“In the digital age, privacy is not a privilege; it’s a right that must be fiercely protected.”
April 2024 marked a significant milestone for Tanzania with the launch of the Personal Data Protection Commission (PDPC) under the Personal Data Protection Act, 2022. During the inauguration, the President issued a clear directive: by 31st December 2024, all public and private institutions that process or control personal data must be registered with the Commission. This directive signifies the government’s commitment to safeguarding personal data in an era where data breaches and misuse are growing global concerns.
UNDERSTANDING PERSONAL DATA AND ITS GOVERNANCE
If you have observed recent trends, there has been a surge in discussions surrounding personal data. This heightened attention stems from the rapid evolution of the digital landscape, where system automation, AI integration, and the borderless nature of the FinTech space have elevated data to an invaluable commodity. Today, data is often likened to a mine; a resource as rich and essential as precious minerals. Many e-businesses thrive on the collection, analysis, and sale of data, underscoring its critical role in driving economies and shaping industries.
So, what is personal data? The General Data Protection Regulation (GDPR), formulated by the European Union and a key inspiration for Tanzania’s legal framework on data protection, defines “personal data” as any information relating to an identified or identifiable natural person (the data subject). A person can be identified directly or indirectly through various identifiers, such as a name, identification number, location data, online identifiers, or characteristics specific to their physical, physiological, genetic, mental, economic, cultural, or social identity.
For example, an online retailer collecting information such as your name, email address, phone number, home address, purchase history, and IP address is handling personal data under the GDPR. While identifiers like your name and home address directly identify you, others, such as your email, phone number, or IP address, indirectly link you to your identity. Additionally, your purchase history and browsing patterns further contribute to your profile, making you identifiable even without direct identifiers. Therefore, if such data is misused, it could cause serious harm to individuals, highlighting the necessity for businesses to handle it responsibly and comply with regulations.
In Tanzania, personal data is regulated by three key instruments. The Personal Data Protection Act 2022 serves as the primary framework, outlining the rights of individuals and the obligations of organizations to safeguard personal data; the Personal Data Protection (Personal Data Collection and Processing) Regulations 2023 provide detailed guidelines on obtaining consent, data storage, and security measures, as well as managing cross-border data transfers; and the Personal Data Protection (Complaints Settlement Procedures) Regulations 2023 outline the process for addressing complaints related to data breaches or violations, ensuring a clear path for individuals to seek redress. Together, these instruments aim to protect individuals’ privacy and promote responsible data handling practices in Tanzania.
THE RISKS AND CONSEQUENCES OF POOR DATA PROTECTION
Institutions failing to protect personal data face significant consequences. These risks are not only financial but also reputational and operational:
- Reputational Damage: Customers and partners lose trust in organizations that fail to safeguard their data, leading to reduced engagement and potential business losses.
- Identity Theft: A data breach can expose individuals to identity theft, where personal details are misused for fraudulent purposes, such as unauthorized financial transactions.
- Financial Loss: Institutions may face lawsuits, fines, or penalties for failing to comply with regulations. The costs of resolving breaches, including compensation to victims, can be staggering. A stark example occurred in 2018 when British Airways suffered a data breach that exposed the personal details of 420,000 individuals, including usernames, passwords, credit card details, and essential flight-related data. The Information Commissioner’s Office imposed a £20 million fine on BA, deeming its failure to protect customer data “unacceptable.”
- Regulatory Non-Compliance: Organizations may incur fines, sanctions, or legal action for failing to adhere to the Personal Data Protection Act. The Act imposes fines ranging from 100,000 to 20,000,000, and officials may face imprisonment for up to 10 years.
- Operational Disruption: Breaches can lead to downtime, loss of critical data, or unauthorized access to sensitive systems. A prime example is a ransomware attack, where malware is designed to deny a user or organization access to their files until a ransom is paid for the decryption key. This halts normal operations and causes significant operational disruption, since employees are locked out of essential systems.
Data breaches can cause harm not just to institutions but to individuals whose data is compromised. Common consequences include:
- Financial Harm: Victims may suffer unauthorized withdrawals or fraudulent charges.
- Discrimination: Breaches involving sensitive data, such as health conditions or ethnicity, could lead to unfair treatment.
- Loss of Autonomy: Individuals lose control over their personal information, which could be misused without their consent.
- Psychological Harm: Victims may experience anxiety or distress from being targeted by cybercriminals.
THE ROLE OF INSTITUTIONS IN SAFEGUARDING DATA
The Act has introduced three key roles in data protection:
- Data Controller: An individual, organization, or public body that determines the purpose and methods for processing personal data.
- Data Processor: An entity that processes personal data on behalf of the controller under its instructions.
- Data Protection Officer (DPO): An individual appointed by the data controller or data processor charged with ensuring compliance with the obligations provided for in the Act.
The first step in becoming compliant and safeguarding data is registering the institution as either a Data Controller or a Data Processor. Furthermore, an institution must appoint a DPO whose primary role is to ensure that control measures are in place for the personal data the institution collects or processes.
Additionally, data controllers and processors must adhere to the following principles to ensure proper handling of personal data:
- Lawfulness, Fairness, and Transparency: Collect data lawfully, with clear consent from the data subject.
- Purpose Limitation: Use data only for the purpose for which it was collected.
- Data Minimization: Collect only the data necessary for the intended purpose. For instance, a hospital may need a patient’s medical history but not their criminal record.
- Data Accuracy: Maintain accurate records. Data subjects have the right to verify and correct inaccuracies.
- Data Security: Ensure data is securely stored and handled confidentially, and encrypt data.
- Storage Limitation: Retain data only for a specified period, after which it should be securely destroyed.
- Accountability: The DPO is responsible for ensuring compliance with these principles.
PRACTICAL STEPS FOR SAFEGUARDING DATA
Organizations can strengthen their data protection measures by adopting the following practices:
- Limit Internal Access: Restrict data access to authorized personnel only, and always ensure that user access permissions are promptly revoked when an employee leaves the organization. Since many cyberattacks are carried out by insiders, safeguarding access is critical to protecting sensitive information from potential misuse.
- Maintain Access Logs: Keep detailed records of who accesses data to ensure traceability and transparency.
- Staff Training: Educate employees on data protection best practices, including how to recognize phishing and other cyber threats. (MWEBESA LAW offers tailored training to help your organization stay secure.)
- Implement Data Protection Policies: Create and enforce robust policies to govern data handling.
- Centralize Data Storage: Consolidate data into secure systems to reduce the risk of unauthorized access.
- Avoid Unnecessary Retention: Dispose of data that is no longer needed to minimize exposure to breaches. Organizations that store large volumes of data are more exposed to cyberattacks.
- Embrace Encryption: Protect data during transfers using strong encryption protocols.
- Update Systems Regularly: Install updates and patches promptly to address security vulnerabilities.
- Conduct Regular Audits: Assess your systems periodically to identify and resolve weaknesses.
- Privacy by Design: Embed data privacy measures proactively throughout the entire lifecycle of a product, system, or service.
CONCLUSION
Institutions are urged to align with these regulations by the December 2024 deadline, not only to ensure compliance but to uphold the trust and privacy of those they serve. Businesses that are not yet registered with the Personal Data Protection Commission (PDPC) may face challenges in renewing their licenses come 2025.