Advisory practice
A Data Protection Officer, on subscription.
Most Zimbabwean controllers do not need a full-time DPO. They need a named, qualified DPO embedded into the business on a quarterly cadence, paired with a system that holds the evidence. We provide both.
Practice lead · Tendai Moyo · Head of Compliance Practice
Stewardship, not consultancy. Renewal is earned the year before.
A consultant audits and leaves. The custodian stays embedded, runs the programme on a regular cadence, and signs off on the compliance posture in their own name. We earn renewal by being the reason last year’s audit was quiet.
- 01 A named Data Protection Officer, accountable to your board
- 02 Forms DP1, DP2, and DP3 prepared, filed, and tracked through POTRAZ
- 03 A signed quarterly compliance statement
- 04 Programme reviews against CDPA, SI 155, RBZ, and IPEC
- 05 DPIA support on high-risk processing
- 06 Vendor and DPA review on a renewal calendar
- 07 Awareness training for staff and tailored briefings for executives
- 08 Incident and breach response inside the 72-hour window
Year one, written down.
Month 0
Onboarding and licence
POTRAZ tier assessment, Form DP1 prepared and filed, Form DP2 designation lodged, and the controller licence issued before the §4(5) clock runs out.
Months 1–3
Foundation programme
RoPA built from the operating reality, not from a template. Vendor register populated. Privacy notice generated and reviewed. First DPIA on the highest-risk processing.
Quarterly
Standing review and sign-off
A scheduled review with a named DPO. Findings written up against controls, owners, and dates. A signed compliance statement the customer can put in front of a regulator or board.
On call
Incident and breach response
When the 72-hour clock starts, a DPO is on the line. Form DP3 prepared, regulator notified, customer notification copy drafted, and the timeline recorded as the audit trail.
How an engagement starts.
A 90-minute working session against your control catalogue and your last audit. We bring Custodian GRC live, mapped to your frameworks. You bring the open items. We leave with a starting plan, named owners, and the next thirty days written down.
Pricing is engagement-led. Standing retainers start at USD 1,500 per month for Tier 2 controllers and scale with the size of the programme. The Custodian GRC platform is included.