As data protection reforms roll out across Zambia and southern Africa, data risk must be a priority for business and incorporated into an organisation’s risk oversight function, says leading corporate law expert Sharon Sakuwaha of Moira Mukaka Legal Practitioners. 

“Companies that take early preparatory steps to comply will be in a better position as the penalties for non-compliance are quite stiff under the new legislation,” says Sakuwaha. 

The Data Protection Act, 2021 (DPA), came into force in Zambia in April and extended liability to officers and shareholders. This has meant that data risk has become a governance issue that corporate boards should be concerned with. This is particularly so for directors who sit on boards of companies that process high volumes of data, such as financial services or the telecommunications sector.

The importance of the reforms has been overlooked thus far, says Sakuwaha, as ahead of the Zambian general elections on August 12, public focus had been on the more controversial Cyber Security Act, enacted at the same as the time DPA, and Electronic Communications and  Transactions legislation. 

“I think certainly post-election, as more awareness is created, businesses will focus on these other two pieces of legislation, particularly data protection which cuts across every industry.”

Businesses would be wise to take a proactive approach to compliance, says Sakuwaha, as while the enforcement body (the Office of the Data Protection Commissioner) is yet to be established and regulations still need to be issued, the DPA itself is already in force. 

“This provides an opportunity for businesses to take proactive steps to understand the impact of the DP, get executive buy-in, and conduct initial training and awareness and determine an approach to compliance,” says Sakuwaha. “As has been said, data is the new oil of the 21st century. There is an opportunity for businesses to harness and unlock the value of data within the confines of the new law to develop new innovative business models.”

While there will be increased compliance costs for businesses whose models are premised on the use of personal data, says Sakuwaha, the benefits of compliance should be weighed with the much higher cost of non-compliance, including fines, imprisonment, and damages. 

Sakuwaha and her colleagues are helping businesses deal with the DPA, which is similar to data protection reforms enacted across 33 African nations. This follows on from the HIPSSA Project (Harmonization of ICT policies in Sub-Saharan Africa) but with local nuances.

“Compliance programmes adopted by organisations with operations in Zambia will need to address these nuances,” she cautions. “Adopting a one-size-fits-all approach is not prudent.”

To prepare and protect its clients, Moira Mukaka is undertaking data audits, drafting and reviewing compliance frameworks, undertaking data impact assessments, holding awareness training for staff, training for boards on data risk and risk oversight, and conducting compliance reviews for cross-border transfers of personal data by multinationals. 

The evolution of the digital economy is evidence of the changing world we live in, says Sakuwaha, and the DPA reforms are a welcome development overall. 

“Covid has accelerated the transformation. Most businesses are now beginning to use digital channels, either for delivery of their services or delivery of their goods, or as a mechanism through which they conduct their business. Certainly, it’s a welcome scenario.”

For more great content join Africa Legal's mailing list - click here