Zimbabwe has officially ushered in modern data protection reform through Statutory Instrument 155 of 2024, which operationalizes the Cyber and Data Protection Act (Chapter 12:07). These regulations took effect on September 13, 2024, marking a pivotal shift in how personal data is handled across both public and private sectors. The deadline for compliance was March 12/13, 2025, six months from enactment.
Pindula News
News NewsDay
Key Provisions and Regulatory Framework
1. Licensing of Data Controllers
-
Any entity processing personal data for commercial gain or benefit must register as a Data Controller with POTRAZ, Zimbabwe’s designated Data Protection Authority. Reddit+9NewsDay Zimbabwe+9Mondaq+9
-
Licensing fees are tiered based on volume:
-
Tier 1 (50–1,000 records): US $50
-
Tier 2 (1,001–100,000): US $300
-
Tier 3 (100,001–500,000): US $500
-
Tier 4 (500,000+): US $2,500 Mondaq+2MISA Zimbabwe+2Linking Communities News+2
-
2. Appointment of Data Protection Officers (DPOs)
-
Organizations must appoint a certified DPO (through a government-approved training provider).
-
Notify POTRAZ within 90 days of the regulations — effectively by early December 2024. Pindula News
3. Data Security & Breach Notification
-
Controllers must implement robust technical and organizational safeguards.
-
Data breaches must be reported to POTRAZ within 24 hours and to affected individuals within 72 hours. Reddit+12NewsDay Zimbabwe+12Pindula News+12
4. Rights of Data Subjects
-
Individuals have clear rights to access, rectify, and erase their personal data.
-
Processing children’s data requires parental consent and impact assessments. NewsDay Zimbabwe
5. Restrictions on Data Transfers Abroad
-
Any transfer of personal information outside Zimbabwe must be notified to and approved by POTRAZ. GGG
Surprising Scope — Including WhatsApp Groups!
-
The regulations classify WhatsApp group administrators (especially those used for business or community data handling) as potential data controllers.
-
Even non-traditional data processors, like public-facing groups or church registries, are required to comply. MISA Zimbabwe+3Techzim+3Linking Communities News+3
Why It Matters: Costs & Implications
Benefits:
-
Aligns Zimbabwe with international standards like the EU GDPR and AU Malabo Convention. Supports investor confidence and regional integration. Linking Communities News
-
Creates stronger confidence in how organizations manage personal data — particularly in sensitive sectors. Linking Communities NewsMISA Zimbabwe
Challenges:
-
DPO certification costs are steep (~US $1,250), which is burdensome for smaller entities and NGOs. MISA Zimbabwe
-
MISA Zimbabwe has identified risks of politicized licensing, especially considering POTRAZ’s governance structure, potentially affecting independent media or startups. MISA Zimbabwe+1MISA Zimbabwe+1
-
Small grassroots organizations argue that licensing may stifle informal innovation, driving operations underground. Linking Communities News
Timeline for Compliance
| Requirement | Deadline |
|---|---|
| Appoint and notify Data Protection Officer | December 2024 |
| Apply for Data Controller Licence | By March 12/13, 2025 |
Failure to comply can result in significant fines or even imprisonment — up to seven years under certain charges. Pindula News+2GGG+2Mondaq+2Reddit+5MISA Zimbabwe+5Mondaq+5Pindula+1Mondaq+1
What Businesses Must Do Now
-
Determine applicability — assess if they’re “processing personal data” (names, phone numbers, emails, biometrics).
-
Submit Licence Application (Form DP1) and pay the appropriate fee.
-
Appoint a certified DPO and notify the Data Protection Authority (Form DP2).
-
Create or update:
-
Data protection policies
-
Breach response plans
-
Subject rights request handling processes
-
-
Train employees and ensure regular audits of compliance and data access controls.
The Debate: Protector or Regulator?
-
While many businesses welcome clarity and alignment with global norms, critics argue the framework may overregulate — especially for casual entrepreneurs and community organizations. MISA Zimbabwe+4Linking Communities News+4NewsDay Zimbabwe+4NewsDay Zimbabwe+1Pindula News+1Reddit
-
POTRAZ and the government maintain that widespread coverage is necessary to build digital trust and individual rights enforcement, but call for exemptions or regulatory relief for NGOs, schools, and non-commercial entities. MISA ZimbabweGGG
Conclusion: Opening a New Chapter in Data Governance
Zimbabwe’s SI 155 of 2024 marks a major policy step toward safeguarding privacy, aligning with international data standards, and reinforcing digital accountability across all sectors—from corporations to community groups.
Compliance is not optional. Organizations — big and small — need to act quickly to secure licences, appoint DPOs, and embed data protection into their operations. At the same time, onlookers advocate for balancing enforcement with support, especially for grassroots innovation and civil society.
Need help navigating these new data obligations?
We provide compliance support, DPO training, policy design, and privacy impact assessments — tailored for Zimbabwe’s unique regulatory landscape.
