BY MBONEKO MUNYAGA
When a receptionist in Arusha shared her manager’s phone number to secure a client, she thought she was being helpful. Today, under Tanzania’s new data protection law, that simple act could potentially land her employer in trouble.
Across the country, everyday habits like forwarding contacts, posting photos or casually handling client information are coming under fresh scrutiny as the Personal Data Protection Act takes full effect nationwide.
The law introduces strict rules on how personal information must be collected, used and shared — with penalties ranging from Sh 5,000 to as high as Sh 5,000,000 for serious breaches involving sensitive data.
From banks and telecom companies to hospitals, schools, government agencies, security and small businesses, any entity that handles personal data is now required to comply from May 1, 2026. These organisations are formally recognised as data controllers and processors and must ensure that information is handled lawfully, securely and only for specific purposes.
They are also required to register with the Personal Data Protection Commission (PDPC), declaring what data they collect and how it is protected.
Mr Innocent Mungy, Head of Public Relations at the Commission, during a recent stakeholders meeting in Arusha, said the law was intended to bring accountability across all sectors.
“This law is about protecting the rights and dignity of individuals in an increasingly digital environment. Any institution that collects personal data must now take full responsibility for how that information is handled,” he said.
While the law applies nationwide, its impact is already being felt in daily life.
In offices, sharing a colleague’s number without permission — once routine — is now being reconsidered.
On social media, posting photos taken in private settings is no longer a casual decision.
“Before, we would take pictures of customers and post them immediately,” said a manager at a restaurant in Arusha. “Now we pause. We ask. And sometimes people refuse — which we must respect.”
Even security cameras are not exempt. Experts caution that CCTV systems should not capture areas beyond their intended premises as this could raise privacy concerns.
Failure to comply carries significant consequences, including fines, compensation claims from affected individuals and in serious cases, criminal liability for responsible officers.
The law also strengthens individual rights, giving people the power to know how their data is used, to access it and to request corrections or deletion where necessary.
However, experts warn that compliance may be challenging, particularly for small and medium-sized enterprises that lack formal data protection systems.
“Many small businesses are not yet fully aware of what is required,” said an ICT consultant in Arusha. “But the reality is, ignorance will not be a defence.”
Regionally, Tanzania joins countries such as Kenya and Ghana in enforcing similar laws, reflecting a broader shift towards stronger data protection across Africa.
As enforcement begins nationwide, institutions are being urged to review their internal policies, train staff and invest in secure systems, while the public is being reminded to think twice before sharing personal information.
