Zimbabwe’s Cyber and Data Protection Act poses new challenges for churches

Thembelihle Mhlanga

On a Sunday morning in Harare, Pastor Emmanuel Zuze of the World Pentecost Assembly scans the congregation before service begins. His mind, however, is not just on his sermon—it’s on the $2,500 his church needs to train a Data Protection Officer (DPO) before the government’s March 2025 compliance deadline.

“It is a costly move by the government to demand such an amount, given that most churches are not profit-making,” he says, shaking his head. Like many religious leaders across Zimbabwe, Pastor Zuze is grappling with the financial and administrative burden of the Cyber and Data Protection Act.

The law, enacted in 2022 and strengthened by Statutory Instrument 155 of 2024, requires any institution handling personal data for more than 50 people to appoint a certified DPO. This means churches—some with congregations in the thousands—must comply or face legal consequences. However, with high training costs and limited resources, many religious organisations fear they won’t meet the deadline.
Religious leaders warn that the law raises deeper concerns beyond compliance—trust, digital security, and the sustainability of churches in an era of growing government oversight. Some churches are now considering outsourcing data protection services, while others hope for policy adjustments to ease the financial strain.

The Financial Strain of Compliance
The estimated cost of training each Data Protection Officer is about $2,500, which is a significant sum for many churches that rely on donations and volunteer support. The Roman Catholic Church, for instance, has approximately 1.5 million members, while the Anglican Church counts about 1 million members. The United Methodist Church has roughly 600,000 members, and the Seventh-day Adventist Church (SDA) has around 400,000 members. Pentecostal churches collectively boast around 2 million members, with major groups like the Apostolic Faith Mission and the Zimbabwe Assemblies of God Africa (ZAOGA) having about 500,000 and 1 million members, respectively.

For larger congregations, the financial implications multiply quickly, making compliance an overwhelming challenge. Smaller churches, in particular, are struggling to find the necessary funds.

Margaret Zizhou, an independent ICT and Data Specialist, highlighted the importance of the training: “It is paramount to train them to protect congregants’ data from manipulation by data pirates.” However, many religious leaders argue that while training is essential, the cost is prohibitive.

Legal and Administrative Challenges
According to the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ), churches must ensure their DPOs are trained and certified before the enforcement date. Failure to meet the compliance deadline could result in penalties or legal action. Mr. Rodwell Chitiyo, a Data and Media official at POTRAZ, emphasized, “The churches are not exempted from having DPOs as long they collect and process personal data for more than fifty people. However, they can outsource the DPO since there are some trained personnel in data handling already.”
Some churches have explored outsourcing options, but even this comes at a cost. Others have requested the government to allow a single DPO per religious association rather than requiring each church to appoint an individual officer. Pastor Thulani Ncube of House of Worship stated, “We are engaging the government in request of training one DPO an association as compared to doing as an individual church.”
POTRAZ, however, has indicated that each church must have its own designated officer, making collective compliance efforts difficult.

Trust and Congregational Concerns
Beyond finances and legal obligations, religious leaders worry about how these regulations will affect trust within their communities. Archbishop Alex Kiliyani voiced his apprehension: “We do not collect detailed personal data of anyone for public consumption. I think there is no danger to us. All our communications are for internal use only.”
Despite such assurances, concerns about data security persist. As churches are required to store and manage personal information, the risk of data breaches and misuse becomes a pressing concern. Pastor Zuze pointed out that “this development will create some trust issues from ordinary worshippers.” Congregants may hesitate to disclose personal information if they feel their data is not secure, which could impact church operations and engagement.

Community Engagement and Digital Adaptation
The intersection of faith and technology is becoming more pronounced as churches increasingly rely on digital platforms for communication, outreach, and administration. From online sermons to social media engagement, technology offers churches new avenues for connecting with congregants. However, this digital transformation also raises challenges in terms of data protection.
To address concerns, some churches are proactively engaging their members in discussions about data protection. Hosting informational sessions can help educate congregants about the importance of data security and the steps being taken to protect their information. Transparency in data handling practices fosters trust and reassures congregants that their personal information is being managed responsibly.
Pastor Zuze and other church leaders emphasise the importance of finding collaborative solutions. “By working together, churches can create a network of support that enables them to navigate the complexities of data protection legislation more effectively,” he said.

A Path Forward for Churches
Despite the challenges, churches recognise that adapting to the Cyber and Data Protection Act is necessary. Compliance with the law will prevent legal repercussions and strengthen the trust between churches and their congregants. Churches must be proactive in adopting best practices for data management. This includes implementing secure systems for storing personal information, conducting regular audits, and educating congregants about data privacy.

Engaging with legal and ICT experts can also help churches develop comprehensive data protection strategies. “This collaborative approach can help organisations not only comply with the law but also enhance their overall data security posture,” said Chitiyo.
Looking ahead, religious institutions hope for a more flexible regulatory framework that acknowledges their financial and operational constraints. While some churches push for amendments to ease the financial burden, others invest in internal training programs to reduce costs.