AI Governance · Legal Technology · Zimbabwe
The Cyber and Data Protection Act 2021 has governed how organisations process personal data for over four years. It applies to every organisation in Zimbabwe that collects, stores, uses, or shares personal information, including through artificial intelligence tools. Most organisations have never formally assessed their obligations under the Act. Curia Advisory exists to change that.
Find out where you standOrganisations across Zimbabwe are using AI tools daily without governance frameworks or a documented legal basis. The Cyber and Data Protection Act 2021 already applies to this processing. The obligations exist now, and the National AI Strategy 2026-2030 is accelerating regulatory expectations. The time to act is before enforcement makes it urgent.
"Curia Advisory started from a simple observation. Many organisations are already covered by the Cyber and Data Protection Act, but do not always recognise it in practice. The gap between regulation and awareness is exactly what this firm is focused on closing."
Zimbabwe National AI Strategy 2026-2030
The governance bodies are being operationalised now. Phase 1 requires organisations to begin aligning with the Strategy's governance framework by December 2026.
Deadline: 31 December 2026, Harare time · Zimbabwe National AI Strategy 2026-2030, Cabinet approved 14 October 2025, launched 13 March 2026
The Strategy commits to specific governance bodies and legislative milestones during Phase 1. There is no government dashboard tracking that progress publicly. Curia maintains this one independently, and updates it as the position changes.
The Cyber and Data Protection Act 2021 (Chapter 12:07) establishes eight data protection principles that every data controller in Zimbabwe must comply with. Answer the questions on the right to assess your organisation's current position.
This assessment covers the core compliance obligations. It is not a substitute for a formal CDPA audit, but it will indicate where your organisation stands and what to prioritise.
"Does your organisation have a documented policy identifying all personal data it collects, and why?"
"Has your organisation identified a documented lawful basis for each category of personal data it processes?"
"Does your organisation collect only the minimum personal data necessary for its stated purpose?"
"Does your organisation have a process to ensure personal data it holds is kept accurate and up to date?"
"Does your organisation have a documented data retention schedule, specifying how long personal data is kept before deletion?"
"Are there documented technical and organisational security measures protecting the personal data your organisation holds, including data processed through AI tools?"
"If POTRAZ contacted your organisation today about its data processing practices, could you demonstrate compliance with the CDPA with documented evidence?"
"When personal data from your organisation is processed by a third-party AI tool or vendor, is there a written Data Processing Agreement in place?"
Curia Advisory offers eight specialist services across AI governance, data protection, legal technology, and regulatory advisory. All services are grounded in Zimbabwe's regulatory framework and tailored to your sector and organisation size.
"Does your organisation know which AI tools it uses and what legal obligations each one creates?"
"When did you last formally assess your data practices against all 8 principles of the CDPA?"
"What would a formal assessment reveal about the legal risks in your current AI operations?"
"Are you making decisions based on what the regulatory landscape actually says, or what you assume it says?"
"Do your AI vendor contracts protect your data rights and limit your CDPA exposure before you sign?"
"Does your team understand the regulatory environment they are already operating in?"
We build a complete, practical governance framework for how your organisation uses artificial intelligence. This is not a theoretical document. It is a working framework that maps every AI tool you use to your legal obligations under the CDPA, identifies where gaps exist, establishes a lawful basis for processing, and produces the policies and oversight structures your organisation needs to operate compliantly.
A formal, written assessment of your organisation's data practices against all eight principles of the Cyber and Data Protection Act 2021 (Chapter 12:07). We assess what you are currently doing, identify where your practices fall short, quantify the risk level of each gap, and provide a prioritised action plan. Every organisation processing personal data in Zimbabwe is legally required to comply with these principles. Most have never formally checked whether they do.
A focused assessment of the specific legal and governance risks created by your organisation's use of artificial intelligence. Unlike a general CDPA audit, an AI risk assessment examines the specific ways AI tools create data protection exposure: biometric KYC in financial services, AI-assisted legal research in law firms, and beneficiary data processing in NGOs. We produce a written risk report and a sector-specific AI Use Policy.
Accurate, well-researched written analysis of specific regulatory and governance questions. A policy brief is a 2,000 to 4,000 word document written for decision-makers, examining a regulatory question and making specific recommendations. A research memo is a shorter, more targeted answer to a precise legal or regulatory question. Both are verified against primary sources. No AI-generated citations, no generic summaries.
Before signing a contract with an AI tool provider, platform, or data processing vendor, Curia Advisory reviews the agreement for data protection risks and CDPA compliance gaps. Most vendor contracts for AI tools are drafted for the vendor's benefit. We identify the gaps, recommend amendments, and flag clauses that create compliance exposure before you are contractually bound.
Half-day and full-day training sessions on CDPA compliance, AI governance, and legal technology for teams across all sectors. Delivered in Harare, tailored to your organisation's sector, and including materials your team can use after the session. Regulatory Horizon Scanning is a monthly retainer service: we monitor developments in AI regulation and data protection across Zimbabwe and the region and deliver a concise briefing to your team on the last working day of each month.
