The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has laid out its enforcement roadmap for data protection compliance, signalling a structured yet firm approach to ensuring adherence to the Cyber and Data Protection Act (CDPA). With a mix of advisory measures and escalating penalties, the regulator aims to foster a culture of accountability among data controllers while cracking down on persistent violators.
At the heart of this strategy is a clear timeline of enforcement actions, beginning with voluntary compliance measures in 2025 and culminating in stricter penalties including fines and criminal sanctions by 2026.
By Gamuchirai Mapako
According to POTRAZ’s Director General, Doctor Gift Kalisto Machengete, the enforcement strategy is designed to encourage voluntary compliance before resorting to punitive measures. This approach reflects the regulator’s recognition that many businesses are still adapting to data protection requirements.
The first phase of enforcement focuses on education, support, and warnings, giving businesses ample opportunity to align with the law. In his presentation during the data controller licences handover, Dr Machengete pointed out that POTRAZ will issue public notices outlining regulatory priorities and compliance expectations, and that high-risk sectors like banking, healthcare and telecoms will receive targeted guidelines to help them meet data protection standards.
Businesses are encouraged to self-assess their compliance status, and POTRAZ will provide corrective warnings with clear deadlines for rectifying deficiencies before penalties apply.
The Data Controller License remains mandatory, with another handover ceremony scheduled for October 10, 2025.
Speaking during the license handover ceremony, Dr Machengete explained that unlicensed entities risk regulatory scrutiny, suspension, or revocation of operations.
POTRAZ will also conduct routine inspections to verify compliance.
Investigations will be triggered by consumer complaints, whistle-blower reports, cross-border data transfer violations and suspected unlicensed data processing.
While 2025 emphasises collaboration, 2026 marks a shift toward stricter enforcement.
Non-compliant organisations may incur hefty fines, with amounts scaled based on violation severity, and repeat offenders risk losing their Data Controller License, effectively halting their data processing activities. In extreme cases, such as large-scale breaches or deliberate negligence, POTRAZ may pursue criminal charges against responsible parties.
Who Needs It? Any organisation processing personal data must register. Businesses transferring data outside Zimbabwe must also notify POTRAZ or risk investigations or penalties.
POTRAZ Director General, Dr. G.K. Machengete, emphasised that “compliance is not a nuisance but a necessity”, drawing parallels to “wearing a seatbelt”, essential for protection, even if inconvenient.
The risks of non-compliance extend beyond fines: businesses could face reputational damage, operational disruptions and legal consequences.