from affected customers
These are not hypothetical numbers. They are the actual penalties in the Act as gazetted.
Which Businesses Face the Most Risk
| Sector | Data held | Risk |
|---|---|---|
| Financial services | Account numbers, transactions, IDs | Very high |
| Healthcare | Medical records, personal health data | Very high |
| Government bodies | Citizen data, national IDs | Very high |
| Retailers with loyalty programs | Customer names, purchase history | High |
| Schools and universities | Student and parent records | High |
| Stokvels and societies | Member banking details, contributions | High |
| SMEs with customer databases | Contact info, payment history | Medium |
| Broadcasters and media | Subscriber data, payment details | Medium |
What OTP Does and Why it Matters
OTP stands for One-Time Password. When someone tries to log in or complete a sensitive action, a unique six-digit code is sent to their registered mobile number. They enter that code to confirm it is really them. The code expires in minutes and cannot be reused.
This matters because passwords alone fail regularly. People reuse them across accounts, share them with colleagues, and fall for phishing attacks. Once a password is compromised, an attacker has full access. OTP adds a second check that cannot be bypassed without physical access to the person's phone.
| Section 14 requirement | How OTP addresses it |
|---|---|
| Prevent unauthorised access | Only the person holding the registered phone can receive and use the code |
| Establish safeguards against identified risks | OTP is a standard technical control for access security |
| Regularly verify safeguards are working | Every login and transaction is verified in real time |
| Update safeguards as threats evolve | Codes expire in minutes and each one is unique and single use |
What Happens if You Do Not Act
Enforcement of the Data Protection Act is still in its early stages in Eswatini. But that is not a reason to wait. The law is in force and has been since March 2022. Businesses that experience a breach without adequate security measures in place face the full consequences of Section 53.
Beyond the legal penalties, the reputational damage from a data breach is often harder to recover from than the fine itself. Customers who trusted you with their personal information will not easily forgive its exposure.
The question is not whether you will face scrutiny. It is whether you will be ready when you do.
How to Get Started with OTP on Lunyazi
You do not need a large IT team or a significant budget to implement OTP. With Lunyazi, the whole process takes less than a day.
- Create a free account at lunyazi.com
- Top up with Eswatini credits using MoMo
- Connect to the Lunyazi API with two simple calls
- Integrate into your login, payment, or data access flow
- Test with a real number: codes arrive in under two seconds
- Go live: your users are protected
How it works technically
To send an OTP: POST to /otp/send with the recipient's phone number. Lunyazi generates the code and delivers it via SMS.
To verify: your user enters the code. POST to /otp/verify. Lunyazi confirms whether it is correct.
Codes expire in 10 minutes. Five attempts maximum. Brute-force protection is built in.
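The rules stated above (six-digit code, 10-minute expiry, five attempts, single use) can be modelled locally to see how they interact. This is an added example, not Lunyazi's code or API: the `OtpStore` class, its method names and return strings are hypothetical, and the phone number used with it is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # page: codes expire in 10 minutes
MAX_ATTEMPTS = 5             # page: five attempts maximum


class OtpStore:
    """Hypothetical in-memory OTP store; an illustration, not Lunyazi's code."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so expiry can be tested
        self._key = secrets.token_bytes(32)  # per-process key for the code digests
        self._pending = {}                   # phone -> [digest, expires_at, attempts_left]

    def _digest(self, phone, code):
        # Keep only a keyed digest so a dump of the store does not reveal live codes.
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def send(self, phone):
        """Issue a fresh six-digit code, replacing any earlier one for this number."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; keeps leading zeros
        self._pending[phone] = [self._digest(phone, code),
                                self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # a real service hands this to the SMS gateway, not the caller

    def verify(self, phone, code):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'unknown'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "unknown"
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[phone]
            return "expired"
        if attempts_left == 0:
            return "locked"                  # stays locked until a new code is sent
        entry[2] = attempts_left - 1         # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(phone, code)):
            del self._pending[phone]         # single use: a correct code is consumed
            return "ok"
        return "wrong"
```

With these limits a guesser gets at most five tries per issued code out of 1,000,000 possibilities, and a replayed correct code returns 'unknown' because it was deleted on first use.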
Common Questions
Is OTP specifically required by the Act?
The Act does not name OTP specifically. It requires appropriate technical security measures. OTP is widely accepted as a proportionate and effective control for verifying identity and preventing unauthorised access. For any system handling personal data, it is a strong and legally defensible choice.
Does the Act apply to small businesses?
Yes. The Act applies to any data controller processing personal information in Eswatini, regardless of size. The measures you implement should be proportionate to your risk level, but the obligation to act exists for every business.
How much does it cost?
Lunyazi is pay as you go. No monthly fees, no setup costs, no minimum spend. You pay per OTP credit. Top up with MoMo when you need to. Pricing is available at lunyazi.com.
Can it be used for staff systems as well as customer-facing ones?
Yes. Many businesses use Lunyazi OTP for both. Securing staff access to internal systems is just as important as protecting customer accounts. Both are covered under the Act's requirements for data controllers.
How quickly can we go live?
Most businesses are live within a day. If you need help with the integration, the Lunyazi support team is on WhatsApp at +268 7817 0242.
Get compliant today.
No setup fees. No monthly fees. No contracts. Top up with MoMo and go live in minutes.
Start free: www.lunyazi.com | +268 7817 0242 (WhatsApp) | sales@ekukhulenilabs.com