Zimbabwe: Cyber and Data Protection Regulations on data controllers and DPOs 2024 published

On September 13, 2024, the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations 2024 were published. Among other things, the Regulations establish requirements for licensing data controllers, appointing data protection officers (DPOs), and implementing data security measures.

What are the key requirements?

Under the Regulations, entities processing personal data for commercial or organizational purposes must obtain a data controller license. Entities already processing data before the Regulations' promulgation must apply for a license within six months. Data controllers processing personal data for certain purposes, such as law enforcement, personal affairs, journalistic, or archival purposes, are exempted by the Regulations from the requirement to apply for a data controller license.

Additionally, the Regulations require data controllers to:

  • appoint a DPO and notify the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) within 90 days of the promulgation of the Regulations or after a DPO's contract termination;
  • comply with data protection principles, including data minimization, accuracy, and accountability;
  • safeguard children's data, process data responsibly, and facilitate the exercise of data subject rights;
  • report data breaches to POTRAZ within 24 hours of becoming aware of the incident and, if the breach is likely to result in a high risk to individuals' rights and freedoms, inform the affected data subject within 72 hours.

Under the Regulations, data controllers and processors must also adopt technical and organizational measures to ensure the confidentiality, integrity, and availability of personal data.

Entities that breach the Regulations' requirements may face penalties, including fines, imprisonment for up to seven years, or both, depending on the offense.

You can read the Regulations here.