The Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) has issued a stern regulatory notice to all organizations and individuals processing personal data, signaling an end to the grace period for data protection compliance. Under Regulatory Notice 1 of 2026, the authority expressed concern that numerous entities continue to handle personal information without the requisite licenses, despite the original deadline having passed nearly a year ago.
The Legal Framework and Expired Deadlines
The mandate for licensing stems from the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (Statutory Instrument 155 of 2024), which was promulgated in September 2024. These regulations required all natural and legal persons processing personal data to obtain a Data Controller Licence by March 12, 2025.
Despite this clear statutory requirement, POTRAZ has noted with “concern” that many organizations have failed to regularize their operations. As the designated Data Protection Authority, POTRAZ is now moving to enforce full compliance with the Cyber and Data Protection Act [Chapter 12:07].
Who Is Affected?
The directive is broad in scope, applying to any non-exempt natural or legal person permanently established in Zimbabwe, or those who process personal data using Zimbabwean resources. Specifically, the licensing requirement covers data processed through:
- Print and electronic means.
- Surveillance systems.
- Biometric systems.
In addition to licensing, the law mandates the appointment of Data Protection Officers, who are responsible for ensuring that organizations adhere to data protection principles and safeguard the information they handle.
Why Compliance Matters
POTRAZ Director General, Dr. Gift Machengete, emphasized that this framework is a critical component of accountability and transparency. Beyond being a mere statutory obligation, the authority views licensing as a demonstration of commitment to safeguarding the sensitive data entrusted to organizations by their stakeholders, including customers and employees.
Failure to comply is no longer being treated with leniency. Organizations operating without a license risk:
- Regulatory fines and legal sanctions.
- Enforcement actions.
- Reputational damage and potential legal liability.
Call to Action for Tech Leaders
The regulator has urged all unlicensed entities to regularize their activities with immediate effect. To facilitate this, POTRAZ has provided an online application portal at https://dclicensing.potraz.zw/.
