Sat. Apr 18th, 2026

Act Now: Non‑Compliant Firms Risk Penalties Under New Data Rules

By Jabulani Simplisio Chibaya

HARARE – ZIMBABWE’S data protection landscape has entered an enforcement phase. The latest notice issued by the Postal and Telecommunications Regulatory Authority of Zimbabwe signals a decisive shift—from awareness to compliance.

At the center of this is the Cyber and Data Protection Act, which now requires all organisations that process personal data to be licensed as Data Controllers. The grace period effectively ended in March 2025. As of March 2026, regulators are no longer asking—they are expecting full compliance.


What the Notice Is About (In Simple Terms)

The government is saying:

If your business collects, stores, processes, or uses personal data, you must be licensed.

This applies whether data is handled:

Digitally (databases, apps, emails)

Physically (forms, files)

Through surveillance (CCTV, biometrics)

Despite the deadline passing, many organisations are still operating without a Data Controller licence—and this is now a regulatory risk.


Why This Matters in Today’s Economy

In a Zimbabwean environment already facing:

Rising operational costs

Increased digitisation (mobile money, e-commerce, fintech)

Cybersecurity threats and fraud

Data is now a critical asset—and a liability.

Non-compliance is no longer just a legal issue—it affects:

Customer trust

Partnership eligibility (especially with banks, insurers, and international partners)

Ability to scale digitally

In short: No compliance = limited growth + higher risk exposure


Who Must Comply?

You are affected if you are:

A company, SME, startup, NGO, or institution

Operating in Zimbabwe (or handling Zimbabwean data)

Handling any form of:

Customer data

Employee records

Financial information

Health or biometric data

There are very few exemptions. Assume it applies to you.


Key Requirements for Businesses

To comply, organisations must:

  1. Obtain a Data Controller Licence

Apply through POTRAZ via: https://dcliscensing.potraz.zw/

This legalises your data processing activities

  2. Appoint a Data Protection Officer (DPO)

A responsible person for:

Data governance

Compliance monitoring

Liaison with regulators

  3. Audit Your Data

What data do you collect?

Where is it stored?

Who has access?

Why are you collecting it?

  4. Implement Data Protection Policies

Privacy policies

Data handling procedures

Breach response protocols

  5. Secure Your Systems

Cybersecurity controls

Access management

Encryption where necessary


For Non-Compliant Businesses: Immediate Next Steps

If you have not complied yet, here’s what you must do urgently:

Step 1: Acknowledge Your Exposure

You are currently:

Operating illegally under the Act

At risk of:

Penalties

Reputational damage

Operational restrictions

Step 2: Start the Licensing Process Immediately

Submit your application for a Data Controller licence

Even initiating the process demonstrates intent to comply

Step 3: Conduct a Rapid Data Audit (Within 7–14 Days)

Identify all personal data touchpoints

Prioritise high-risk areas (financial, health, biometric data)

Step 4: Appoint a Responsible Person (Even Interim)

Assign a compliance lead internally

This can later evolve into a formal DPO role

Step 5: Engage Support Where Needed

Legal advisors

IT/cybersecurity experts

Compliance consultants


What Happens If You Ignore This?

Regulators have now signaled active enforcement. Likely consequences include:

Fines and penalties

Suspension of operations in extreme cases

Loss of business with compliant partners

Increased scrutiny in audits and inspections

In a tightening economy, this can cripple already strained businesses.


The Strategic Opportunity (The “Hidden Upside”)

Forward-looking businesses should see this as more than compliance:

Trust Advantage → Customers prefer secure businesses

Partnership Readiness → Required for banks, fintech, global firms

Digital Expansion → Enables safe scaling into e-commerce and data-driven models

Competitive Edge → Many SMEs are still non-compliant

Compliance is becoming a market differentiator.


Final Thought

This notice is not just a regulatory reminder—it’s a signal that Zimbabwe is aligning with global data governance standards.

Businesses that act now will:

Reduce risk

Build trust

Position themselves for growth in a digital economy

Those that delay will find compliance more costly—and possibly too late.

Jabulani Simplisio Chibaya is a Data and AI Consultant specializing in data science, artificial intelligence, blockchain, and cryptocurrency innovation. A seasoned conference speaker, he also writes on the intersection of technology, regulation, and economic development. Contact: Cell: +263 778 921 881, Email: simplisiochibaya22@gmail.com, LinkedIn: https://www.linkedin.com/in/jabulani-simplisio-chibaya

