Data privacy breaches can have a significant impact on individuals and corporations alike in terms of reputational and financial repercussions. Online financial services are used more widely in Africa than anywhere else in the world. As Zimbabwe moves more towards being a cashless society, the finance sector is facing an increasing amount of cybercrime, including phishing and bank card cloning – both of which are on the rise.
Such breaches are not unique to Zimbabwe. For example, several Kenyan financial institutions have lost millions of dollars to cybercrime over the past few years, while a leading bank in Rwanda lost $10.3 million to fraudulent customer withdrawals in under three months.
It’s a critical concern for individuals and businesses globally, and more so for those operating in Africa, where the digital economy is growing by leaps and bounds.
In an effort to counteract these risks and safeguard the data of its citizens and businesses, Zimbabwe formally enacted the Data Protection Act [Chapter 11:24] on December 3, 2021. While the Act deals with aspects of cybersecurity and cybercrime, its primary focus is on data privacy and ensuring data protection for all data collected within the country, as well as outside the country and processed in Zimbabwe. It also includes some of the strictest penalties for non-compliance and breaches for data handlers.
Lorreta Songola, Regional Chief Commercial Officer, Central Africa Region at Liquid Intelligent Technologies, unpacks ten ways to help Zimbabwean organisations and individuals proactively improve and manage their data privacy practices:
- Foster a top-down approach.
Ensure active involvement and support from senior management in data protection efforts. For instance, a multinational corporation might require all its senior executives to undergo annual data protection training that is filtered down to staff and allocate a portion of their budget to cybersecurity initiatives.
- Designate a Data Protection Officer to oversee data protection efforts.
This senior-level person should have expertise in data protection laws and regulations and oversee compliance within the organisation. This role is crucial in ensuring that data privacy is prioritised and implemented effectively. For example, a healthcare company might recruit a seasoned legal professional with expertise in healthcare data privacy laws, responsible for ensuring compliance with regulations and conducting regular data privacy audits.
- Provide regular training to employees on data protection best practices.
Ongoing training helps create a culture of data privacy within the organisation. An e-commerce company might implement a quarterly training programme covering topics such as recognising phishing attacks and secure handling of customer data. Employees also need to be aware of the risks involved with the use of artificial intelligence tools in terms of the information about your organisation that is (potentially) shared and (definitely) stored.
- Implement a data classification system to categorise data based on its sensitivity.
Classify data based on its sensitivity, for instance as ‘public’, ‘internal-only’, ‘confidential’, and ‘restricted’. A financial institution, for example, might categorise its data into these levels, setting access controls accordingly. This helps control access to sensitive information and ensures that appropriate security measures are in place for each data category.
- Always be mindful of retaining customer trust.
Build customer trust by being transparent about data collection and usage practices. For instance, an online retailer might prominently display its privacy policy on its website, detailing how customer data is collected, used, and protected. Clearly communicate to your customers how their information is being used and stored and implement privacy policies that outline your organisation’s commitment to data privacy.
- Understand the concept of data privacy and its importance.
Data privacy refers to the protection of personal information from unauthorised access, use, or disclosure. A tech startup might include a module on data privacy in its onboarding programme for new hires, explaining the principles of data protection and the company's commitment to safeguarding personal information. By defining data privacy and ensuring that all stakeholders understand its importance, organisations can create a framework for protecting sensitive information.
- Always ensure meticulous regulatory compliance.
Ensure compliance with data protection laws and regulations relevant to your jurisdiction. For example, a global company operating in multiple jurisdictions might conduct regular audits to ensure compliance with GDPR and other relevant data protection regulations. Stay updated with changes in legislation and implement necessary changes to remain compliant.
- Implement robust cyber security measures to protect against cyber threats.
Protect against cyber threats by using encryption, firewalls, and anti-virus software. A bank, for example, might implement multi-factor authentication for all online transactions, encrypt sensitive data, and regularly update its firewall and antivirus software to protect against the latest threats. Organisations like Liquid Zimbabwe can assist businesses with implementing the appropriate solutions.
- Have regulatory approved/recommended agreements in place for cross-border data transfer.
Establish required agreements, such as intergroup transfer agreements, and recommended standard contractual clauses for lawful data transfers outside your country of operation. For instance, a multinational e-commerce company uses approved agreements to securely transfer customer data between its African offices. These agreements ensure that data is transferred securely and complies with data protection regulations.
- Invest in local data storage solutions.
Local storage solutions not only ensure that local data regulatory requirements are met, but
Also provide a cost-effective way to run sensitive latency business applications, with the
required security features. For example, where a financial services company operates in
multiple African countries, each will have its own set of data protection regulations. To
comply with these regulations and ensure the security of customer data, the company
invests in local data storage solutions in each country.
By proactively addressing and managing the security of data, organisations in Zimbabwe can strengthen their data privacy practices, mitigate risks, and build trust with customers and stakeholders.