THE TANZANIA PDPA: A PRACTICAL COMPLIANCE GUIDE
Tanzania's Personal Data Protection Act, 2022 moved data protection from optional best practice to legal obligation. If your organization collects personal data on Tanzanian citizens, here is what compliance actually requires — and where to start.
# WHAT THE PDPA COVERS
The Personal Data Protection Act 2022, together with its supporting regulations, establishes the rules for how personal data is collected, processed, stored and shared in Tanzania. It created the Personal Data Protection Commission as the supervisory authority and introduced obligations that will be familiar to anyone who has worked with GDPR — adapted to the Tanzanian context.
Core principles the law expects you to uphold:
- Lawful basis — you must have a valid reason (often consent) to process personal data.
- Purpose limitation — data collected for one purpose should not be silently repurposed.
- Data minimization — collect only what you genuinely need.
- Security safeguards — appropriate technical and organizational measures to protect the data.
- Data subject rights — individuals can access, correct and, in defined cases, request deletion of their data.
The Act applies to any organization, Tanzanian or foreign, that collects or processes the personal data of individuals in Tanzania. Banks, telecoms, hospitals, schools, retailers and NGOs are all in scope. Registration with the Commission is a key early obligation.
# A PRACTICAL COMPLIANCE ROADMAP
1. Data mapping
You cannot protect what you cannot see. Begin by inventorying what personal data you hold, where it lives, who has access, and where it flows — including third parties and cross-border transfers.
2. Gap assessment
Measure your current practices against the Act's requirements. This produces a prioritized list of what needs to change, from consent mechanisms to retention schedules.
3. Governance & documentation
Appoint accountability for data protection, write the policies the law expects, and register with the Commission. Documentation is not bureaucracy here — it is your evidence of compliance.
4. Technical safeguards
Put in place encryption, access controls, logging and monitoring, and a tested incident-response plan. The PDPA expects breaches to be handled and, where required, reported promptly.
5. Training & sustainment
Compliance is continuous. Staff need awareness training, and your program needs periodic internal audits to stay aligned as your data processing evolves.
Much of what the PDPA requires overlaps with an ISO 27001 information security management system. Organizations pursuing both at once avoid duplicated effort — one control set, two compliance outcomes.