Statutory Instrument 155 of 2024, formally titled the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024, represents a significant step forward in Zimbabwe's data protection landscape.
The regulations, which came into effect on September 13, 2024, introduce a licensing regime for data controllers and mandate the appointment of data protection officers (DPOs).
This article sets out the key provisions of the regulations, their implications for businesses, and the compliance deadlines that organizations must meet, with the goal of sensitising businesses to key aspects of the new law.
Key provisions of S.I. 155 of 2024
The regulations outline several key provisions:
- Licensing of data controllers: All entities processing personal data for commercial gain or other benefits are required to obtain a data controller license from the Data Protection Authority. Licenses are categorised based on the volume of data processed. Certain entities, such as law enforcement agencies and journalists, are exempt from licensing but still need to comply with data protection principles.
- Appointment of data protection officers: Data controllers must appoint a DPO to oversee data protection compliance. The DPO must have specific qualifications and experience in data protection or related fields. DPOs are responsible for monitoring compliance, advising on data protection matters, and acting as a contact point for data subjects.
- Data security requirements: Data controllers must implement robust technical and organizational measures to protect personal data from unauthorized access, disclosure, or loss.
- Data breach notification: In the event of a data breach, data controllers must notify the Data Protection Authority and affected individuals within specified timeframes. Specifically, data controllers are required to report personal data breaches to the Authority within 24 hours and inform affected individuals within 72 hours.
- Data subject rights: The regulations reinforce the rights of data subjects, including the right to access, rectify, and erase their personal data. Special considerations apply to the processing of children's data, including obtaining parental or legal guardian consent beforehand and conducting regular data protection impact assessments.
Implications for businesses
The regulations have far-reaching implications for businesses operating in Zimbabwe. Compliance with the regulations is mandatory, and failure to comply can result in significant penalties, including fines and imprisonment. Key implications include:
- Licensing requirements: Businesses must assess their data processing activities to determine if they need a data controller license. The licensing process involves completing application forms, paying fees, and demonstrating compliance with data protection principles.
- DPO appointment: Businesses must appoint a qualified DPO to oversee data protection matters. The DPO will be responsible for ensuring compliance with the regulations, conducting data protection impact assessments, and managing data breaches.
- Data security: Businesses must invest in robust security measures to protect personal data. This includes implementing encryption, access controls, and regular security audits.
- Data protection policies: Businesses must create and implement policies and procedures to guide their data protection practices. Thereafter, it is important to train staff on data protection principles and procedures and to review data protection practices regularly to ensure ongoing compliance.
- Data breach response: Businesses must have a plan in place to respond to data breaches promptly. This includes notifying the Data Protection Authority and affected individuals, investigating the breach, and taking steps to mitigate its impact.
- Data subject rights: Businesses must be prepared to handle requests from data subjects to access, rectify, or erase their personal data.
Compliance deadline
The regulations require businesses to obtain a data controller license and appoint a DPO within six months from the date of their promulgation on September 13, 2024.
Therefore, the deadline for compliance is March 13, 2025. It is advisable to commence the compliance process as soon as possible to avoid penalties and ensure adequate data protection measures are in place.
Conclusion
Statutory Instrument 155 of 2024 marks a significant advancement in Zimbabwe's data protection framework.
Businesses must take immediate steps to understand and comply with the regulations to avoid penalties and protect their reputation.
By understanding the key provisions and compliance obligations, businesses can proactively adapt their practices to meet the requirements of this new legislation.
Failure to comply with the regulations can result in substantial fines and penalties. It is essential for businesses to seek legal advice to ensure they are fully compliant with the law and protect the privacy rights of their customers.
The information and opinions expressed above are for general information only. They are not intended to constitute legal or other professional advice. For clarification, assistance, or if you have questions about the article, contact Beatrice Moyo on beatrice@mushoriwamoyi.co.zw. Beatrice is a legal practitioner practising in Harare, Zimbabwe.