Zimbabwe has taken significant steps towards strengthening its data protection laws with the introduction of new regulations. These changes aim to enhance privacy rights and ensure responsible handling of personal information across various sectors. Therefore, this article explores the key aspects of these regulations and their potential impact on businesses and individuals in Zimbabwe.
Furthermore, the Cyber and Data Protection Act, gazetted in March 2022, marks a crucial development in Zimbabwe’s data protection landscape. These regulations build upon the previous Cyber and Data Protection Act. It introduces new requirements and guidelines for organisations handling personal data.
Scope of work of Data Controllers
Additionally, according to the Act, ”The object of this Act is to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data
controllers, their representatives and data subjects.”
Furthermore, one of the primary focuses of the data protection act in Zimbabwe is the scope of work of data controllers. This new Act aims to ensure accountability and compliance among organisations processing personal information.
Also, some of the key points to consider are that all data controllers or data processors shall ensure that personal information is processed in accordance with the right to privacy of the data subject. Also, the data controller shall ensure the lawful processing of personal information. They must also ensure that this is fair and transparent in relation to any data subject.
Furthermore, the controller is responsible for the collection of information that is explicit, specified and legitimate. Also, that there is no further processing in a manner incompatible with those purposes. These are some of the duties of the data controller whose authority comes from the data authority (POTRAZ).
Appointment of Data Protection Officers (DPOs)
Moreover, the regulations place significant emphasis on the role of DPOs in ensuring compliance with data protection laws 2. Important aspects include that appointment of DPOs is in three specific scenarios. In public authorities, organisations processing data of over 3,000 subjects and those dealing with special categories of data 2.
Also, DPOs are responsible for ensuring compliance with the Act, monitoring internal processes and raising awareness about data protection issues 2. Finally, organisations must notify POTRAZ of DPO appointments and publish their details publicly 2.
Requirements for Processing Personal Data
Additionally, the Act outlines specific requirements for processing personal data, aiming to balance organisational interests with individual rights and freedoms. When acquiring data directly from the data subject, the data controller or the controller’s representative shall provide the data subject with relevant information. This is unless the data subject has already received such information. Moreover, this information includes but not limited to the name and address of the data controller and of his or her representative, if any. The information on the purposes of the processing. Also, the existence of the right to object. This is by request and is free of charge to the intended processing of data relating to him or her. This is also if it is obtained for the purposes of direct marketing.
Security Measures and Breach Reporting
Furthermore, the Act emphasises the importance of robust security measures and timely reporting of data breaches. Data controllers must report personal data breaches to POTRAZ within 24 hours of becoming aware of the breach. Also, affected individuals must be notified without undue delay if the breach poses a high risk to their rights and freedoms. Finally, organisations must establish internal procedures for detecting, investigating, and reporting data breaches.
Conclusion
The Cyber and Data Protection Act represent a significant step towards strengthening data protection in Zimbabwe. While compliance may present challenges for some, the alignment with international standards suggests that many will find the transition relatively straightforward.
As these regulations come into effect, citizens are advised to conduct thorough self-assessments, prepare for potential costs associated with compliance. The government’s efforts to ensure enforcement and compliance are commendable, and citizens should take advantage of the resources provided by POTRAZ to navigate these new requirements successfully.
