
East African Fintech (identity withheld)

BoT-Licensed Fintech Achieves PDPA Compliance in Six Weeks

Duration: 6 weeks
Services: Tanzania PDPA Compliance Pack; Cloud Security Posture Assessment

Challenge

No data inventory, no privacy notices, and 60 days until a regulatory audit.

Outcome

Full PDPA documentation suite delivered in six weeks. Microsoft 365 misconfigurations remediated. Client passed regulatory review.

The Situation

A Bank of Tanzania-licensed payment aggregator came to us with a straightforward problem and a tight timeline: a regulatory review was scheduled in approximately 60 days, their legal team had flagged significant gaps against the Tanzania PDPA, and they had no existing compliance documentation to build from.

The business had grown quickly. A team of 28 people, a licensed product with real transaction volume, a client base that included merchants and financial institutions — and no data inventory, no privacy notice, and no documented breach response procedure. Their Microsoft 365 environment, deployed two years earlier, had never been reviewed against security baselines.

They needed a structured programme of work, quickly, that would produce defensible documentation for the regulatory review.


What We Found

We began with a scoping session to understand the data landscape before doing any formal assessment. Several things became clear quickly:

The business was processing substantial volumes of personal data — merchant owner details, transaction records, mobile money account references, customer contact information — across multiple systems. None of this was documented in a structured inventory.

Their Microsoft 365 environment had legacy authentication protocols enabled, no Conditional Access policies, and external sharing unrestricted in SharePoint. Three accounts held Global Administrator privileges, including one that was a daily-use email account. SPF and DKIM records existed but DMARC was not configured.

Their contracts with sub-processors — the cloud services and third-party tools they used — did not include any data protection clauses.


What We Delivered

Weeks 1–2: Data inventory and gap assessment

We ran a facilitated data inventory workshop, mapping every personal data category the business handled: merchant onboarding data, transaction records, employee files, customer service records. This produced a draft ROPA covering 14 distinct processing activities.

The gap assessment against the Tanzania PDPA was completed in parallel. The findings were clear: core documentation was entirely absent (ROPA, privacy notices, breach procedures), technical controls were only partially in place, and staff had no awareness of their PDPA obligations.

Weeks 3–4: Documentation

We produced the full PDPA documentation suite:

  • Record of Processing Activities (ROPA) — 14 processing activities documented
  • Privacy notice for their merchant-facing website
  • Privacy notice for employees
  • Data Protection Impact Assessment template
  • Breach response runbook with PDPC notification timeline built in
  • Data retention schedule across all data categories
  • Data subject rights procedure

Weeks 4–5: Cloud Security Posture Assessment

In parallel with the final documentation review, we ran the Microsoft 365 assessment. Prowler surfaced 31 findings across critical, high, and medium severity. We produced a prioritised remediation roadmap and worked with their in-house IT staff to remediate the critical and high findings: Conditional Access policies, blocking of legacy authentication, DMARC enforcement, and SharePoint external sharing restrictions.
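The misconfigurations listed under "What We Found" and the remediation items above map onto a small set of checks that can be run against a tenant configuration export. The script below is an added example, not the consultancy's tooling and not Prowler output: it evaluates a constructed tenant snapshot (the dictionary schema is an assumption, loosely modelled on what a Microsoft Graph or CSPM export contains, with example.test as a placeholder domain) against those five gaps and orders the results into a critical/high/medium roadmap. A second snapshot reflects the remediated state so the checks can be seen to go quiet once the fixes are in place.

```python
"""Baseline check of a Microsoft 365 tenant snapshot against the gaps named above.

Added example with an assumed snapshot schema; all data below is constructed.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    severity: str      # critical | high | medium
    control: str
    detail: str
    remediation: str


# Constructed snapshot mirroring the pre-engagement state described in the case study.
TENANT_BEFORE = {
    "legacy_auth_blocked": False,
    "conditional_access_policies": [],
    "global_admins": ["breakglass@example.test", "ops@example.test", "j.doe@example.test"],
    "daily_use_global_admins": ["j.doe@example.test"],  # GA role held by an everyday mailbox
    "sharepoint_external_sharing": "anyone",            # anyone | new_and_existing_guests | existing_guests | disabled
    "dns_txt": {
        "example.test": ["v=spf1 include:spf.protection.outlook.com -all"],
        "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY"],
        "_dmarc.example.test": [],                      # no DMARC record published
    },
}

# Same tenant after the remediation steps listed for Weeks 4–5.
TENANT_AFTER = {
    **TENANT_BEFORE,
    "legacy_auth_blocked": True,
    "conditional_access_policies": ["Require MFA for all users", "Block legacy authentication"],
    "global_admins": ["breakglass@example.test", "breakglass2@example.test"],
    "daily_use_global_admins": [],
    "sharepoint_external_sharing": "existing_guests",
    "dns_txt": {**TENANT_BEFORE["dns_txt"],
                "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"]},
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _txt(snapshot: dict, name: str) -> list:
    return snapshot["dns_txt"].get(name, [])


def check_identity(snapshot: dict) -> list:
    """Legacy auth, Conditional Access and Global Administrator hygiene."""
    findings = []
    if not snapshot["legacy_auth_blocked"]:
        findings.append(Finding("critical", "Legacy authentication",
                                "Legacy auth protocols accepted; they cannot enforce MFA.",
                                "Block legacy authentication via Conditional Access."))
    if not snapshot["conditional_access_policies"]:
        findings.append(Finding("critical", "Conditional Access",
                                "No Conditional Access policies defined.",
                                "Deploy baseline policies: require MFA for all users."))
    for account in snapshot["daily_use_global_admins"]:
        findings.append(Finding("high", "Global Administrator",
                                f"{account} holds Global Admin on a daily-use account.",
                                "Move GA to a dedicated admin account used only for admin tasks."))
    if len(snapshot["global_admins"]) > 4:  # assumed threshold: keep GAs to a handful
        findings.append(Finding("medium", "Global Administrator",
                                f"{len(snapshot['global_admins'])} Global Admins.",
                                "Reduce to a small set of dedicated break-glass accounts."))
    return findings


def check_sharing(snapshot: dict) -> list:
    if snapshot["sharepoint_external_sharing"] == "anyone":
        return [Finding("high", "SharePoint external sharing",
                        "Anonymous 'Anyone' links allowed tenant-wide.",
                        "Restrict to existing guests (or disable) and review existing links.")]
    return []


def check_email_auth(snapshot: dict, domain: str, dkim_selectors=("selector1", "selector2")) -> list:
    """SPF, DKIM and DMARC as published in DNS for the sending domain."""
    findings = []
    if not any(r.startswith("v=spf1") for r in _txt(snapshot, domain)):
        findings.append(Finding("high", "SPF", "No SPF record.", "Publish v=spf1 ending in -all."))
    if not any(_txt(snapshot, f"{s}._domainkey.{domain}") for s in dkim_selectors):
        findings.append(Finding("high", "DKIM", "No DKIM selector published.", "Enable DKIM signing."))
    dmarc = [r for r in _txt(snapshot, f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(Finding("high", "DMARC",
                                "No _dmarc record: receivers never act on SPF/DKIM failures.",
                                "Publish v=DMARC1; p=quarantine with rua= reporting, then move to p=reject."))
    elif parse_dmarc(dmarc[0]).get("p", "none") == "none":
        findings.append(Finding("medium", "DMARC", "Policy is p=none (monitor only).",
                                "Raise to p=quarantine, then p=reject once reports are clean."))
    return findings


def assess(snapshot: dict, domain: str) -> list:
    """All checks, ordered critical -> high -> medium like a remediation roadmap."""
    findings = check_identity(snapshot) + check_sharing(snapshot) + check_email_auth(snapshot, domain)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in assess(TENANT_BEFORE, "example.test"):
        print(f"[{f.severity.upper():8}] {f.control}: {f.detail} -> {f.remediation}")
```

Run against the "before" snapshot it reports the two critical identity gaps first, then the daily-use Global Admin, the open SharePoint sharing and the missing DMARC record; against the "after" snapshot it reports nothing. The DMARC check deliberately distinguishes "no record" from "p=none", because a monitor-only policy is a common intermediate state that still provides no enforcement.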

Week 6: Remediation and review

Final documentation review, remediation confirmation, and preparation of the evidence package for the regulatory review.


The Outcome

The client presented to the BoT examination with a complete PDPA documentation suite, a remediated Microsoft 365 environment, and evidence of the remediation work completed. The regulatory review was completed without significant findings against their data protection controls.

The compliance documentation was subsequently used as the basis for their ongoing compliance programme — policies are now reviewed quarterly, and the breach runbook has been incorporated into their incident response procedures.


What This Engagement Illustrates

The most important insight from this engagement was not the regulatory outcome — it was the timeline. Six weeks is tight for building a compliance programme from scratch. It is achievable, but it requires focus, access to the right stakeholders, and an organisation that is genuinely committed to the work.

The alternative — beginning this work proactively, before the regulatory timeline is imposed — would have allowed a less compressed engagement, more thorough training, and more time for staff to internalise the procedures rather than simply have them documented.

If your organisation faces a similar regulatory situation, the free discovery call is the right first step. We can assess the timeline, scope what is achievable, and give you an honest view of what the engagement looks like.

Facing a similar challenge?

Book a free 30-minute discovery call. We'll give you an honest assessment of your situation and what a structured engagement would look like.