In an increasingly digital world, the protection of personal data and the regulation of cyber activities are crucial for safeguarding individual privacy and maintaining trust in technology. Zimbabwe’s Statutory Instrument (SI) 155 of 2024, the Cyber and Data Protection Licensing Regulations, was promulgated on the 13th of September 2024, outlining a framework for the appointment of Data Protection Officers. This statutory instrument represents a significant step in strengthening the legal and regulatory framework for data protection and cybersecurity in Zimbabwe, following the enactment of the Cyber and Data Protection Act [Chapter 12:07], which came into effect on the 11th of March 2022.
The primary objective of SI 155 of 2024 is to create a structured and comprehensive regime for licensing entities engaged in cyber and data protection activities. It sets forth essential standards for the management and protection of personal data, ensuring compliance with existing data protection laws.
The regulations apply to all entities operating in Zimbabwe that handle personal data, including but not limited to businesses, government agencies, financial institutions, banks, pension funds and universities. They cover the licensing requirements for data protection service providers and the appointment and responsibilities of Data Protection Officers (DPOs).
Entities that offer data protection services, such as data processing, storage, or cybersecurity solutions, must obtain a license under these regulations from the Data Protection Authority. This ensures that these entities meet prescribed standards and operate within a regulated framework.
Organizations seeking to be licensed must submit detailed applications to the Data Protection Authority. This typically includes information about their data protection practices, technical and organizational measures, and compliance mechanisms.
Licensed entities are required to adhere to specific standards, which may include implementing robust data protection policies, conducting regular audits, and ensuring the security of data processing systems.
This includes implementing best practices for handling personal information, which is vital in an era where data breaches are increasingly common.
Any person who processes personal data with the intention to decide the means, purpose or outcome of the processing, collect personal data, or obtain commercial gain must apply for a data controller license from the Data Protection Authority (DPA). Data controllers will be categorized into four tiers based on the number of data subjects they process information for, with varying license fees.
Data controllers must appoint a DPO and notify the DPA (POTRAZ) within 90 days of the regulations coming into effect or the termination of the previous DPO’s contract.
DPOs must have relevant qualifications and experience in areas such as data science, information security, law, or audit, and must undergo a certification course approved by the DPA.
SI 155 of 2024 outlines the role of Data Protection Officers (DPOs) in organizations. DPOs are responsible for overseeing data protection practices, ensuring compliance with relevant laws and regulations, and serving as a point of contact for data subjects and regulatory authorities.
Data controllers must implement appropriate technical and organisational measures to ensure the security, confidentiality, and integrity of personal data.
Further, data breaches must be reported to the DPA within 24 hours, and affected data subjects must be informed within 72 hours if the breach poses a high risk to their rights and freedoms.
The regulations establish mechanisms for monitoring compliance with licensing requirements and data protection standards.
Non-compliance with SI 155 of 2024 can result in various penalties, including fines, suspension, or revocation of licenses. Organizations and individuals found in violation of the regulations may face legal actions and sanctions. Failure to comply with the regulations can result in fines of up to level 11 (approximately $5,000) or imprisonment for up to seven years, or both.
The introduction of SI 155 of 2024 will have a significant impact on organizations handling personal data. They must align their data protection practices with the new regulations, appoint qualified DPOs, and obtain the necessary licenses to operate legally.
Organisations will be given a specified timeline to comply with the new regulations. During this period, they must take the necessary steps to ensure compliance, including applying for licenses and appointing DPOs.
SI 155 of 2024 should be seen in conjunction with other data protection and cybersecurity laws in Zimbabwe. It aims to harmonize with existing legal frameworks to create a cohesive and comprehensive approach to data protection.
In summary, Statutory Instrument 155 of 2024 establishes a regulatory framework for licensing data protection entities and appointing Data Protection Officers in Zimbabwe. It aims to enhance data protection practices, ensure compliance with legal standards, and protect personal data in the digital age. Organizations operating in Zimbabwe will need to align their practices with these new regulations to ensure compliance and avoid penalties.
--
Read the original publication at Muvingi Mugadza