
CEOs must not ignore POTRAZ’s coming compliance storm
For years, data protection in Zimbabwe has largely been treated as a technical issue tucked away in the back offices of companies, banks, insurers, retailers, telecoms firms and even non-governmental organisations.
Many executives have assumed that cybersecurity and data governance are matters for IT departments to handle quietly behind the scenes.
That complacency is about to collide with regulatory reality.
The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has now made it abundantly clear that the era of gentle persuasion is ending.

Beginning in the 4th quarter of 2026, the regulator intends to intensify compliance audits under the Cyber and Data Protection Act [Chapter 12:07], with criminal sanctions, including jail terms of up to seven years for chief executive officers and accountable executives, firmly on the table.
Corporate Zimbabwe should not dismiss this warning as another routine regulatory threat that will fade with time.
The message from POTRAZ Director for Data Protection, Tsitsi Mariwo, is unmistakable: clean up now or face the consequences later.
This development marks a significant shift in Zimbabwe’s corporate governance environment.
Data protection is no longer merely about avoiding reputational embarrassment after a cyberattack or customer data leak. It is now a boardroom risk with criminal implications for executives themselves.
That changes everything.

In today’s digital economy, data has become one of the most valuable corporate assets.
Companies collect vast amounts of personally identifiable information every day: names, ID numbers, bank details, mobile numbers, health information, political affiliations and even religious data.
Yet many organisations continue to store this information carelessly, without proper cybersecurity systems, clear consent protocols, internal audits or trained compliance personnel.
Some businesses are still operating without designated Data Protection Officers despite clear legal requirements. Others remain unlicensed under the Data Protection Regulations. In many cases, boards and executives have failed to appreciate that ignorance of the law will not shield them from liability.
POTRAZ’s planned crackdown therefore represents more than regulatory enforcement. It is a wake-up call for corporate accountability.
To be fair, the regulator cannot be accused of ambushing industry. For the past three years, POTRAZ has invested heavily in awareness campaigns, stakeholder engagement and training programmes. Nearly 1,200 Data Protection Officers have already been trained, creating a growing pool of expertise that organisations can tap into.
The regulator has effectively exhausted the “soft approach”. Enforcement was always inevitable.
Zimbabwean businesses must now move urgently to strengthen their compliance systems. Boards should immediately conduct comprehensive data audits to determine what information they collect, where it is stored, who has access to it and whether current systems comply with the law. Companies must ensure they are properly licensed, appoint qualified Data Protection Officers and implement clear breach reporting and cybersecurity frameworks.
Most importantly, CEOs themselves must take ownership of this issue rather than delegating it entirely to IT departments.
Globally, regulators are tightening data protection laws because the risks associated with weak data governance are enormous.
Data breaches can destroy consumer trust, expose citizens to fraud and identity theft, compromise national security and destabilise financial systems. Zimbabwe cannot afford to lag behind in building a secure digital economy.
Ultimately, POTRAZ’s warning should not be viewed solely as a threat of punishment. It should be understood as an opportunity for businesses to modernise governance standards, build consumer confidence and align themselves with international best practices.



