Understanding SI 155 of 2024: New Regulations on Data Protection Licensing and Data Protection Officers in Zimbabwe

In an increasingly digital world, the protection of personal data and the regulation of cyber activities are crucial for safeguarding individual privacy and maintaining trust in technology. Zimbabwe’s Statutory Instrument (SI) 155 of 2024 Cyber and Data Protection Licensing Regulations was promulgated on the 13th September 2024 outlining a framework for the appointment of Data Protection Officers. This statutory instrument represents a significant step in strengthening the legal and regulatory framework for data protection and cybersecurity in Zimbabwe following the enactment of the Cyber and Data Protection Act [Chapter 12:07] which came into effect on the 11th of March 2022.

​​

Purpose and Scope of the Cyber and Data Protection Licensing Regulations

Purpose:

The primary objective of SI 155 of 2024 is to create a structured and comprehensive regime for licensing entities engaged in cyber and data protection activities. It sets forth essential standards for the management and protection of personal data, ensuring compliance with existing data protection laws.

Scope:

The regulations apply to all entities operating in Zimbabwe that handle personal data, including but not limited to businesses, government agencies, financial institutions, banks, pension funds and universities. It covers the licensing requirements for data protection service providers and the appointment and responsibilities of Data Protection Officers (DPOs).

Licensing Requirements

Entities Requiring Licenses:

Entities that offer data protection services, such as data processing, storage, or cybersecurity solutions, must obtain a license under these regulations from the Data Protection Authority. This ensures that these entities meet prescribed standards and operate within a regulated framework.

Application Process:

Organizations seeking to be licensed must submit detailed applications to the Data Protection Authority. This typically includes information about their data protection practices, technical and organizational measures, and compliance mechanisms.

Compliance Standards:

Licensed entities are required to adhere to specific standards, which may include implementing robust data protection policies, conducting regular audits, and ensuring the security of data processing systems.

Data Management Protocols:

Implementing best practices for handling personal information, which is vital in an era where data breaches are increasingly common.

Licensing of Data Controllers:

Any person who processes personal data with the intention to decide the means, purpose or outcome of the processing, collect personal data, or obtain commercial gain must apply for a data controller license from the Data Protection Authority (DPA). Data controllers will be categorized into four tiers based on the number of data subjects they process information for, with varying license fees.


Appointment of Data Protection Officers (DPOs)

Data controllers must appoint a DPO and notify the DPA (POTRAZ) within 90 days of the regulations coming into effect or the termination of the previous DPO’s contract.

DPOs must have relevant qualifications and experience in areas such as data science, information security, law, or audit, and must undergo a certification course approved by the DPA

Role and Responsibilities:

SI 155 of 2024 outlines the role of Data Protection Officers (DPOs) in organizations. DPOs are responsible for overseeing data protection practices, ensuring compliance with relevant laws and regulations, and serving as a point of contact for data subjects and regulatory authorities.

Appointment Criteria:

  • Qualifications: DPOs must possess relevant qualifications and experience in data protection and cybersecurity. This ensures that they have the expertise to effectively manage data protection issues.
  • Independence: DPOs should operate independently within the organization, free from conflicts of interest, to maintain the integrity of their role.
  • Reporting Structure: DPOs typically report directly to the highest level of management to ensure that data protection issues are given appropriate attention and resources.

Data Security and Breach Notification:

Data controllers must implement appropriate technical and organisational measures to ensure the security, confidentiality, and integrity of personal data.

Further, data breaches must be reported to the DPA within 24 hours, and affected data subjects must be informed within 72 hours if the breach poses a high risk to their rights and freedoms.



Compliance and Enforcement

Monitoring and Audits:

The regulations establish mechanisms for monitoring compliance with licensing requirements and data protection standards.

Penalties for Non-Compliance and Sanctions:

Non-compliance with SI 155 of 2024 can result in various penalties, including fines, suspension, or revocation of licenses. Organizations and individuals found in violation of the regulations may face legal actions and sanctions.-explain further. Failure to comply with the regulations can result in fines of up to level 11 (approximately $5,000) or imprisonment for up to seven years, or both.

Impact and Implementation

Impact on Organizations:

The introduction of SI 155 of 2024 will have a significant impact on organizations handling personal data. They must align their data protection practices with the new regulations, appoint qualified DPOs, and obtain the necessary licenses to operate legally.

Implementation Timeline:

Organisations will be given a specified timeline to comply with the new regulations. During this period, they must take the necessary steps to ensure compliance, including applying for licenses and appointing DPOs.


Relationship with Other Regulations

Harmonization with Existing Laws:

SI 155 of 2024 should be seen in conjunction with other data protection and cybersecurity laws in Zimbabwe. It aims to harmonize with existing legal frameworks to create a cohesive and comprehensive approach to data protection.

In summary, Statutory Instrument 155 of 2024 establishes a regulatory framework for licensing data protection entities and appointing Data Protection Officers in Zimbabwe. It aims to enhance data protection practices, ensure compliance with legal standards, and protect personal data in the digital age. Organizations operating in Zimbabwe will need to align their practices with these new regulations to ensure compliance and avoid penalties.

--

Read the original publication at Muvingi Mugadza