Tanzania PDPA Compliance Pack
Get ahead of the Personal Data Protection Act – before regulators come to you.
The problem
Tanzania's Personal Data Protection Act (2022) is now in effect. Most SMEs do not know what personal data they hold, who they have shared it with, or what they are required to do if there is a breach. The Personal Data Protection Commission (PDPC) is actively engaging with organisations, and non-compliance carries real legal and reputational risk. Waiting until a regulator contacts you is not a strategy – it is a liability.
Our methodology
- Gap assessment against Tanzania PDPA requirements and PDPC guidance
- Optional mapping to ISO 27701 for businesses with international data flows
- Data inventory workshop (facilitated remotely) to identify all personal data your business holds
- Record of Processing Activities (ROPA) development
- Privacy notice drafting for website, customers, and employees
- Data Protection Impact Assessment (DPIA) template creation
- Breach response runbook development aligned to PDPA notification requirements
What you will receive
- Gap assessment report against Tanzania PDPA
- Data inventory register (Excel/spreadsheet format)
- Record of Processing Activities (ROPA)
- Privacy notice – website version
- Privacy notice – employee/HR version
- Data Protection Impact Assessment (DPIA) template
- Breach response runbook
Estimated timeline
3–4 weeks from engagement start
Overview
The Personal Data Protection Act 2022 introduced legal obligations for every Tanzanian business that handles personal information. Understanding what those obligations are – and demonstrating compliance – requires structured documentation, clear processes, and tested procedures.
The PDPA Compliance Pack delivers everything you need to operate compliantly: assessed, documented, and ready for regulatory review.
Why This Matters Now
The PDPC has begun engaging with organisations across Tanzania. Early movers who have their documentation in order – ROPA, privacy notices, breach procedures – are well positioned when regulatory contact comes. Those who wait until they receive a notice from the PDPC face compressed timelines, elevated scrutiny, and potential enforcement action.
The cost of getting this right now is a fraction of the cost of getting it wrong later.
What We Deliver
Gap Assessment
We assess your current data practices against every material requirement of the PDPA. You receive a gap report showing where you are compliant, where gaps exist, and what priority to close them in.
Data Inventory
Through a facilitated workshop, we map every category of personal data your business processes – customer records, employee data, payment information, supplier contacts. This becomes the foundation of your ROPA.
ROPA (Record of Processing Activities)
A structured, maintained register documenting every processing activity: the data involved, the legal basis, retention periods, and third parties with whom data is shared. The PDPC can request this at any time.
Privacy Notices
Clear, plain-language privacy notices for your website (customer-facing) and your HR processes (employee-facing). Written to satisfy PDPA disclosure requirements without legal jargon that confuses the reader.
DPIA Template
A reusable Data Protection Impact Assessment template for use whenever your business introduces a new data processing activity, technology system, or significant change to how personal data is handled.
Breach Response Runbook
Step-by-step procedures for detecting, containing, and notifying a personal data breach – including the PDPC notification timeline requirements under the PDPA.
Frequently asked questions
What is the Tanzania PDPA and does it apply to my business?
The Personal Data Protection Act 2022 applies to any person or organisation that processes the personal data of Tanzanian residents – including employees, customers, and suppliers. If your business collects names, contact details, financial information, health data, or any other information that identifies a person, the PDPA applies. This includes businesses registered outside Tanzania that serve Tanzanian customers.
What if we are already non-compliant? Will you report us?
No. Our role is to help you achieve compliance, not to report you to regulators. Everything you share with us during the engagement is treated as confidential and governed by a mutual NDA. We are here to solve the problem, not create new ones.
Do you handle ongoing compliance after the initial engagement?
The PDPA Compliance Pack gives you the foundation – the documents, processes, and knowledge to operate compliantly. For ongoing oversight – annual DPIA reviews, policy updates, training, and regulatory monitoring – we offer this as part of our vCISO retainer or as a standalone annual review. We can discuss the right arrangement for your business.
What is a ROPA and why do we need one?
A Record of Processing Activities (ROPA) is a documented inventory of every way your organisation handles personal data – what you collect, why, how it is stored, who it is shared with, and how long you keep it. The PDPA requires organisations to maintain this record. It also functions as the foundation for all other compliance work – you cannot protect data you have not mapped.
How long does the data inventory workshop take?
The facilitated workshop typically takes 2–3 hours and is conducted remotely via video call. We guide you through each business function – HR, sales, operations, finance – to surface where personal data exists. You do not need any technical knowledge to participate.
Ready to get started?
All engagements begin with a free 30-minute discovery call. No commitment, no jargon – just an honest conversation about your situation.