Zimbabwe: POTRAZ announces the release of draft Cyber and Data Protection Regulations

The Postal and Telecommunications Regulatory Authority of Zimbabwe ('POTRAZ') announced, on 16 November 2022, a new Draft for the Cyber and Data Protection Regulations, 2022 ('the Draft'). In particular, the Draft details that the Minister of Information and Communications Technologies has released the Draft after consultations with the POTRAZ, in accordance with Section 32 of the Cyber and Data Protection Act ('the CDPA').

In particular, the Draft specifies new provisions regarding the licensing and registration of data controllers, and on the designation of a data protection officer ('DPO') in the following cases:

  • the processing is carried out by a public authority or body;
  • the core activities of the controller or the processor consist of data processing operations, which require regular and systematic monitoring of more than 3,000 data subjects; or
  • the core activities of the controller or the processor consist of processing of special categories of data or personal data relating to criminal convictions and offences where the processing operations cover more than 1,000 data subjects.

Moreover, the Draft establishes several data security provisions. For example, if a controller chooses to rely on legitimate interests for processing data, a Legitimate Interest Assessment ('LIA') must be conducted first, and a record of that LIA should be properly kept to demonstrate compliance. The Draft also provides for the establishment of codes of conduct, which are voluntary accountability tools aimed at helping controllers to comply with the CDPA. Further, the Draft specifies that personal data shall be processed securely by means of appropriate technical and organisational measures, which shall entail the following:

  • conducting of risk analysis;
  • development and implementation of organisational policies;
  • implementation of appropriate physical and technical measures, such as pseudonymisation and encryption; and
  • controllers and processors should take into account additional requirements about the security of processing depending on the circumstances and risk posed by processing.

Lastly, the Draft provides that a controller should report personal data breaches to the POTRAZ within 24 hours of becoming aware of the breach affecting the data being processed by the concerned controller or processor.

You can read the Draft here.
