Potraz plots crackdown on firms

by Staff reporter
THE Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is preparing to intensify enforcement against organisations failing to comply with the country's Cyber and Data Protection laws, with large-scale compliance audits expected to begin in the fourth quarter of 2026.

The regulator has warned that company executives, including chief executive officers, could face criminal penalties – including imprisonment of up to seven years – for breaching provisions of the Cyber and Data Protection Act [Chapter 12:07].

Speaking on the upcoming enforcement measures, POTRAZ Director for Data Protection Ms Tsitsi Mariwo said the authority had spent the past three years prioritising awareness campaigns, training programmes and voluntary compliance, but would now move towards stricter enforcement.

"At the moment our approach is to ask institutions for compliance. However, from the fourth quarter, our approach is that we are going to enforce compliance and intensify audits," said Ms Mariwo.

"We are giving businesses, the public sector and non-governmental organisations an opportunity to clean up and put their houses in order. We have been using a carrot for the past three years, but in the fourth quarter of 2026, we will intensify audits."

The planned crackdown targets all organisations handling personal information relating to more than 50 individuals, particularly institutions processing commercially sensitive or personally identifiable data.

Under Section 4 of the Cyber and Data Protection Regulations, Statutory Instrument 155 of 2024, all entities processing personal data for commercial purposes are required to obtain a Data Controller licence through Form DP1.

The licences are valid for 12 months and must be renewed at least three months before expiry.

The regulations also require organisations to appoint Data Protection Officers (DPOs), who are responsible for ensuring compliance with the law, conducting staff training, overseeing internal audits and managing data protection impact assessments.

DPOs are further tasked with monitoring adherence to data protection laws, coordinating data breach reporting, acting as liaison officers between organisations and the Data Protection Authority, and implementing policies that meet regulatory standards.

Ms Mariwo said POTRAZ had already trained close to 1 200 Data Protection Officers to strengthen the country's compliance capacity.

"We have trained close to 1 200 Data Protection Officers and we believe we now have the critical mass of skills needed to assist with implementation of this Act so that the desired goals of the National Development Strategy 1 and National Development Strategy 2 – a secure and safe digital ecosystem – are realised," she said.

She explained that the law applies broadly to any institution processing personally identifiable information, including names, national identity numbers, IP addresses, banking and financial records, political opinions and religious affiliations.

"If you are processing any of the listed categories of information, then you are required to obtain a licence from POTRAZ," she said.

"You must ensure that you have a designated Data Protection Officer. If you do not have one internally, you can outsource because we now have about 1 200 trained professionals in the market who can serve as part-time DPOs while organisations build internal capacity."

POTRAZ, which serves as Zimbabwe's designated Data Protection Authority under Section 5 of the Act, has powers to conduct compliance audits and investigations, issue directives and warnings, and initiate criminal proceedings against offenders.

Ms Mariwo warned that the legislation currently provides for criminal sanctions against both institutions and accountable executives who fail to comply.

"There is also a jail term attached to it for the CEO because that is the accountable person," she said.

"That is up to seven years. For now, if you do not comply, criminal sanctions will apply. We are pushing for administrative sanctions, but they are not yet in place."

Under the law, CEOs and accountable officers may face fines not exceeding Level 7 or imprisonment of up to seven years if convicted of violating provisions of the Act.

Source - Business Times