Navigating Zimbabwe’s Data Protection Act: A Guide for Businesses

By Chihambakwe & Partners

In an era where data is often described as the new oil, the way businesses handle personal information is no longer just a matter of best practice—it is a critical legal mandate. Zimbabwe took a significant step in regulating this space with the enactment of the Cyber and Data Protection Act [Chapter 12:07] (the "Act") and the subsequent release of the Cyber and Data Protection Regulations, 2024 ("SI 155 of 2024").

These laws represent a paradigm shift in how companies must manage the data of employees, clients, suppliers, and any natural person they interact with. For businesses operating in or dealing with Zimbabwe, understanding and complying with this framework is essential to mitigate severe legal, financial, and reputational risks.

This article provides an overview of the key provisions of the Act and practical steps toward achieving compliance.

Understanding the Core Terms

To navigate the law, one must first understand who is who and what is regulated:

  • Personal Information: Any data relating to an identifiable living human being. This includes names, addresses, ID numbers, phone numbers, photos, financial history, and medical records.
  • Data Subject: The individual whose personal information is being processed.
  • Data Controller: The person or entity (e.g., your company) that decides why and how personal information is processed.
  • Data Processor: A third party that processes data on behalf of the Data Controller (e.g., a cloud storage provider or an external payroll company).
  • Processing: Any operation performed on data, whether automated or manual, including collecting, recording, organizing, storing, using, disclosing, or destroying it.

The Authority: The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is the designated Data Protection Authority responsible for enforcing the Act.

The 8 Foundational Principles of Data Protection

At the heart of the Act are eight principles that must govern every aspect of data handling:

  1. Lawfulness, Fairness, and Transparency: Data must be processed legally, fairly, and in a way that is transparent to the data subject.
  2. Purpose Limitation: You may only collect data for a specific, explicit, and legitimate purpose, and not use it for anything incompatible with that purpose.
  3. Data Minimization: Only collect the minimum amount of data necessary for your intended purpose.
  4. Accuracy: Data must be accurate and kept up to date. Inaccurate data must be erased or corrected immediately.
  5. Storage Limitation: You should not keep personal data longer than is necessary to achieve the purpose for which it was collected.
  6. Integrity and Confidentiality: You must implement appropriate technical and organizational security measures to protect data from unauthorized access, loss, destruction, or damage.
  7. Accountability: The Data Controller is responsible for, and must be able to demonstrate, compliance with all the above principles.
  8. Data Subject Rights: You must respect the rights of individuals to access their data, object to processing, request correction, and request deletion.

Practical Compliance Steps for Businesses

Achieving compliance is an ongoing process, not a one-off project. Here are the immediate steps your business should take:

  1. Conduct a Data Audit
    Map out what personal data your organization collects, where it comes from, why you need it, where it is stored, who can access it, and when it is deleted. This audit is the foundation of your compliance strategy.
  2. Appoint a Data Protection Officer (DPO)
    Under the 2024 Regulations, most Data Controllers must appoint a DPO. The DPO is responsible for overseeing compliance within the organization, serving as the point of contact for POTRAZ and data subjects, and driving awareness. The DPO must undergo a certification course approved by POTRAZ.
  3. Register and Apply for a Licence
    Many Data Controllers are now required to register with POTRAZ and apply for a Data Controller Licence. The regulations categorize controllers into four tiers based on the number of data subjects they manage, with different licensing fees applicable to each tier. If you process the data of 50 or more individuals, registration is likely mandatory.
  4. Review and Update Policies
    Update your external privacy policies (available on your website) and your internal data protection policies to align with the Act. These policies must clearly explain how you comply with the data protection principles.
  5. Manage Breaches and Third Parties
    Breach Notification: Implement a robust incident response plan. You are required to notify POTRAZ of any data breach within 24 hours of becoming aware of it.
    Third-Party Contracts: Ensure your contracts with Data Processors include specific clauses outlining their data protection obligations.
    Cross-Border Transfers: You cannot transfer data outside of Zimbabwe unless the destination country has adequate data protection laws or specific safeguards are in place.

Conclusion

Zimbabwe’s Data Protection Act is not just a regulatory hurdle; it is an opportunity to build trust with your stakeholders. By prioritizing data privacy, you protect not only your clients but also your business from significant liability.

Non-compliance can lead to massive administrative fines, imprisonment of company officers, and the forced cessation of data processing activities.

Need Assistance?

Navigating the complexities of the Act and its regulations requires specialized legal expertise. Chihambakwe and Partners is equipped to assist your organization with data audits, DPO training support, licensing applications, and policy drafting to ensure you are fully compliant.

Contact us today at our WhatsApp number to schedule a consultation.