POTRAZ plots crackdown on firms

…CEOs face up to seven years in jail

PHILLIMON MHLANGA

 

The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is preparing to intensify enforcement against companies failing to comply with the country’s Data Protection Act, with large-scale audits expected to begin in the fourth quarter of 2026, Business Times can reveal.

 

The regulator has warned that company executives, including chief executive officers, could face criminal penalties, including imprisonment of up to seven years, for breaching provisions of the Cyber and Data Protection Act [Chapter 12:07].

 

Speaking to Business Times, POTRAZ Director for Data Protection, Tsitsi Mariwo, said the regulator had spent the past three years focusing on awareness campaigns, training and voluntary compliance, but would soon adopt a tougher enforcement approach.

 

“At the moment our approach is to ask institutions for compliance. However, from the 4th quarter, our approach is that we are going to enforce compliance, intensify audits,” Mariwo told Business Times, a market leader in business, financial and economic reportage.

 

“We are giving businesses, the public sector and non-governmental organisations an opportunity to clean up and put their houses in order. We have been using a carrot for the past three years, but in the fourth quarter of 2026, we will intensify audits.”

 

The warning targets all organisations handling databases containing personal information for more than 50 individuals, particularly those processing commercially sensitive or personally identifiable information.

 

Under Section 4 of the Cyber and Data Protection Regulations, Statutory Instrument 155 of 2024, all entities processing personal data for commercial purposes are required to apply for a Data Controller licence through Form DP1.

 

Licences are valid for 12 months and must be renewed at least three months before expiry.

 

The regulations also compel organisations to appoint Data Protection Officers (DPOs), who are responsible for ensuring compliance with the Act, conducting staff training, overseeing internal audits and managing data protection impact assessments.

 

DPOs are also tasked with monitoring adherence to data protection laws, coordinating data breach reporting requirements, acting as contact persons between organisations and the Data Protection Authority, and implementing policies that meet regulatory standards.

 

Mariwo said POTRAZ had already trained nearly 1,200 Data Protection Officers to build the skills base required for implementation of the law.

 

“We have trained close to 1,200 Data Protection Officers and we believe we now have the critical mass of skills needed to assist with implementation of this Act so that the desired goals of the National Development Strategy 1 and National Development Strategy 2, a secure and safe digital ecosystem, are realised,” she said.

 

Mariwo said the law applies to any institution processing personally identifiable information, including names, national identity numbers, IP addresses, banking and financial records, political opinions, and religious affiliations.

 

“If you are processing any of the listed categories of information, then you are required to obtain a licence from POTRAZ,” she said.

 

“You must ensure that you have a designated Data Protection Officer. If you do not have one internally, you can outsource because we now have about 1,200 trained professionals in the market who can serve as part-time DPOs while organisations build internal capacity.”

 

POTRAZ, which is designated as Zimbabwe’s Data Protection Authority under Section 5 of the Act, has powers to conduct compliance audits and investigations, issue warnings and directives, and initiate criminal proceedings against offenders.

 

Mariwo said the law currently provides for criminal sanctions against non-compliant institutions and their executives.

 

“There is also a jail term attached to it for the CEO because that is the accountable person,” she said.

 

“That is up to seven years. For now, if you do not comply, criminal sanctions will apply. We are pushing for administrative sanctions, but they are not yet in place.”

 

Under the legislation, CEOs and accountable officers may face fines not exceeding Level 7 or imprisonment for a period of up to seven years if found guilty of violating provisions of the Act.
