Data protection, appointment of officers
Business Law
On March 27, 2025, I wrote an article titled “Data Protection Regulations of 2024 and Compliance.” I had numerous inquiries thereafter.
I was requested to write on the appointment of data protection officers, which I hereby do.
In the article, I covered the Cyber and Data Protection Act (Chapter 12:07) (No. 5 of 2021) (hereinafter referred to as “the Act”) and Statutory Instrument 155 of 2024, the Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (hereinafter referred to as “the SI” or “the Regulations”), which were promulgated on September 13, 2024.
In the same article, I covered data controllers.
I explained that in terms of the Act, a “data controller” or “controller”:
refers to any natural person or legal person who is licensable by the authority
includes public bodies and any other person who determines the purpose and means of processing data.
In this article, I look at Data Protection Officers as required by the Act and the Regulations.
Data protection officers
According to the Act, “data protection officer” or “DPO” refers to any individual appointed by the data controller and is charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act.
Appointment of data protection officers
The appointment of data protection officers is regulated by section 12 of the Regulations.
Section 12(1) has the following key provisions:
A data controller shall appoint a data protection officer and notify the Authority (POTRAZ) in writing.
A data controller must notify the Authority of any change to the data protection number, email address within 14 days.
A data controller must notify the Authority of the dismissal or resignation of a data protection officer in writing within 14 days.
Guidelines to the qualifications of data protection officers
This is regulated by section 13 of the Regulations. According to section 13(1), a data protection officer shall have skill, qualification or experience in any of the following:
data science
data analytics
information security systems
information systems audit
law
audit
any other relevant qualification
knowledge of national data protection laws and practices; and
an understanding of the data controller’s business operations and processing activities.
According to section 13(2), every data protection officer shall be required to undergo a certification course approved by the Authority.
In terms of section 13(3), no person shall provide certification training for purposes of the Act and these Regulations unless the person is accredited by the Authority and has paid the fees set out in the second schedule.
Functions of data protection officers
These are regulated by section 14 of the Regulations and include the following:
(a) monitoring compliance with the Act and these regulations, and with organisational data protection policies, including—
(i) managing internal data protection activities;
(ii) raising awareness on data protection;
(iii) training staff on data protection; and
(iv) conducting internal data protection compliance audits;
(b) dealing with requests made to the data controller by the Authority and data subjects pursuant to the Act;
(c) advising employees about their obligations to comply with the Act and these regulations;
(d) advising on and monitoring data protection impact assessments;
(e) working with the authority in relation to the performance of its functions in relation to the data controller;
(f) acting as the contact point of data subjects regarding the processing of their data.
Further articles
Space permitting, I promise to write more articles on data protection compliance.
Conclusion
I reiterate that the Act is relatively new. The regulations are recent. There are deadlines to be met. It is important to consult legal and IT professionals to be compliant. This area also presents career opportunities for IT professionals.
Disclaimer
This simplified article is for general information purposes only and does not constitute the writer’s professional advice.
Godknows (GK) Hofisi, LLB (UNISA), B.Acc (UZ), Hons B.Compt (UNISA), CA(Z), ACCA (Business Valuations), MBA (EBS, Heriot-Watt, UK) is the Managing Partner of Hofisi & Partners Commercial Attorneys, chartered accountant, insolvency practitioner, commercial arbitrator, registered tax accountant and advises on deals and transactions.
He has extensive experience from industry and commerce and is a former World Bank staffer in the Resource Management Unit. He sits on the Council of Estate Administrators in Zimbabwe and was recently appointed to the Board of an Engineering company.
He writes in his personal capacity. He can be contacted on +263 772 246 900 or ghofisi@hofisilaw.com or gohofisi@gmail.com. Visit www.hofisilaw.com for more articles. -Herald