We’ve all seen the warnings about encrypting sensitive files and being aware of phishing attempts that aim to steal our personal information. But there’s more to data privacy than meets the eye.
Data privacy breaches can have a significant impact on individuals and corporations alike in terms of reputational and financial repercussions.
Online financial services are used more widely in Africa than anywhere else in the world. As Zimbabwe moves more towards being a cashless society, the finance sector is facing an increasing amount of cybercrime, including phishing and bank card cloning — both of which are on the rise.
Such breaches are not unique to Zimbabwe. For example, several Kenyan financial institutions have lost millions of dollars to cybercrime over the past few years, while a leading bank in Rwanda lost $10.3 million to fraudulent customer withdrawals in under three months.
It’s a critical concern for individuals and businesses globally, and moreso for those operating in Africa, where the digital economy is growing by leaps and bounds.
In an effort to counteract these risks and safeguard the data of its citizens and businesses, Zimbabwe formally enacted the Data Protection Act [Chapter 11:24] on December 3, 2021. While the Act deals with aspects of cybersecurity and cybercrime, its primary focus is on data privacy and ensuring data protection for all data collected within the country, as well as outside the country and processed in Zimbabwe. It also includes some of the strictest penalties for non-compliance and breaches by data handlers.
Lorreta Songola, Regional Chief Commercial Officer, Central Africa Region at Liquid Intelligent Technologies, unpacks ten ways to help Zimbabwean organisations and individuals proactively improve and manage their data privacy practices:
- Foster a top-down approach.
Ensure active involvement and support from senior management in data protection efforts. For instance, a multinational corporation might require all its senior executives to undergo annual data protection training that is filtered down to staff and allocate a portion of their budget to cybersecurity initiatives.
- Designate a data protection officer to oversee data protection efforts.
This senior-level person should have expertise in data protection laws and regulations and oversee compliance within the organisation. This role is crucial in ensuring that data privacy is prioritised and implemented effectively. For example, a healthcare company might recruit a seasoned legal professional with expertise in healthcare data privacy laws, responsible for ensuring compliance with regulations and conducting regular data privacy audits.
- Provide regular training to employees on data protection best practices.
Ongoing training helps create a culture of data privacy within the organisation. An e-commerce company might implement a quarterly training programme covering topics such as recognising phishing attacks and secure handling of customer data. Employees also need to be aware of the risks involved with the use of artificial intelligence tools in terms of the information about your organisation that is (potentially) shared and (definitely) stored.
- Implement a data classification system to categorise data based on its sensitivity.
Classify data based on its sensitivity, for instance as ‘public’, ‘internal-only’, ‘confidential’, and ‘restricted’. A financial institution, for example, might categorise its data into these levels, setting access controls accordingly. This helps control access to sensitive information and ensures that appropriate security measures are in place for each data category.
- Always be mindful of retaining customer trust.
Build customer trust by being transparent about data collection and usage practices. For instance, an online retailer might prominently display its privacy policy on its website, detailing how customer data is collected, used, and protected. Clearly communicate to your customers how their information is being used and stored and implement privacy policies that outline your organisation’s commitment to data privacy.
- Understand the concept of data privacy and its importance.
Data privacy refers to the protection of personal information from unauthorised access, use, or disclosure. A tech startup might include a module on data privacy in its onboarding programme for new hires, explaining the principles of data protection and the company's commitment to safeguarding personal information. By defining data privacy and ensuring that all stakeholders understand its importance, organisations can create a framework for protecting sensitive information.
- Always ensure meticulous regulatory compliance.
Ensure compliance with data protection laws and regulations relevant to your jurisdiction. For example, a global company operating in multiple jurisdictions might conduct regular audits to ensure compliance with GDPR and other relevant data protection regulations. Stay updated with changes in legislation and implement necessary changes to remain compliant.
- Implement robust cyber security measures to protect against cyber threats.
Protect against cyber threats by using encryption, firewalls, and anti-virus software. A bank, for example, might implement multi-factor authentication for all online transactions, encrypt sensitive data, and regularly update its firewall and antivirus software to protect against the latest threats. Organisations such as Liquid Zimbabwe can assist businesses with implementing the appropriate solutions.
- Lorreta Songola is the regional chief commercial officer , Central Africa region at Liquid Intelligent Technologies