Every engagement follows five steps. Built for Zimbabwean conditions, aligned with ISO/IEC 42001 principles, written for the people who will actually use the deliverables.
We map every AI tool and data flow already operating in your organisation. Most clients find exposures they did not know they were carrying.
Each activity is mapped against the eight CDPA principles, the National AI Strategy obligations, and any sector regulation that applies.
Every gap is rated High, Medium, or Low. You receive a written risk matrix with prioritised actions, owners, and timelines.
We draft the policies, registers, and oversight structures your organisation needs. Working documents, not theoretical templates.
Optional retainer. We track regulatory developments and refresh your framework quarterly. You stay current without building the capability in house.
Where law meets intelligence.
The exposure of a bank is not the exposure of an NGO. Each engagement is scoped to the regulatory obligations, AI deployment patterns, and risks specific to your sector.
Automated credit decisions, biometric KYC, fraud detection, AI driven underwriting. The sector with the most regulators looking at it simultaneously.
Confidentiality, AI assisted research, hallucinated citations, professional indemnity exposure. The Pulserate ruling changed what is expected of firms overnight.
Beneficiary data, donor reporting, cross border transfers, and GDPR roll down from European funders. Often already exposed without knowing it.
Operational AI, HR decision tools, customer profiling, vendor SaaS systems, board level accountability. Most do not yet realise how much AI they are already running.
Citizen data, administrative AI, public procurement of AI tools, and alignment with the National AI Strategy. The largest data controllers in the country.
Products built on AI, automated onboarding, algorithmic pricing, third party model dependencies. Compliance built in from day one is cheaper than retrofitting it after launch.
Curia Advisory publishes original analysis on AI governance, data protection law, and legal technology with a specific focus on Zimbabwe and the Southern African region. All published work is verified against primary sources.
A detailed legal analysis of the proposed constitutional amendments, examining their implications for legislative oversight, constitutional balance, and the rights framework under Zimbabwe's 2013 Constitution.
The Bill raises questions about oversight mechanisms that Zimbabwe's legal community needs to engage with carefully and early, before the amendments are in place.Read on LinkedIn
An in-depth analysis of Zimbabwe's National AI Strategy, its six pillars, three implementation phases, and the governance architecture (the NAIC, AISIO, and NDRC) being operationalised to oversee AI development across the country.
The governance bodies exist on paper. The question is whether they are operationalised before the window for proactive compliance closes on organisations across Zimbabwe.Read on LinkedIn
No. Curia is a specialist advisory firm. We build governance frameworks, audits, policies, and training. We do not give legal opinions in the regulated sense. For matters that require an admitted legal practitioner, we work alongside trusted Zimbabwean firms and can refer.
Most Zimbabwean organisations are already using AI without recognising it. Automated credit scoring, CV filtering, fraud detection, and customer chatbots all fall within the CDPA. The Act applies whether you call the tool AI or not.
Engagement fees are scoped to organisation size, sector, and complexity. Audits and risk assessments are delivered on a fixed fee basis. The 30 minute Discovery Call is free, and at the end of it you will have an honest answer on whether you need our services.
Yes. Every engagement is governed by a written confidentiality undertaking signed before work begins. Nothing about your organisation or its compliance position is shared with any third party without your written authorisation.
The CDPA obligations already exist. Acting proactively costs significantly less than responding after a regulator, a journalist, or a litigant is already involved. Regional enforcement patterns show the shift from voluntary to active can happen within a single year, often without warning.
No. We advise international organisations operating in Zimbabwe, multinational subsidiaries with Zimbabwean entities, and African organisations with Zimbabwean exposure. Our specialism is Zimbabwean law and the regional landscape around it.
A free monthly briefing on AI governance and regulatory developments across Zimbabwe and the region. Verified against primary sources. Delivered on the last working day of every month.
New subscribers receive the CDPA Quick Reference Card on signup. One page. Every obligation that already applies to your organisation.
Curia Advisory (Private) Limited is Zimbabwe's dedicated AI Governance and Legal Technology advisory firm, registered under the Companies and Other Business Entities Act [Chapter 24:31]. We provide specialist advisory services to law firms, financial institutions, NGOs, corporates, and government bodies: compliance frameworks, risk assessments, regulatory research, and training. Everything we deliver is grounded in Zimbabwe's actual legal framework and practical enough to implement.
Specialist focus. Zimbabwean jurisdictional depth. A direct line to the founder on every engagement. The combination a Big Four bench-in cannot offer.
Ruwa Lauryn, Founder
Every engagement begins with a confidential 30 minute Discovery Call. We listen to where you are, where your sector is going, and where the gaps are likely to be. By the end of the call you will have an honest answer on whether you need our services or not.
We offer a no-obligation 30-minute discovery call to all new enquiries. Tell us about your organisation, your sector, and what you need. We will tell you honestly whether and how we can help.
ruwa@curiaadvisory.co.zw contact@curiaadvisory.co.zw +263 781 042 668 WhatsApp Harare, Zimbabwe