We need to talk about Zambia’s ODPC registration deadline.
Zambia has officially entered the era of active data protection enforcement. With the Office of the Data Protection Commissioner (ODPC) now fully operational, the once-theoretical requirements of Zambia’s Data Protection Act, 2021 are now enforceable mandates.
And here’s the headline: if your organisation processes the personal data of anyone in Zambia—regardless of where you’re based—you must register with the ODPC by 30 April 2025. Non-compliance isn’t a minor administrative hiccup; it carries fines of up to ZMW 200,000 (USD ~7,000) and/or five years’ imprisonment.
Let’s unpack what this means—and why it matters far beyond Zambia.
Zambia’s digital leap: The ODPC goes live
The Act was enacted in 2021 but remained dormant until June 2023, when Zambia appointed its first Data Protection Commissioner. Fast-forward to today, and the ODPC has launched its registration portal and issued guidance, marking a decisive shift from legislative intent to regulatory action.
This brings Zambia in line with continental commitments like the African Union’s Malabo Convention and mirrors global frameworks like the GDPR, with familiar concepts such as:
- Consent as a basis for processing
- Data subject rights
- Breach notification requirements
- Data localisation mandates
Zambia is not dabbling—it’s building a modern, sovereignty-focused data economy with teeth.
Who needs to register?
Anyone processing personal data about individuals in Zambia must register as either a data controller or data processor.
This includes:
- Zambian companies handling personal data
- Multinational platforms tracking users from Zambia
- Cloud providers processing Zambian personal data
- Individuals and micro-businesses handling sensitive data like health or financial records
The law doesn’t care if you’re big, small, profitable, or a public interest project. If you process, you register.
Not just about location: Data localisation is serious
One of the most striking features of the DPA is its firm localisation requirement:
- All sensitive personal data must be stored and processed inside Zambia.
- Even general personal data must be localised unless you meet strict conditions for cross-border transfers (e.g. consent plus Commissioner-approved contracts or adequacy).
For cloud-first companies used to hosting data in Dublin or Johannesburg, this introduces real architecture and compliance questions—and possibly, new business relationships with local data centres.
What’s the registration process?
Registration is online via https://www.dataprotection.gov.zm/registration/, but don’t expect a click-and-go experience. Here’s what to prepare for:
- Apply via Form I (online or downloadable)
- Be ready to provide further information (Form II)
- Get your certificate (Form III) if approved within 14 days
- Display the certificate publicly at your principal place of business
- Update the ODPC within 7 days if your details change
One compliance quirk to note: The validity period of registration certificates is inconsistent. The regulations say 1 year; the ODPC’s own FAQ says 2 years. Until clarified, build in a compliance check 9 months after issuance.
Registration categories and fees
Your fee depends on your size:
| Category | Type | Application (ZMW) | Certificate of Registration (ZMW) |
| Individual | Data Controller | 66.8 | 666.8 |
| Micro Organisation | 66.8 | 666.8 | |
| Medium Organisation | 133.2 | 1,333.6 | |
| Large Organisation | 400 | 4,000 | |
| Data processor | Data Processor | 400 | 4,000 |
Last updated: 12 April 2025.
What happens if you don’t register?
You risk:
- A ZMW 200,000 fine
- Up to 5 years’ imprisonment
- Enforcement audits
- Suspension or cancellation of your ability to process data
- Additional fines potentially tied to turnover
This is no paper tiger. Registration is the gateway into an environment where active compliance is expected and enforced.
Beyond registration: real compliance begins
This isn’t a once-off. Once you’re registered, your obligations include:
- Implementing lawful bases for all data processing
- Respecting data subject rights (access, deletion, objection)
- Conducting Data Protection Impact Assessments (DPIAs)
- Appointing a Data Protection Officer (DPO) if required
- Notifying the ODPC of any data breach within 24 hours
- Maintaining a Record of Processing Activities (RoPA)
You’ll need policy frameworks, technical controls, contracts with third parties, staff training, and governance processes to demonstrate compliance.
How ITLawCo can help
If your organisation touches Zambian personal data—or might in the future—don’t leave this to chance. ITLawCo offers:
- Registration support and compliance gap analysis
- Cross-border data transfer guidance
- DPO outsourcing and training
- Custom compliance programmes tailored to African markets
- Ongoing advisory as the ODPC rolls out sector-specific codes and enforcement practices
Zambia’s data protection regime may be new, but the obligations are real—and so are the risks. Contact us today.
Final thought: don’t wait for the deadline
The 30 April 2025 deadline will come quickly—and regulators will have no sympathy for “we didn’t know”. Register early. Clarify ambiguities. Build compliance into your operations.
Zambia’s ODPC is open for business. Is your organisation ready?
