
Data Protection Obligations in Zimbabwe: Is your Organisation Aligned?
BHEKIMPILO MANGENA AND FUNGAI CHIMWAMUROMBE
Introduction
This article outlines the legal requirements under the Cyber and Data Protection Act [Chapter 12:07], hereinafter the ‘Act’, and Statutory Instrument (S.I.) 155 of 2024, including the obligations for licensing as Data Controllers, appointment of Data Protection Officers (DPOs), and associated compliance measures. The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is the designated Data Protection Authority in Zimbabwe according to section 5 of the Act.
Licensing as Data Controllers
Under Section 4 of the Cyber and Data Protection Regulations (S.I. 155 of 2024), all entities that process personal data for commercial purposes must:
- Apply for a Data Controller license through Form DP1.
- Pay applicable license fees based on their tier (i.e., USD 50 for Tier 1, USD 300 for Tier 2, USD 500 for Tier 3, and USD 2,500 for Tier 4).
- Ensure licenses are valid for 12 months and renewed 3 months prior to expiry.
- Submit applications for licensing by the mandatory deadline of 12 March 2025.
Data controllers include banks, microfinance institutions, insurance companies, credit stores, local authorities, educational institutions, tourism organisations, health facilities (hospitals and pharmacies) and any other organisation that meets the definition of a data controller as given under section 3 of the Act as read with section 4 of S.I. 155 of 2024.
Appointment of a Data Protection Officer (DPO)
By the regulatory deadline of 12 December 2024, all Data Controllers should have:
- Appointed a DPO with the requisite qualifications, including knowledge of data protection laws, data science, or information systems audit.
- Notified the Authority of the appointment within 14 days using Form DP2.
It therefore means that most entities are already in breach of the DPO appointment deadline if this has not yet been done.
Obligations of Data Controllers
Data Controllers must:
- Report data breaches within 24 hours and inform affected data subjects within 72 hours where applicable.
- Ensure the DPO monitors compliance, conducts staff training, and manages data protection audits.
DPO Scope of Services
DPOs are key to Data Controllers and should do the following amongst other duties:
- Monitor compliance with the Cyber and Data Protection Act and Regulations.
- Conduct internal audits and data protection impact assessments.
- Train staff on data protection policies and best practices.
- Act as the point of contact for the Data Protection Authority and data subjects.
- Oversee data breach notifications and reporting requirements.
- Provide compliance training and implement necessary policies to meet regulatory standards.
- Draft and implement relevant data protection policies and procedures to ensure comprehensive compliance.
Conclusion
By appointing a qualified and certified DPO, Data Controllers will fulfil their legal obligations under the Cyber and Data Protection Act while enhancing their data governance frameworks. By aligning with the regulatory provisions on data protection, organisations may achieve compliance assurance and streamlined operations. Failure to comply with data protection regulations may attract a fine not exceeding level 14 or imprisonment for a period not exceeding ten or twenty years, depending on the nature and/or severity of the offence. The law also allows for both a fine and imprisonment.
Bhekimpilo Mangena is a registered Legal Practitioner, Public Accountant and Business Consultant at Zenas Consulting (Pvt) Limited and can be contacted through [email protected].
Fungai Chimwamurombe is a registered legal practitioner and Senior Partner at Chimwamurombe Legal Practice and can be contacted through email [email protected].