Cyber Security: Understanding Data Protection in Zambia

As we continue to use online platforms for various activities, it is cardinal that we are aware of the regulations that govern these platforms. Being compliant with the guidelines set by statutory bodies is important, as it helps to avoid unnecessary mishaps which may in turn negatively affect an individual’s or organisation’s activities online.

One of the main concerns that has constantly arisen in the online sphere is the protection and use of personal data.

On the international scene, one notable milestone in this discussion is the enactment of the General Data Protection Regulation (GDPR), which came into force on May 25, 2018.

Matt Burgess of WIRED writes that, “GDPR can be considered as the world’s strongest set of data protection rules, which enhance how people can access information about them and places limits on what organisations can do with personal data.”

He explains that at the heart of GDPR is personal data. Broadly, this is information that allows a living person to be directly, or indirectly, identified from data that is available. This can be something obvious, such as a person’s name, location data, or a clear online username, or it can be something less instantly apparent: IP addresses and cookie identifiers, for example, can also be considered personal data.

Similar to the GDPR is Zambia’s Data Protection Act of 2021, enacted by the Parliament of Zambia. The Data Protection Act of 2021 states that the act is meant to, ‘provide an effective system for the use and protection of personal data; regulate the collection, use, transmission, storage and otherwise processing of personal data; establish the Office of the Data Protection Commissioner and provide for its functions; the registration of data controllers and licensing of data auditors; provide for the duties of data controllers and data processors; provide for the rights of data subjects; and provide for matters connected with, or incidental to, the foregoing.’

Following the article published on Cyber Security, we continue the conversation with Alinani Simuchimba, a Cyber Security Consultant, as he unpacks some of the contents of the Data Protection Act of 2021.


LM: In your own words, could you give us a brief description of the Data Protection Act of 2021?

AS: Our Data Protection Act of 2021 is very similar to other data protection acts, for example the GDPR in Europe, which has championed the recognition of cyber security as being important to businesses and to their meeting their goals. In our local context, the Data Protection Act is there to ensure that the data that people are collecting and using is being used in a way that does not compromise the security of the person from whom they have gotten that data.


LM: How would you summarise the components of this act?

AS: There are three main factors within the act, namely: the Data Controller, which is the organisation or body that collects the information or personal data and decides how it will be used; the Data Processor, which may either be from the organisation of the data controller or may be outsourced from another organisation, for example a company running payroll on behalf of another company; and the Data Subject, which is the individual. Hence the act is concerned with how the data is used, essentially asking if the data is being used for what it is intended to be used for.


LM: What are the penalties attached, should a breach occur?

AS: To paraphrase, under Part 2, section 49, in case of a breach of an organisation within the country, the data controller is required to report the breach to the office of the Data Protection Commissioner within 24 years. However, we don’t have this office yet, as it has not yet been established under the act.

The penalties for disclosure of personal info by a data controller, in part, under Part 3, section 55, subsections 1 and 2, read: “…a body, a corporate or organisation that contravenes the provision of this part commits an offence and is liable upon conviction to 2 percent annual turnover of the preceding financial year or 2 million penalty units whichever is higher.” One penalty unit is currently at 30 ngwee.

Further, individuals breaching this act are liable to two hundred thousand and three hundred thousand penalty points, or face two years’ imprisonment. In the event that you are a victim, you can seek compensation if your data has been leaked, under section 72 of the act.


LM: What are some of the challenges that can be highlighted within the Act?

AS: Most of the things within the act are not clear and hence have not been actualised, such as setting up the office of the Data Protection Commissioner. There is a need for further clarity by way of statutory instruments issued by the minister. In addition, one of the biggest arguments is the aspect of data being kept internally, which will essentially call for huge investments. We need to host our data locally, but the investment that will be required is huge; therefore we need clarity from the act with regard to what sort of data should be kept in country and what sort of data can be kept out of country.


Alinani advised that those operating in the online space should ensure they put measures in place that allow for safety.

Indeed, online platforms have brought countless opportunities in every sphere of society. However, the online space does require one to be responsible in how activities are conducted, to minimise the occurrence of harm.

As BongoHive, we are committed to creating platforms for discussions on cyber security. As a technology and innovation hub, we understand the importance of ensuring that safety is upheld as a core factor in our products and services.

Reach out to us for your digital transformation and innovation consultancy needs – here