The problem
Compliance requirements exist (PDPA, ISO 27001, BoT guidelines), but most SMEs have no clear picture of where they stand. You might have fragments of compliance (some data inventory, some policies) but no integrated programme. Worse, when an audit happens, you discover critical gaps. We help you understand what you need to do to comply, then build a realistic path to get there.
Our methodology
- Current state assessment: document what you have (policies, data inventory, access controls, incident procedures)
- Gap analysis against the Tanzania PDPA, ISO 27001, and relevant BoT guidelines
- Compliance maturity scoring: where you are vs. where you need to be
- Risk-based prioritisation: identify what must be fixed immediately vs. what can be addressed over time
- Remediation roadmap: a clear sequence of actions, owners, timelines, and success criteria
- Deliverables review: we provide templates for policies, data registers, and assessment tools
What you will receive
- Compliance gap analysis report (current state vs. requirements)
- Maturity assessment scorecards (PDPA, ISO 27001, BoT)
- Prioritised remediation roadmap (quick wins, medium-term, long-term)
- Policy templates (data handling, access control, incident response, etc.)
- Data processing register template (ROPA for PDPA)
- Risk register template aligned to compliance requirements
Estimated timeline
3-4 weeks
Your Compliance Roadmap
Compliance is not a one-time project; it is an ongoing programme. We help you understand what you need, prioritise what matters most, and build a sustainable approach.
After this engagement, you will have a clear roadmap. You will know exactly what to fix and in what order. You will be able to explain your compliance state to auditors, customers, and regulators with confidence.
Frequently asked questions
What is Tanzania PDPA and why does it matter?
Tanzania's Personal Data Protection Act (2022) requires organisations to protect personal data, disclose how it is used, honour data subject rights, and report breaches within 72 hours. It applies to any organisation processing the personal data of Tanzanian residents. Non-compliance can result in fines and reputational damage.
Do we need ISO 27001 certification?
Certification is optional unless your contracts require it (e.g., government contracts, large B2B clients). But the ISO 27001 framework is excellent for structuring your information security programme. We help you assess against ISO 27001 and prioritise what matters most for your business.
What are BoT guidelines?
Bank of Tanzania cybersecurity guidelines apply to licensed fintech and mobile money operators. If you operate in fintech/mobile money, BoT compliance is mandatory. If not, they still provide a useful benchmark for secure operations.
How long does compliance take?
It depends on your current state. If you have existing policies and a data inventory, expect 3-4 weeks to a roadmap. If you are starting from scratch, plan for 6-8 weeks of work (across your team and ours) to reach an 'audit-ready' state. Our roadmap helps you spread this work across months if needed.
What if we cannot fix everything immediately?
That is normal. We prioritise: we identify what must be fixed immediately (critical data risks, regulatory deadlines) vs. what can be addressed over 6-12 months. We help you explain your remediation plan to auditors, who generally accept a realistic plan even if some gaps remain.
Ready to get started?
All engagements begin with a free 30-minute discovery call. No commitment, no jargon, just an honest conversation about your situation.