
Tanzania PDPA: A Practical 90-Day Compliance Roadmap for SMEs

A phased, practical guide to achieving Tanzania Personal Data Protection Act compliance in 90 days — what the law requires, where most SMEs fall short, and how to close the gaps.

Tanzania’s Personal Data Protection Act (PDPA) came into force in 2022, establishing a legal framework for how organisations collect, store, use, and share personal data about Tanzanian residents. Four years on, most SMEs still fall short of its requirements — not out of negligence, but because the guidance on how to comply has not been widely accessible.

This post sets out a practical 90-day roadmap that any SME can follow. No legal jargon. No enterprise-level overhead. Just what you need to do, in what order.


What the PDPA Actually Requires

The Tanzania PDPA is modelled on international data protection frameworks — similar in spirit to the GDPR in Europe or South Africa’s POPIA. At its core, it requires organisations to:

  1. Know what personal data they hold — and be able to document it
  2. Have a lawful reason to process it — consent, contract, legitimate interest, or legal obligation
  3. Tell people how their data is used — through clear, accessible privacy notices
  4. Protect it appropriately — technical and organisational security measures
  5. Respect individuals’ rights — to access, correct, or delete their data
  6. Report breaches — notify the Personal Data Protection Commission (PDPC) and affected individuals when required

The PDPC is the enforcement authority. It can investigate, issue corrective orders, and — for serious or repeated violations — impose financial penalties.


Why Most SMEs Are Non-Compliant

The gap is rarely intentional. Three patterns come up repeatedly:

“We did not know this applied to us.” The PDPA applies to any organisation that processes personal data of Tanzanian residents, regardless of where the organisation is registered. If you have customers, employees, or suppliers in Tanzania — it applies.

“We do not really collect much personal data.” Every business collects personal data: names, phone numbers, email addresses, payment records, employee files. The question is not whether you collect it — it is whether you have documented what you hold and why.

“We do not have the resources for this.” The PDPA does not require an enterprise compliance programme. It requires proportionate measures — scaled to the size and nature of your organisation. An SME with 15 staff processing customer contact details faces very different requirements from a financial institution processing thousands of sensitive records.


The 90-Day Roadmap

Days 1–30: Know What You Have

The first month is about mapping your data landscape. You cannot protect what you have not found.

Week 1–2: Data inventory

Work through each function of your business — sales, operations, HR, finance, customer support — and ask: what personal data do we collect here, who collects it, where is it stored, and who has access?

Create a simple spreadsheet with columns: data category, where collected, where stored, who has access, shared with third parties (yes/no, who), retention period. This becomes your data inventory.

Week 3–4: Identify your legal bases

For each data processing activity, confirm what your legal basis is. Most customer data is processed under contract or legitimate interest. Employee data is typically processed under legal obligation (employment law) and contract. Marketing data often requires explicit consent.

If you cannot identify a lawful basis for processing a particular dataset, stop collecting it or get consent.

End of month deliverable: A draft data inventory and a list of processing activities with their legal bases.


Days 31–60: Get Your Documentation Right

The second month focuses on the documents the PDPA requires you to have.

Record of Processing Activities (ROPA)

The ROPA is a structured register of every data processing activity in your organisation. The PDPC can request it at any time. Build it from your data inventory: one row per processing activity, documenting the data involved, the purpose, the legal basis, the retention period, and any third parties involved.

Privacy Notices

You need a customer-facing privacy notice on your website that explains what data you collect, why, how you store it, and how individuals can exercise their rights. If you have employees, you need a separate HR/employee privacy notice.

Privacy notices should be written in plain language — if you would not understand it, your customers will not either.

Data Retention Schedule

How long do you actually keep data? Customer records after a purchase is complete? Employee records after someone leaves? Define specific retention periods for each data category, document them, and set up a process to actually delete data when the retention period expires.

End of month deliverable: ROPA, website privacy notice, employee privacy notice, and retention schedule.


Days 61–90: Controls, Training, and Breach Preparedness

The final month implements the operational controls.

Data security controls

Review the basic technical controls that protect personal data: access controls (who can see what), encryption of sensitive data at rest and in transit, MFA on systems that hold personal data, and regular backups with tested recovery. If you are on Microsoft 365, a Cloud Security Posture Assessment will surface the gaps quickly.

Staff training

Every staff member who handles personal data should understand what the PDPA is, what they are required to do, and how to recognise a potential data breach. A 30-minute training session with a simple reference card is the minimum.

Breach response runbook

The PDPA requires you to notify the PDPC of a personal data breach within 72 hours of becoming aware of it. You cannot do that if you do not have a documented procedure for detecting, containing, assessing, and reporting a breach. Build the runbook now, before you need it.

Data Subject Rights procedure

Define how you will handle a request from a Tanzanian resident to access, correct, or delete their personal data. Who receives the request? Who handles it? What is the turnaround time?

End of month deliverable: Basic technical controls reviewed, staff trained, breach runbook in place, data subject rights procedure documented.


Common Mistakes to Avoid

Confusing compliance with a certificate. There is no PDPA compliance certificate. Compliance is an ongoing state, not a one-time achievement. Documents need to be maintained, processes need to be followed, and training needs to be repeated.

Writing privacy notices for lawyers, not users. If your privacy notice is four pages of legal language that no customer will read, it does not serve its purpose. Plain language is both more effective and more compliant.

Collecting data “just in case.” The PDPA requires purpose limitation — you should only collect data you actually need for a defined purpose. Data you collect but do not use is liability without value.

Forgetting about third parties. Your suppliers who process personal data on your behalf — cloud storage providers, payroll services, marketing platforms — need to have appropriate data protection controls and, where required, data processing agreements.

Treating the ROPA as a one-time document. Your business changes. New processing activities get added, old ones end, vendors change. The ROPA needs to be a living document, reviewed at least annually.


When to Get Professional Help

For most SMEs, the 90-day roadmap above is achievable with internal effort and the guidance in this post. There are situations where professional support is warranted:

  • You process sensitive personal data at scale (health, financial, biometric data)
  • You are subject to a Bank of Tanzania (BoT) examination or regulatory inquiry
  • A data breach has already occurred
  • Your clients require you to demonstrate formal PDPA compliance
  • You are unsure whether your cross-border data transfers are lawful

If any of these apply to your situation, a structured compliance engagement will be faster, more thorough, and more defensible than a self-guided approach.

The 90-day roadmap gives you the foundation. Professional support closes the gaps and provides the documentation that regulators and clients expect.


Hawrat Cyber offers a Tanzania PDPA Compliance Pack that delivers the gap assessment, ROPA, privacy notices, DPIA template, and breach runbook as a fixed-scope engagement. If you would like to discuss your organisation’s specific situation, book a free discovery call.