Source: POTRAZ cracks down on data protection compliance – herald
Ivan Zhakata
Herald Correspondent
THE Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has intensified enforcement of the country’s data protection laws, with 880 data controllers licensed as of December 2025, signalling growing compliance with the Cyber and Data Protection Act (Chapter 12:07).
Speaking on progress made since the enactment of the law, POTRAZ director-general Dr Gift Machengete said the legislation marked a turning point in how Zimbabwe governed personal data in an increasingly digital economy.
“The Cyber and Data Protection Act signalled Zimbabwe’s commitment to ensuring that the processing of personal data is lawful, secure and respectful of the rights of data subjects, while at the same time enabling innovation and digital transformation,” he said.
POTRAZ is the designated Data Protection Authority under the Act, which came into force in 2021.
The regulatory framework was strengthened further with the promulgation of the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (Statutory Instrument 155 of 2024).
The regulations compel organisations that process personal data to register and obtain licences, as well as appoint certified Data Protection Officers (DPOs), with full compliance expected by March 2025.
Dr Machengete said the number of licensed data controllers showed that organisations were increasingly taking their legal obligations seriously.
“The licensing of 880 data controllers is a clear indication that organisations are beginning to take data protection obligations seriously,” he said.
To improve efficiency and transparency, POTRAZ is also piloting an electronic licensing system, which is currently being tested by a selected group of data controllers.
“This digital approach is about efficiency, transparency and accessibility. We want compliance to be robust, but also practical,” Dr Machengete said.
Beyond regulation, POTRAZ has invested heavily in capacity building and awareness. Through a partnership with the Harare Institute of Technology (HIT), the Authority has trained 1 026 Data Protection Officers, with participants drawn not only from Zimbabwe but also from Malawi, Eswatini and Botswana.
“Data protection is ultimately about people. By equipping DPOs with the right knowledge and practical skills, we are embedding a culture of privacy and cybersecurity across sectors and borders,” said Dr Machengete.
The authority has also rolled out more than 50 nationwide awareness campaigns since 2023, targeting schools, communities, businesses and public institutions across all ten provinces.
“These engagements demystify data protection. They empower citizens to understand their rights, and organisations to understand their responsibilities,” he said.
In addition, POTRAZ has conducted 46 in-house training sessions for executives and managers from sectors such as health, education, NGOs, parastatals and constitutional commissions to translate legal requirements into operational compliance.
“Compliance must be operational, not theoretical,” Dr Machengete said.
Despite the progress, POTRAZ has acknowledged ongoing challenges, particularly gaps in the appointment of qualified DPOs and the failure by some organisations to register as data controllers.
“These gaps undermine the effectiveness of the framework. That is why enforcement, guidance and training must move hand in hand,” said Dr Machengete.
He said POTRAZ was working with key stakeholders to introduce new regulations providing for civil sanctions against non-compliant entities as Zimbabwe seeks to strengthen protection of personal data.
“Data protection is not a destination; it is a continuous process. As technology advances, the rights and trust of Zimbabwean citizens must advance with it,” Dr Machengete said.
COMMENTS