Implementation of the Data Protection Act: Are you compliant?

The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) this past Sunday issued Public Notice 1 of 2022 advising on the implementation of the Data Protection Act, Chapter 11:12.

According to the notice, all data controllers or processors who hold or process personal information for individuals, and who have in their possession personal information for more than 30 people, are now required to register with the authority.

A data controller is defined as any entity or body that holds or processes data for living persons. That includes businesses of all categories, clubs, associations, NGOs and CSOs.

Most marketers automatically fall into this category as custodians of personal contact information for individuals. This data is often processed into demographics for audience groupings.

Compliance checklist

1. Notify POTRAZ that the organization or individual holds or processes data for more than 30 individuals.

2. State the purpose for which the data is collected and processed.

3. Appoint a Data Protection Officer whose qualifications must be a minimum of A Levels.

4. Provide POTRAZ with the officer's name and contact details.

5. Where data collection and processing is done through a third-party entity, that organisation's legal status must be provided. Presumably that means the organisation's registration paperwork is needed.

6. The third-party organization's physical address must be backed by proof of residence in the form of a telephone, rates or electricity bill.

What else you should know

· The laws apply uniformly in the digital and physical spaces.

· Compliance with all other relevant laws is mandatory and must be proved at any time that POTRAZ may so require.

· Data breaches must be reported to POTRAZ by email: [email protected]

· Processing or sharing personal information of individuals without the individuals' express consent is a prosecutable offence.

· Members of the public whose data has been processed or shared without their consent should report directly to POTRAZ.

Conclusion

The purpose of the Data Protection Act is to ensure that data controllers do not take the information that individuals have given them for an express purpose and pass it on to third parties or misuse it in any other way.

The requirements are not complex and there is really no reason for any organization not to be compliant.

It should also be noted that it is the responsibility of the organization to update POTRAZ records when necessary, such as when a data officer leaves the organization or the job is reassigned to a new person.
