Zambia’s Data Protection Act has strengthened the legal framework for collecting and processing personal data, but regulators say enforcement and compliance remain a challenge.
Data Protection Commissioner Mr. Likando Luywa said that registering organizations handling personal data is the first step toward effective oversight.
“We need to understand who is collecting this data, what they are collecting it for, where they have the data and how they store it,” he said.
Luywa explained that registration will create accountability among data controllers and processors, enabling authorities to monitor compliance.
However, he noted that weak internal systems and limited awareness continue to undermine adherence.
“Compliance is not a one‑off activity; institutions need policies in place and staff who are properly trained,” he said.
Meanwhile, legal expert Ms. Christine Mwambazi said the Act introduces stronger accountability measures than before, but gaps in implementation persist.
She warned that regulators may struggle to hold organizations accountable without adequate capacity and monitoring mechanisms.
And Ecobank Head of Information Security Miriam Chungu stressed that failures often stem from human behaviour and organizational culture rather than technology.
“Weak adherence to established controls can undermine even the most robust data protection systems,” she said.
Stakeholders agree that while the Act has improved governance and accountability, its long‑term success will depend on sustained enforcement, greater awareness, and stronger institutional capacity.
