Data science vs Data protection in Zimbabwe: Striking a balance for business advancement

TINAYE MAKONI

In Zimbabwe’s dynamic business environment where data science is gradually taking center stage, companies must navigate the fine line between leveraging data to drive innovation and safeguarding citizens’ rights under the Cyber and Data Protection Act.

This article discusses the challenges and opportunities that come with integrating data science into business operations in Zimbabwe.

It emphasizes the need to align technological advancements with ethical considerations, legal frameworks, and the consequences faced by data controllers for non-compliance.

Understanding Key Terms: Data, PII, and data subject

Before exploring the intricacies of data science and data protection, let’s define key terms. The full definitions are found in section 3 of the Act. Data encompasses any information collected, processed, or stored by organizations, ranging from customer preferences to operational metrics. Personally Identifiable Information (PII) includes data that can identify an individual, such as names, addresses, or contact details.

The Data Subject is the individual to whom the PII relates, and whose rights are safeguarded under data protection regulations. Data Controller refers to an individual or entity that determines the purpose or means of processing the data.

Need for consent to process personal and sensitive information

One fundamental principle of data protection is obtaining consent from individuals before processing their personal and sensitive information. While data science thrives on large datasets, companies in Zimbabwe must prioritize obtaining explicit consent from data subjects. This not only ensures compliance with the Act but also establishes a foundation of trust between businesses and their customers.

Other principles, rights, and notification

In adherence to data protection principles, data controllers and processors must uphold key tenets such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.

Data subjects are endowed with specific rights, including the right to access their data, rectify inaccuracies, object to processing, and request erasure. Controllers are obligated to provide clear information about data processing to data subjects.

In the event of a data breach, controllers must report the incident within 24 hours, as outlined in section 19, to the Data Protection Authority, which is the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ). The controller should also ensure that affected data subjects are duly informed of any compromise to their data.

Offences and penalties for data controllers

The Cyber and Data Protection Act outlines severe penalties for data controllers who contravene its provisions. Offences include processing sensitive information without consent from the data subject (section 11), failing in the controller's duty to process data fairly, lawfully, and with respect for the right to privacy (section 13), and not providing sufficient guarantees regarding the technical and organizational security measures employed to protect the processed data (section 18(4) and section 28). The penalties for such contraventions include a level seven fine or imprisonment for a period not exceeding 7 years.

Data science and cross-border transfers under the Cyber and Data Protection Act

Data science involves using third-party tools and services to process big data effectively, at scale and with speed. Most of these tools are not developed or hosted locally, which makes it necessary to use cloud services whose data centers are outside the country. For start-ups, it would be virtually impossible to fund the CAPEX required to set up all the tools required. However, the Cyber and Data Protection Act provides a framework (sections 28 and 29) for the transfer of personal information outside Zimbabwe, outlined as follows.

A data controller in Zimbabwe cannot transfer someone’s personal information to a foreign country unless there is a proper level of protection for that information in the recipient country. The transfer should only happen if it’s necessary for tasks the data controller is responsible for. The level of protection in the foreign country must be evaluated considering various factors, such as the type of data, the purpose and duration of the data processing, the laws related to data protection in the foreign country, and the security measures followed there.

The regulator of a specific industry, for example the RBZ for banks and IPEC for insurance, or POTRAZ at the helm, will specify the types of data processing operations and situations where transferring data outside Zimbabwe is not allowed.

The Minister in charge of Cybersecurity, in consultation with another Minister, can provide instructions on how to follow these rules when transferring personal information out of Zimbabwe.

In some instances, regulators may prohibit the processing and storage of information outside Zimbabwe, adding a layer of complexity to the integration of data science into business operations. For example, it is difficult to convince banks and other lending institutions to use applications that are deployed in the cloud where the data centers are outside Zimbabwe although they are developed by Zimbabweans.

Balancing cloud computing benefits and data protection

Cloud providers like AWS take on the undifferentiated heavy lifting, providing virtually unlimited storage and computing capacity. Renting computers from cloud services allows businesses to avoid substantial capital expenditure on acquiring and maintaining servers. Where the regulation explicitly prohibits storage of information outside Zimbabwe, companies can leverage the benefits of cloud computing while ensuring compliance with the regulations by adopting hybrid mechanisms. This involves storing the data on-premises and, before processing it in the cloud, stripping the PII or anonymizing the data. This not only reduces the risk of data breaches but also aligns with the principle of data minimization, keeping the companies compliant with data protection regulations without giving up the advantages of cloud computing.
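The hybrid approach described above, as an added Python example that is not part of the original article: direct identifiers are dropped, the national ID is replaced by a keyed token whose key stays on-premises, and the date of birth is generalised to an age band before a record leaves for the cloud. The field names, the key and the sample record are constructed assumptions, and a keyed token is pseudonymisation rather than full anonymisation, because whoever holds the key and lookup table can re-link the record.

```python
import hashlib
import hmac
from datetime import date

# Assumption: this key is generated and stored on-premises only.
ON_PREM_KEY = b"constructed-demo-key-keep-on-premises"

# Hypothetical field names; these are removed outright before upload.
DIRECT_IDENTIFIERS = {"full_name", "phone", "address", "email"}


def pseudonym(value: str, key: bytes = ON_PREM_KEY) -> str:
    """Keyed token: stable for joins, not recomputable without the key."""
    normalised = value.strip().upper().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:24]


def age_band(dob: date, today: date, width: int = 10) -> str:
    """Generalise a date of birth to a coarse band."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def prepare_for_cloud(record: dict, today: date) -> tuple[dict, dict]:
    """Return (record safe to upload, lookup row that stays on-premises)."""
    token = pseudonym(record["national_id"])
    removed = DIRECT_IDENTIFIERS | {"national_id", "date_of_birth"}
    cloud = {k: v for k, v in record.items() if k not in removed}
    cloud["subject_token"] = token
    cloud["age_band"] = age_band(record["date_of_birth"], today)
    lookup = {"subject_token": token, "national_id": record["national_id"]}
    return cloud, lookup


# Constructed sample record (not real data).
SAMPLE = {
    "national_id": "00-000000a00",
    "full_name": "Example Person",
    "phone": "+263 00 000 0000",
    "date_of_birth": date(1990, 6, 15),
    "loan_amount": 1200,
    "months_in_arrears": 2,
}

if __name__ == "__main__":
    cloud_row, lookup_row = prepare_for_cloud(SAMPLE, date(2024, 1, 1))
    print(cloud_row)
```

Results computed in the cloud come back keyed by `subject_token` and are re-joined to customers using the lookup table held on-premises.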

Regional specificity in data protection

Certain regulations are developed with the infrastructure and capacity of developed countries in mind, where high-performance computing and extensive resources are more readily available. For example, GDPR covers the entire European region, providing a big market where companies implementing data science can find diverse resources spread across multiple countries. This contrasts with Zimbabwe’s situation, where the regulatory territory is confined to the country itself. As a developing nation, Zimbabwe may lack the robust infrastructure needed to fully support the demands of data science. The discrepancy in market size and available resources underscores the unique challenges faced by developing countries like Zimbabwe in establishing comprehensive data science infrastructure. Considering these challenges, I would urge the Authority to be more lenient with regulations in Zimbabwe, taking cognizance of the fact that we are a developing nation, and overly strict regulations may inadvertently impede the speed of innovation.

An effective approach to balancing data science and data protection is to specify storage and processing requirements within a regional context, for instance by allowing storage or processing of personal information of Zimbabweans within the Southern African Development Community (SADC) region. This provides a pragmatic compromise, acknowledging the limitations of big cloud providers setting up data centers in every country, especially smaller markets.

Policy considerations and industry consultations

To prevent unintended consequences and foster a regulatory environment conducive to technological advancement, policymakers must actively consult with industry players. It is crucial for policymakers to understand the nuances of data science applications and their impact on businesses. Zimbabwe should not merely replicate regulations from developed countries but tailor them to its unique socio-economic context.

Industry collaboration and advocacy

Data science organizations and companies utilizing data science can collaborate to form lobby groups that advocate for favorable regulations without compromising the rights of data subjects. These advocacy groups can work in tandem with policymakers to strike a balance between promoting innovation and safeguarding individuals’ privacy.

Conclusion

The integration of data science into businesses in Zimbabwe requires a delicate balance between technological innovation, data protection, and adherence to legal frameworks. By prioritizing explicit consent, adhering to sector-specific regulations, adopting hybrid cloud solutions, and actively engaging with policymakers, companies can harness the transformative power of data science while upholding the rights of data subjects. In doing so, Zimbabwe can pave the way for a data-driven future that is both progressive and ethically sound, while also fostering an environment where startups can emerge and thrive in a cost-effective manner.

 
