If you’re a marketer, we expect that you’ve heard of the GDPR? And if you’re part of the few who have been following the European online marketing industry, you would have definitely heard of GDPR.  Briefly stated, the GDPR is an EU statute that will regulate the way marketers obtain, store, and manage the personal data of “data subjects” within the EU.

EU legislation isn’t applicable to Zimbabwean businesses.

Or is it?

Surely EU legislation should have no bearing on Zimbabwean online marketing activities?

The reality is that as of the 25th of May 2018, the GDPR applies to your online marketing activities. Your business being in Zimbabwe doesn’t exempt you from the GDPR if you control or process the data of “data subjects” within the EU.

Data subjects, who are they?

The GDPR defines a data subject as anyone within the EU at the time their personal data is processed.

The majority of local online marketers will find the GDPR inapplicable, those who market to data subjects in the EU need to be GDPR compliant.

Companies using Digital marketing to entice data subjects in the EU fall under the GDPR.

Your target audience!

Common examples:

  • Local banks offering Mortgages to Diasporans in the EU.
  • Local retailers offering Diasporans grocery packages for delivery in  Zimbabwe.
  • Local businesses offering their services to clients in the EU.

So GDPR applies to us. What are the consequences?

Article 58 of the GDPR determines how administrative fines shall be imposed. Where there is non–compliance with technical measures, the fine imposed may be up to an amount greater than 10 million or 2% of global annual turnover (revenue).

In terms of non–compliance with key provisions of the GDPR, regulators may levy a fine in an amount that is up to the greater of 20 million or 4% of global annual turnover in the previous year.

Key areas of your Digital Strategy that may need to evolve.

In terms of data collection the two areas your business should pay attention to are transparency and data minimization.

Transparency requires businesses which attract visitors to their websites intending to collect their personal data to make it explicitly clear what purpose their data shall be used for.

Additionally the individual must give their full consent to your proposed use of their data, whilst having the ability to withdraw consent at any stage.

Data minimization requires that a businesses only collect the data necessary for an intended purpose.

Data Storage has four aspects for consideration:

Purpose and Usage Limitation

The purpose and usage limitation is self explanatory and means organisations can only use the data of EU data subjects for specified, explicit and legitimate purposes.


Once data has been collected, your organisation needs to ensure that it stored in a secure manner and in accordance with the Security provisions of the GDPR.


Data Subjects in the EU citizens are entitled to ask your organisation at any time to correct or update their data if the information is no longer accurate.


Accountability places the responsibility on your business to ensure compliance with GDPR obligations.

At some stage the reason you collect data is concluded and the relationship with the data subject comes to an end. The end of the relationship involves issues of Retention and Deletion.

Retention requires that businesses hold onto personal data for as long as is necessary to fulfill the intended purpose of its collection.

Deletion, simply means that when an individual requests that their data should be deleted, the data should be deleted and confirmation of delete sent to confirm this.

So where do you stand?

Currently there aren’t many local players marketing to data subjects in the EU. For those who are, it’s best to make sure your organisation is GDPR compliant to prevent the hefty non-compliance fines.

Global consensus is that GDPR is a progressive step for ethical marketing and will curb common unethical practices such as email list buying and spamming. Perhaps in due course we shall see similar progress on the continent. Till then stay safe and be GDPR compliant.