Zimbabwe: An overview of the Draft for the Cyber and Data Protection Regulations
The Minister of Information and Communications Technologies published a new Draft for the Cyber and Data Protection Regulations, 2022 ('the Draft') in November 2022. Melody Musoni, an independent privacy professional, provides an overview of the Draft, with a specific look at licensing and registration of data controllers and how organisations can prepare.
Overview of the Draft
There are five parts to the Draft: Part I deals with the licensing and registration of data controllers; Part II deals with the appointment of data protection officers ('DPOs'); Part III deals with the requirements for processing; Part IV deals with codes of conduct; and Part V deals with security. There are also four template forms which can be used by data controllers: Form DP1 (data controller self-assessment); Form DP2 (data controller application); Form DP3 (DPO designation/appointment notification); and Form DP4 (breach notification).
Licensing and registration of data controllers
A data protection licence can be applied for by a data controller or joint data controllers. To be eligible for a data protection licence, a data controller must carry out a self-assessment in terms of the licensing eligibility tool available on the Postal and Telecommunications Regulatory Authority of Zimbabwe's ('POTRAZ') website and Form DP1 contained in the Draft. The wording of the Draft and Form DP1 indicates that a data processor can also conduct a self-assessment and apply for a licence. Part II of Form DP1 is the application form which can be completed by the data controller or data processor. Upon registration, POTRAZ shall maintain a register of licensed data controllers.
Data controllers eligible for licensing apply for the licence using Form DP2, contained in Part II of the First Schedule of the Draft, and pay the applicable application or renewal fee specified in the Second Schedule. The licence fee is paid on registration and the renewal fee annually thereafter. The tier, and therefore the fee payable, is determined by either of two measures: the number of employees or the annual gross turnover.
The Draft provides for different categories of licences.
- The Tier 1 licence is for organisations with a maximum of 50 employees or an annual gross turnover of $500,000 or more. The application/renewal licence fee is $200.
- The Tier 2 licence is for small to medium-sized enterprises or joint controllers with between 50 and 75 employees, or an annual gross turnover of at least $1 million. The application/renewal licence fee is $400.
- The Tier 3 licence is for large enterprises or joint controllers with 76 or more employees, or an annual gross turnover of more than $1 million. The application/renewal licence fee is $600.
- The fourth category is a special data protection licence, issued to public authorities, statutory bodies, and religious organisations. The application/renewal licence fee is $100.
- The last category is data controllers who are exempt from licensing. A data controller is exempt from applying for a data protection licence if it is carrying out judicial functions, not-for-profit purposes, or personal, family, or household affairs.
DPOs
The Draft provides for three instances in which a data controller must appoint a DPO. First, a public authority or public body carrying out processing activities must appoint a DPO. Secondly, if the core activities of a data controller or data processor consist of processing operations that require regular and systematic monitoring of more than 3,000 data subjects, a DPO must be appointed. Thirdly, if the core activities of the data controller or data processor consist of processing special categories of data, or personal data relating to criminal convictions and offences, and the processing operations cover more than 1,000 people, a DPO must be appointed. The data controller must notify POTRAZ of the appointment of the DPO, either by completing an online form or by completing and submitting Form DP3, which is attached to the Draft. In addition, the details of the DPO must be published on the data controller's website, in widely read newspapers, or on prominent notice boards so that members of the public are informed. If a DPO is dismissed or resigns, the data controller must notify POTRAZ within 14 days. Once the Draft is promulgated, data controllers that require a DPO must ensure that one is appointed within six months.
The Draft stipulates the duties, as well as the qualifications, of DPOs. The duties of the DPO include ensuring the data controller's compliance with the provisions of the Cyber and Data Protection Act ('the Act'), dealing with requests made to the data controller by POTRAZ, monitoring compliance with the Act and other data protection laws and with organisational data protection policies (including managing internal data protection activities), raising awareness of data protection issues, training staff, and conducting internal audits. The required skills of a DPO include expertise in national data protection laws and practices, an in-depth understanding of the Act, knowledge of the processing activities in their organisation, and IT and data security expertise.
Unlike other jurisdictions, the Draft requires a DPO to undergo a certification course. The course may be offered or approved by POTRAZ, or by institutions appointed or designated by POTRAZ (such as National Training Institutions) within three months of the Draft coming into effect. The DPO must also renew the certification once a year, which is intended to ensure that appointed DPOs remain trained and equipped to carry out their duties within an organisation.
