Data Protection Regulations of 2024 and Compliance

Introduction

The Cyber and Data Protection Act (Chapter 12:07) (No. 5 of 2021) (hereinafter referred to as “the Act”) was enacted in 2021. Further, Statutory Instrument 155 of 2024 – Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (hereinafter referred to as “the SI” or “the Regulations”) were promulgated on 13th September 2024.

Briefly about the Act

According to the Act, it is an Act to provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest; to establish a Cyber Security Centre; a Data Protection Authority and to provide for their functions; to create a technology driven business environment and encourage technological development and the lawful use of technology; to amend sections 162 to 166 of the Criminal Code (Codification and Reform) Act [Chapter 9:23] to provide for investigation and collection of evidence of cyber crime and unauthorised data collection and breaches, and to provide for admissibility of electronic evidence for such offences and to provide for matters connected with or incidental to the foregoing.

The object of the Act is to increase data protection in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.

The Regulations

The Regulations were made by the Minister of Information Communications Technology, Postal and Courier Services in consultation with the Authority (Postal and Telecommunication Regulatory Authority or POTRAZ), in terms of section 32 of the Cyber and Data Protection Act [Chapter 12:07]. These were gazetted on 13 September 2024.

Salient provisions of the Regulations

For purposes of this article I list the following as the key or salient provisions in the regulations:

  • Processing of data (section 3)
  • Licensing of data controllers (section 4)
  • Obligations of data controllers (section 10)
  • Appointment of data protection officers (section 12)
  • Qualifications of data protection officers (section 13)
  • Functions of data protection officers (section 14)
  • Security of data (section 16)
  • Security breach notification (section 17)

Data processing

According to section 3 of the Regulations:

  • Subsection 1 – No person shall process personal information for the purposes indicated in subsection (2) unless they are licensed with the Authority.
  • Subsection 2 – Subject to section 4, any person who processes personal information with the intention to—

(a) decide the means, purpose or outcome of the processing;

(b) decide what personal data should be collected;

(c) decide which individuals to collect personal data from;

(d) obtain a commercial gain or other benefit from the processing of personal data;

shall apply for a licence in terms of these regulations.

  • Subsection 3 – Any person who processes personal information in terms of this section without a data controller licence within the stipulated time frames shall be guilty of an offence and liable to a fine not exceeding level 11 or to imprisonment for a period not exceeding seven years or to both such fine and such imprisonment.

According to section 4(1), any person, whether alone or jointly with others, who determines the purposes and means of the processing of personal data shall apply for a data controller licence.

Key definitions

According to the Act “data” means any representation of facts, concepts, information, whether in text, audio, video, images, machine-readable code or instructions, in a form suitable for communications, interpretation or processing in a computer device, computer system, database, electronic communications network or related devices and includes a computer programme and traffic data.

In terms of the Act, a “data controller” or “controller”:

  • refers to any natural person or legal person who is licensable by the Authority
  • includes public bodies and any other person who determines the purpose and means of processing data.

According to the Act “data protection officer” or “DPO” refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act. “Data subject” refers to an individual who is an identifiable person and the subject of data.

Deadline for the registration of data controllers

According to section 4(5) of the Regulations, a data controller was required to submit an application to POTRAZ by 12th March 2025, being 6 months after the promulgation of the Regulations on 13th September 2024.

Timeframe for the appointment of data protection officer

According to section 12:

  • A data controller is required to appoint a Data Protection Officer within 90 days from the date of promulgation of these regulations (from 13th September 2024) or the date of termination of the DPO contract.
  • A data controller who fails to appoint a data protection officer in terms of subsection these regulations shall be guilty of an offence and liable to a fine not exceeding level 7 or to imprisonment not exceeding two years or to both such fine and such imprisonment.

Further articles

Space permitting, I promise to write more articles on the salient provisions listed above but not covered in this article.

Conclusion

The Act is relatively new. The regulations are recent. There are deadlines to be met. It is important to consult legal and IT professionals to be compliant. This area also presents career opportunities for IT professionals.

Disclaimer

This simplified article is for general information purposes only and does not constitute the writer’s professional advice.

Godknows (GK) Hofisi, LLB (UNISA), B.Acc (UZ), Hons B.Compt (UNISA), CA(Z), ACCA (Business Valuations) MBA (EBS, Heriot-Watt, UK) is the Managing Partner of Hofisi & Partners Commercial Attorneys, chartered accountant, insolvency practitioner, commercial arbitrator, registered tax accountant and advises on deals and transactions. He has extensive experience from industry and commerce and is a former World Bank staffer in the Resource Management Unit. He sits on the Council of Estate Administrators in Zimbabwe and was recently appointed to the Board of an Engineering company. He writes in his personal capacity. He can be contacted on +263 772 246 900 or ghofisi@hofisilaw.com or gohofisi@gmail.com. Visit www.hofisilaw.com for more articles.

Godknows Hofisi