Zimbabwe recently took a major step towards securing personal data with the passing of Statutory Instrument 155 of 2024. This is significant, as it comes at a time when Internet access in Zimbabwe has become more affordable and widespread. The recent official launch of Starlink in Zimbabwe has led to a reduction in broadband prices, with packages as low as US$30 for 100 Mbps. The result? More businesses and organisations are collecting, storing, and processing larger volumes of personal data, both on-premises and in the cloud.

As the internet infrastructure grows, the issue of data security and protection becomes even more critical. Organisations, from banks to tech companies, now handle vast amounts of user data, often involving sensitive information like biometric data. This new regulation sets out the framework to ensure this data is processed safely and that those responsible for handling it are held accountable.

In this article, we will explore what the Cyber and Data Protection Regulations mean for businesses, how they fit into Zimbabwe’s rapidly evolving internet landscape, and why data protection is now more crucial than ever.

What Is Statutory Instrument 2024-155?

Statutory Instrument (SI) 2024-155 introduces key regulations that govern how personal data is handled in Zimbabwe. At its core, it requires that any person or entity processing personal data must have a data controller licence. This ensures that data is handled in line with best practices and that organisations are accountable for their actions regarding data security.

Here are some key components of the regulations:

Licensing of Data Controllers: Any individual or organisation that processes personal information (e.g., businesses that collect customer information) must apply for a licence from the Data Protection Authority. This licence confirms that the organisation has taken steps to ensure data security.
Data Protection Officers (DPOs): Organisations must appoint a Data Protection Officer to monitor and enforce data protection within the organisation. The DPO ensures compliance with the law and deals with any data protection-related issues that arise.
Data Breaches: If there is a data breach (e.g., unauthorised access to personal information), the organisation must report it to the Data Protection Authority within 24 hours. If the breach could harm individuals, they must also be informed within 72 hours.

Why Is This Important Now?

The timing of these new regulations is particularly significant. The launch of Starlink in Zimbabwe has transformed the internet landscape. With affordable high-speed broadband, more businesses, schools, and even households now rely on cloud-based services and store vast amounts of personal data online.

Prior to Starlink, many Zimbabweans faced limited access to reliable and affordable internet services. Now, with faster and cheaper internet options, more organisations are digitising their processes, increasing the amount of personal data stored electronically. This includes sensitive data such as:

Biometric data (fingerprints, facial recognition)
Personal identifiers (name, address, identification numbers)
Financial information

With increased data comes the need for increased responsibility. Organisations that store this data must now follow strict guidelines to ensure it is protected from misuse, hacking, or loss.

Analysing the Key Provisions

Let us break down some of the major aspects of SI 2024-155 and why they matter in today’s data-driven world:

1. The Licensing of Data Controllers

A data controller is anyone who decides how and why personal data is processed. For example, a telecommunications company storing user information, or a retail store that collects customer data, is a data controller. The new regulations require that these entities obtain a data controller licence from the Data Protection Authority.

The licence is not a one-size-fits-all. There are four different tiers of licences based on the number of people whose data you process. A company processing data for a few hundred people will need a different licence than a larger organisation handling millions of data points. Failing to obtain this licence could result in heavy fines or imprisonment.

2. The Role of Data Protection Officers

A Data Protection Officer (DPO) is a professional within the organisation whose job is to ensure that all data protection laws are followed. The DPO acts as the point person for any data protection issues, monitors internal compliance, trains staff on data protection best practices, and ensures that the organisation’s data-handling activities meet the legal requirements.

DPOs must have relevant qualifications, such as expertise in data science, law, or cybersecurity, and they must undergo specific certification training. The DPO also acts as a liaison between the organisation and the Data Protection Authority, particularly in cases of data breaches or compliance issues.

3. Data Breaches and Accountability

Data breaches are one of the biggest concerns in today’s digital world. If a company’s database is hacked, or if sensitive data is accidentally leaked, this is considered a data breach. Under the new law, organisations must:

Report the breach to the Data Protection Authority within 24 hours.
Inform affected individuals within 72 hours if the breach could negatively impact their rights or freedoms.

This rapid response is critical in minimising the damage that can result from data breaches, especially when personal or financial information is involved.

How This Impacts Businesses and Consumers

For businesses, this means that they must now be more vigilant about how they collect, store, and process personal data. Compliance is no longer optional; it is a legal requirement. Companies that fail to comply with the regulations could face penalties, including fines and imprisonment.

On the other hand, consumers can take comfort in knowing that their data is now protected by law. Whether you are shopping online, using a cloud service, or even just signing up for a newsletter, the new regulations ensure that companies are responsible for keeping your personal information secure.

Frequently Asked Questions (FAQs)

Q: What is a data controller?

A: A data controller is any person or organisation that decides how and why personal information is processed. For example, a company that stores customer data is a data controller.

Q: Do all organisations need a data controller licence?

A: Yes, if your organisation processes personal data for more than 50 individuals, you will need a data controller licence. Different tiers of licences are available based on how much data you process.

Q: What happens if there is a data breach?

A: If your organisation experiences a data breach, you must report it to the Data Protection Authority within 24 hours. If the breach could affect individuals’ rights, you must also inform those affected within 72 hours.

Q: What is the role of a Data Protection Officer?

A: A Data Protection Officer (DPO) ensures that the organisation complies with data protection laws. They monitor data-handling activities, provide training, and serve as the contact point for the Data Protection Authority.

Conclusion

The introduction of Statutory Instrument 2024-155 is a crucial step in protecting the personal data of Zimbabweans as the country’s internet infrastructure grows. With more affordable and widespread access to the internet, particularly through platforms like Starlink, data is being collected and processed at an unprecedented rate. The new regulations ensure that companies and organisations handling this data are held to strict standards, ensuring that data protection is prioritised.

Businesses must now invest in proper data management and protection systems, ensuring compliance with the law to avoid penalties. Meanwhile, consumers can enjoy greater peace of mind knowing that their personal information is safeguarded by this landmark regulation.

With Zimbabwe’s digital landscape rapidly evolving, these regulations provide the necessary framework to ensure that data security keeps pace with technological advancements.