Legitimate Interest Assessments
The Draft also provides guidelines for conducting a Legitimate Interest Assessment ('LIA') where the data controller relies on legitimate interests as the basis for processing personal data. First, the data controller must identify the specific legitimate interest, such as organisational interests, interests of third parties, commercial interests, individual interests, or a broader societal benefit. Secondly, the data controller must show that the processing is necessary and that there is no less intrusive way to achieve the same result. Thirdly, the data controller must balance its legitimate interests against the individual's interests, rights, and freedoms. If the data subject would not reasonably expect the processing, or if the processing would cause unjustified harm, the individual's interests may override the data controller's legitimate interests. The Draft also makes it clear that the data controller must include details of its legitimate interests in its privacy policy.
Codes of conduct
The Draft also provides for the approval of codes of conduct by POTRAZ. A code of conduct should reflect the specific needs of controllers and processors within a particular sector. Before POTRAZ can approve a code, it must ascertain whether the code complies with the Act, the code owner's ability to represent the controllers or processors covered by the code, the processing operations the code covers, the categories of controllers or processors it applies to, and the data protection issues it intends to address. POTRAZ will also need to see whether stakeholder consultations took place and what their outcomes were. In addition, POTRAZ may seek the views of affected data subjects or their representatives. POTRAZ will maintain a register of all approved codes.
Security
The Draft also contains provisions dealing with security and security breaches. In the event of a personal data breach, a data controller is required to report it to POTRAZ within 24 hours of becoming aware of the breach. This 24-hour window is narrow compared with other jurisdictions, where data controllers have up to 72 hours, or a reasonable period after becoming aware of the breach, to report. The Draft contains Form DP4 (data breach notification form), which the data controller must complete and submit. The information required in Form DP4 includes the contact details of the data controller or processor, the contact details of their DPO, the date of the breach, the date the breach was identified, the information systems that were breached, the personal data affected, the likely impact of the breach, and the steps taken or to be taken to address it. In practice, meeting a 24-hour deadline means the clock starts at detection, not at the end of the investigation: the initial DP4 will necessarily be filed with incomplete facts, so internal procedures should record what was known at the time of filing and provide for follow-up notifications as the investigation progresses.
The Draft also requires a data controller to inform affected individuals if the breach is likely to result in a high risk to their rights and freedoms. There is no set time limit for notifying individuals, but it must be done without undue delay.
To ensure proper compliance with the Act, a data controller must have in place internal procedures and processes for detecting, investigating, and reporting data breaches, as well as for keeping records of breaches. The Draft also emphasises the importance of appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of the data controller's systems and services and of the personal data being processed. Developing and implementing organisational policies is one of the measures specifically mentioned in the Draft, meaning that a data controller should ensure that appropriate privacy policies, information security policies, and other relevant policies, such as those on records management, are adopted and implemented. Conducting risk analysis and implementing pseudonymisation and encryption are among the technical measures a data controller or processor is required to adopt.
Conclusion
Compliance with the Draft should be relatively straightforward for businesses operating, or intending to operate, in Zimbabwe, since the Act and the Draft align with most data protection laws around the world. Entities and organisations in similar industries, professions, or sectors, such as the banking sector, the telecommunications sector, and credit bureaux, may in the interim begin preparatory work on their codes of conduct while waiting for the effective date of the Draft. Businesses can also conduct the self-assessment to check which tier they fall under and whether they are required to appoint a DPO. It is very important that the position of DPO is filled by someone who meets the requirements set out in the Draft. For multinational entities with subsidiaries in Zimbabwe, a group DPO may be sufficient to act as DPO for the Zimbabwean operations, because there is no requirement for a DPO to be physically based in Zimbabwe. Nor is there any prohibition on outsourcing the functions of a DPO to someone who is not an employee of the organisation. While the Draft is silent on the appointment of deputy DPOs, such appointments are recommended, especially where there are high-risk processing activities.
Businesses also need to prepare for the additional cost of complying with the Draft. Registration fees, renewal fees, and certification and training fees are costs that need to be included in a business's or organisation's budget.
The efforts made by the Government of Zimbabwe to ensure effective enforcement of, and compliance with, the national data protection laws are commendable. The requirement that data controllers and data processors pay application and renewal fees ensures that POTRAZ has sufficient funds to carry out its duties under the Act. Apart from licensing fees from data controllers, POTRAZ will also generate revenue through training and accreditation fees: the Draft provides that no person may provide certification training for the purposes of the Act and the Draft unless accredited by POTRAZ and having paid the fees set out in the Second Schedule.
Melody Musoni Independent Privacy Professional