
Data Protection Act Compliance: A Checklist for Zimbabwe Businesses

28 June 2026 7 min read

Zimbabwe's Data Protection Act has been in force for a while now, and the regulator is active. The good news: getting compliant isn't the legal mountain it sounds like. Most of it is practical housekeeping. Here's a plain-English checklist you can work through — in order — to get from "we've done nothing" to genuinely covered.

Quick grounding first: if you collect any personal information about people — names, phone numbers, emails, ID numbers, payment details — the Act applies to you. That's almost every business. For the full background, see our overview of the Data Protection Act 2021. This piece is the action list.

1. Know what data you hold

You can't protect what you haven't mapped. Write down what personal data you collect, where it lives (spreadsheets, your website, WhatsApp, a CRM), who can access it, and how long you keep it. This single exercise surfaces most of your risk.

2. Have a lawful reason for collecting it

For each type of data, you should be able to say why you have it — a contract, the customer's consent, a legal requirement. If you're collecting something "just in case" with no real reason, stop collecting it.

3. Publish a clear privacy policy

Your website needs a privacy policy that tells people, in plain language, what you collect, why, who you share it with, and how they can ask to see or delete their data. This is one of the most visible signs of compliance — and one of the easiest to fix.

4. Get consent properly

  • Don't pre-tick boxes — consent has to be a genuine choice.
  • Separate marketing consent from the main transaction — let people buy without being forced onto your mailing list.
  • Make opting out easy — an unsubscribe link that actually works.

5. Secure the data (the technical part)

The Act expects "appropriate" security. In practice that means the basics done properly:

  • HTTPS on your website and any form that collects data.
  • Strong, unique passwords and two-factor authentication on admin accounts.
  • Access control — only staff who need the data can reach it.
  • Backups and a patched, up-to-date website.

A security assessment is the fastest way to know whether your "appropriate security" would actually hold up.
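As an added example (not code from the original post), here is a small offline check for the first item on that list: whether every form on a page submits its data over HTTPS, and whether the site sends a Strict-Transport-Security header so browsers keep using HTTPS. The page URL, the HTML and the response headers are constructed samples for illustration; `example.invalid` and the `/legacy-submit` path are assumptions, not a real site.

```python
"""Offline audit of a page's forms and headers against the
"HTTPS on your website and any form that collects data" item.
All inputs below are constructed samples, not captured from a real site."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Record the action URL of every <form> and the input names inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name") or a.get("type") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html, headers):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    page_scheme = urlparse(page_url).scheme
    if page_scheme != "https":
        findings.append(f"page itself is served over {page_scheme}, not https")

    # Header names are case-insensitive, so normalise before looking them up.
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "strict-transport-security" not in hdrs:
        findings.append("no Strict-Transport-Security header (browsers may still try plain http first)")

    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        # Relative or empty actions resolve against the page URL.
        target = urljoin(page_url, form["action"])
        scheme = urlparse(target).scheme
        if scheme != "https":
            findings.append(
                f"form posting {form['fields']} to {target} uses {scheme or 'no'} scheme"
            )
    return findings


# Constructed sample: a contact page served over HTTPS, one form still posting
# identity data to a plaintext legacy endpoint, and no HSTS header.
SAMPLE_PAGE_URL = "https://example.invalid/contact"
SAMPLE_HTML = """
<html><body>
  <form action="http://example.invalid/legacy-submit" method="post">
    <input name="full_name"><input name="phone"><input name="national_id">
  </form>
  <form action="/newsletter" method="post">
    <input name="email">
  </form>
</body></html>
"""
SAMPLE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_HEADERS):
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the missing Strict-Transport-Security header, and the form collecting a name, phone number and ID number that posts to a plain `http://` address. The newsletter form is fine because its relative action resolves to the HTTPS page URL. In a real assessment you would feed it the HTML and headers fetched from your own site.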

6. Have a breach plan

Decide now what you'd do if data were exposed — who's responsible, how you'd contain it, and how you'd notify the regulator and affected people. Our guide on what to do when your website is hacked walks through the response.

7. Respect people's rights

People can ask what data you hold about them, ask you to correct it, or ask you to delete it. Have a simple process so that when a request comes in, you're not scrambling.

The short version

Map your data, justify why you hold it, tell people the truth in a privacy policy, get consent honestly, secure it properly, and know what you'd do in a breach. Do those six things and you're ahead of the overwhelming majority of Zimbabwean businesses — and genuinely protecting the customers who trusted you with their information.


Want help getting compliant?

We'll assess where your business stands against the Data Protection Act and give you a clear, prioritised plan — plus fix the technical security side ourselves.

Request an Assessment

Or message +263 77 690 2542 on WhatsApp.


Donovan Mudarikwa

CompTIA A+, Security+ & PenTest+ certified

CompTIA A+, Security+, and PenTest+ certified security professional and web developer. Based in Harare, working with businesses across Zimbabwe and beyond.