Executive Summary
In December 2021 Zimbabwe promulgated a new law, the Cyber and Data Protection Act [Cap 12:07], that seeks to regulate interactions in the cyber space and the digital world, create a technology-driven business environment, and encourage technological development and the lawful use of technology. Among the critical aspects ushered in by this new law are the investigation and collection of evidence of cybercrimes, data breaches and the admissibility of electronic evidence in courts of law. This emerges from its preamble or long title. It is trite that the development of such a law was long overdue if one considers that the nation had widely adopted the use of digital technologies for over a decade prior to the coming in of this relatively new law. This new law has been met with mixed feelings, like any other law. In a world where the internet and social media are prominent methods of communication, the Act presents businesses with enormous potential for growth and success with its provisions on cyber security, data protection and protection of business image. On the downside, the Act has the potential to stifle free speech and political criticism, which is detrimental to any liberal society. In this article, we explore opportunities that can see businesses maximize profit generation and the security of their critical data through the strategic use of the Cyber and Data Protection Act. This article will put emphasis on provisions on cyber security, responsible use of data and data technologies as catalysts for business growth. With the increase in the digital supply chain, most African countries are developing regulatory frameworks that seek to govern the digital ecosystem in an effort to make the digital world safe for everyone. Businesses can complement government efforts by strategizing new risk mitigating initiatives.
ICT Code of Conduct
Businesses can ring-fence their assets and capital by developing ICT codes of conduct (COC) to ensure responsible use and handling of data by data controllers in their employ, thereby protecting themselves from liability arising from irresponsible use and handling of data belonging to their data subjects. Section 30 of the Act provides entities, corporations, trade associations and bodies representing data controllers with an opportunity to develop new codes of conduct or amend the existing ones before submitting them for approval to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ). Businesses can now get rid of unscrupulous persons who might intentionally or negligently commit data breaches in the course of duty.
Consent Forms
Among other mechanisms that can be utilized by businesses when collecting data from their clients is the use of consent forms. Section 10 of the Act says personal information may only be processed if the data subject consents to such processing of data. Data can be anything from personal names, ID numbers, addresses and details of next of kin to phone numbers, emails, marital status, health status, product preferences, and biometric information such as photographs and CCTV-generated footage. It is important for data controllers to properly distinguish between sensitive and non-sensitive data, as this will help in identifying the level of consent required. The Act provides that sensitive data must be processed with the written consent of the data subject, whereas non-sensitive data may be processed with oral or implied consent. Consent will enable businesses to utilize personal data for legitimate purposes.
Data Subject and Data Controller
In some scenarios a business can be a data subject, whereas in other instances it can be a data controller. The latter seems to be common in businesses such as banks, insurance, mobile telephone service providers and retail, among others. The Act defines a data subject as an individual who is an identifiable person and the subject of data. The increasing use of mobile money transfer services and points of sale also makes every person, including juristic entities, a data subject and thereby vulnerable to scamming, identity theft and data kidnapping.
Protection against Scamming
Businesses can now utilize mechanisms brought by the Cyber and Data Protection Act to employ high-standard data security measures and protect clients from suffering losses due to scamming. By adhering to the same standards, businesses will also protect themselves from liability emanating from data processing. In Hawarden v Edward Nathan Sonnenbergs Inc (High Court of South Africa Gauteng Province) Case No. 13849/20, a case of what has been termed ‘Business Email Compromise’ (BEC), the plaintiff made an electronic payment of R5.5 million into what she believed was the defendant’s (law firm’s) account, details of which had been emailed to her by a conveyancing secretary in the employ of the defendant. The ENS account details were set out in a PDF attachment under cover of an email. Unbeknown to the plaintiff, her email account was hacked and the email containing the ENS account details was intercepted by an unknown fraudster and altered to reflect the fraudster’s bank account details, resulting in the funds electronically transferred by the plaintiff being deposited in the fraudster’s bank account as opposed to the ENS account. After assessing the evidence at trial, the South African court concluded that the law firm was aware of the risks of BEC prior to the fraudulent incident and that it had failed to warn the plaintiff of the known risks of email and PDF manipulation, or of precautions that could be taken against BEC, prior to the plaintiff effecting the electronic payment. The law firm was held liable to pay R5.5 million including costs.
From the above case, we learn that issues of data processing are crucial to both the data subject and the data controller. In that case, the court also enlightened businesses to utilize other security procedures such as technical safety measures or multi-channel verification (in-person or telephonic confirmation) in financial transactions. The court also stressed the need to keep clients’ information confidential in light of professional duties, and found that the defendant had committed confidentiality breaches by copying private and highly confidential data of the plaintiff and, to compound matters, adding it to the trial documents bundle. In Zimbabwe, the Cyber and Data Protection Act brings in obligations of data controllers and rights of data subjects which are enforceable at law.
Data Processor
Businesses can now employ data processors on special contracts that exonerate the business from liability resulting from improper handling of data by the data processor. The Act provides that every data controller shall appoint a data processor who shall provide sufficient guarantees regarding the technical and organizational security measures employed to protect the data associated with the processing undertaken and ensure strict adherence to such measures. By making use of a data processor in strict adherence to the law, businesses can now enhance their reputation, thereby attracting more clients. Data processors play a crucial role in the image of the business.
Business Image
Businesses can now advance and protect their image in the digital space by utilizing the rights of data subjects. In a highly competitive business world, businesses can easily get their image ruined by the click of a button. The Act provides for remedies that businesses can rely on in protecting and advancing their business image. Section 164C of the Act protects businesses from economic harm resulting from intentional transmission or broadcasting of false information through computer or information systems. This provision provides a business with an opportunity to expand its goodwill and reputation in the cyber space, thereby reaching a wider client base.
Conclusion
In conclusion, the Cyber and Data Protection Act presents an opportunity for the business world to enhance their business image and protect their data and information against scamming, among other opportunities, as a means of improving their competitiveness and sources of revenue. In a world full of competition, businesses need to adopt the provisions of this new law with speed as a way of maximizing opportunities. Businesses can also ring-fence their assets by utilizing cyber security provisions which are now part of our law.
Madzima and Company Law Chambers NEWS AND UPDATES