🏪 BizSecure — Complai Africa

Affordable CDPA Compliance for Zimbabwean SMEs

If you collect customer names, phone numbers or payment data from 50 or more people, you are a Data Controller under the CDPA. BizSecure gives you everything you need for Tier 1 POTRAZ compliance.

📁 BizSecure Document Bundle

  • 🏪 SME Data Protection Policy (Tier 1 POTRAZ): Included
  • 📋 Customer Consent & Privacy Notice (web and physical display): Included
  • 🤝 Staff Confidentiality Agreement (all staff): Included
  • 🔍 DPIA Template (new processing activities): Included
  • 📑 Supplier Data Processing Agreement (payroll, IT and marketing): Included
  • 🚨 Breach Response Protocol + DP3 (72-hour rule): Included
  • 📊 Business Data Asset Register (POTRAZ DP1 ready): Included

Your Legal Obligations

What the CDPA Requires from Your Organisation

These are mandatory legal requirements under Zimbabwe law, currently being enforced by POTRAZ.

CDPA S.3: Am I a Data Controller?
Any organisation collecting and using personal data for 50+ individuals (customers + employees + website visitors combined) is a Data Controller and must register with POTRAZ. Complai Africa helps you prepare for that filing with templates and guidance.

S.I. 155 S.6: Tier 1 for Most SMEs
Most SMEs fall under Tier 1 (50–1,000 data subjects) at USD $50 per year, paid directly to POTRAZ. Your licence renews annually.

CDPG 1/2025: DPO Exemption Possible
Some general SMEs processing standard personal data may qualify for a DPO exemption under CDPG 1 of 2025. POTRAZ determines eligibility based on the nature of your processing.

CDPA S.14: Marketing Consent Required
Sending marketing via SMS, WhatsApp or email requires explicit opt-in consent from each customer. Pre-ticked boxes or implied consent do not meet the CDPA standard.

What Your Plan Includes

Comply Foundations for General Business Operations

BizSecure is built mainly from the Comply toolkit line. Add DPO Shield only if you need recurring oversight, named DPO support, or ongoing operational review.

  • 🏪 SME Data Protection Policy (Tier 1 POTRAZ): Comply
  • 📋 Customer Consent & Privacy Notice (web and physical display): Comply
  • 🤝 Staff Confidentiality Agreement (all staff): Comply
  • 🔍 DPIA Template (new processing activities): Comply
  • 📑 Supplier Data Processing Agreement (payroll, IT and marketing): Business+
  • 🚨 Breach Response Protocol + DP3 (72-hour rule): Corporate+
  • 📊 Business Data Asset Register (POTRAZ DP1 ready): Included
  • 🔎 Compliance Gap Assessment (27-point checklist): Business+
  • 📑 Record of Processing Activities (ROPA) (all business data): Business+
  • 📋 DSAR Response Kit (customer requests): Business+

Comply Tier Foundations

ROPA and Impact Assessments from Your Comply Tier

These frameworks come from your Comply package. BizSecure is intentionally simpler because most SMEs start with the core toolkit line before adding any managed DPO cover.

📊 Record of Processing Activities (ROPA)

Required under CDPA Section 13. This sits inside Comply Business and above, and becomes the foundation of your POTRAZ-facing operating record.

Your BizSecure ROPA covers:

  • Customer names and contact details
  • Customer purchase and transaction history
  • Customer payment data (if stored)
  • Loyalty programme data
  • Delivery address records
  • Employee personal records
  • Employee payroll and bank account data
  • Supplier and vendor contact data
  • Website contact form submissions
  • CCTV footage
  • Social media and WhatsApp records

Included in: Comply Business and above

🔍 Data Protection Impact Assessment (DPIA)

Required under CDPA Section 18 before any high-risk processing activity. Comply provides the base framework, and DPO Shield is added only if you need recurring oversight.

A DPIA is required before:

  • Launching a customer loyalty or rewards programme
  • Implementing CCTV surveillance on premises
  • Introducing a new customer database or CRM
  • Starting a WhatsApp marketing broadcast list
  • Adopting cloud-based accounting or payroll software
  • Any processing of employee health records

Included in: all Comply tiers, with scope varying by package

Common Questions

Frequently Asked Questions

I have a small shop. I collect customer phone numbers for deliveries. Do I need to comply?
If you have 50+ customers' phone numbers, yes. Phone numbers are personal data under the CDPA. You need to register with POTRAZ ($50), have a data protection policy, and use numbers only for the stated purpose — not unsolicited marketing. Complai Africa helps you prepare the documentation, but the filing remains yours.

We send WhatsApp marketing to our customer list. Is this legal?
Only if each customer explicitly opted in to receive marketing from you via WhatsApp. If you collected numbers for delivery and are now sending promotions, this is likely a violation. You need separate marketing consent.

We use a payroll service provider. Do we need a contract with them?
Yes — a Data Processing Agreement under CDPA Section 17. Your payroll provider processes employee personal data on your behalf. They must sign a DPA before accessing this data. Your BizSecure toolkit includes a pre-drafted version.

What is the penalty if we ignore the CDPA?
POTRAZ is in active enforcement mode. Penalties include fines up to Level 11 (~USD $3,000+) for operating without a licence and Level 12 (~USD $5,000+) for unlawful processing. Directors can be personally liable. Imprisonment of up to 10 years applies for serious violations.

Need help interpreting the SME requirements?

⚖ Ask AskDPO AI — Free, instant guidance

Choose Your BizSecure Path

For most SMEs, start with Comply Essentials. Add DPO Shield Essential if you need recurring guidance, oversight, or a named DPO relationship.