
TERMS OF REFERENCE FOR THE DEVELOPMENT OF A STRATEGY FOR THE DATA PROTECTION COMMISSION

  1. Preamble

The Zambia Data Protection Act No. 3 of 2021 establishes a comprehensive legal framework for the secure and responsible management of personal data. It outlines the rights of data subjects and the obligations of data processors and controllers, both public and private. The Data Protection Commissioner (DPC) is mandated to oversee, enforce, and regulate the implementation of the Act.

 

  2. Background

The Government of Zambia, through the Smart Zambia Institute (SZI), is implementing the Digital Zambia Acceleration Project (DZAP) with support from cooperating partners. This project aims to accelerate digital transformation by strengthening digital public infrastructure, including robust systems for data governance and protection.

As part of the DZAP, the Government aims to operationalize the Data Protection Commission and strengthen Zambia’s data governance infrastructure. A strategic plan will provide a clear roadmap to enable full enforcement of the Act and position Zambia as a regional leader in data protection.

  3. Purpose

The Data Protection Commission (DPC), which began operations in 2023, intends to develop a Strategic Plan for the period 2025–2027. The strategy will reinforce institutional capacity, regulatory enforcement, stakeholder engagement, and public trust. It will also align national priorities with emerging international best practices in data protection, privacy, and digital rights.

  4. Problem Statement

Despite the enactment of the Act, the Data Protection Commission has not been fully operationalised to regulate the collection, storage, usage, processing, security and sharing of personal data in line with its mandate. This gap has led to:

  1. Impaired Enforcement Mechanisms: Without a fully operationalised Commission, there is no effective enforcement of data protection laws, thereby impairing implementation.

  2. Low Public Awareness: Many Zambians are unaware of their data protection rights and the risks associated with sharing personal information online or otherwise.

  3. Limited Compliance by Organisations: The majority of businesses and government agencies, despite being the stakeholders that handle huge volumes of personal data, remain non-compliant.

  4. Erosion of Trust: The absence of a data protection framework undermines public trust in digital services, impacting the growth of the digital economy.

 

  5. Objectives

The assignment has several objectives, which should be SMART and proven to work in other jurisdictions, and include the following:

  • Setting Goals and Mandate Delivery – Establish measurable targets that align with the Commission’s mandate, mission and vision, and ensure that the Office of the Data Protection Commissioner fulfils its mandate/functions as derived from the Data Protection Act No. 3 of 2021.

  • Effective Resource Allocation – Ensure that financial resources, operational resources, and human capital development are balanced and used efficiently, while attaining stakeholder satisfaction and the Commission’s targets.

  • Organizational Alignment – Strengthen and recommend the appropriate organizational structure to meet the Commission’s overall objectives: register data controllers and processors, attain total enforcement, manage the licensed auditors and the audits, achieve full awareness of the Act, ensure teamwork by aligning all departments, manage the accredited partners and, above all, improve efficiencies and deliverables.

  • Monitoring and Evaluating Performance – Create mechanisms to monitor progress and evaluate outcomes and call for adjustments to strategies when needed.

  • Regional and International Alignment: Ensure implementation of the data protection framework is in line with regional and international best practices for the betterment of Zambia.

  • Methodical implementation: Ensure implementation is methodical and in line with the set goals during the period.

  • Institutional capacity: Strengthen institutional capacity and resource mobilization for effective operations to ensure the Commission attains self-sustenance financially.

  • Public awareness plan: Develop an awareness plan suited to the Zambian operating environment that will enhance public awareness of data protection rights and obligations.

 

 

  6. Scope of Work

 

The Consultant will be responsible for undertaking a comprehensive set of activities aimed at developing a robust, actionable, and inclusive Strategic Plan for the Data Protection Commission. These include:

  • Situational and Comparative Analysis:

    • Review the current state of data protection legislation, policies, and institutional arrangements in Zambia.

    • Benchmark against best practices from regional and global jurisdictions (e.g., GDPR, AU frameworks).

    • Identify legal, institutional, technical, and operational gaps.

  • Stakeholder Engagement and Consultation:

    • Map and engage key stakeholders across government, private sector, academia, civil society, and vulnerable populations.

    • Conduct focus group discussions, interviews, and validation workshops to incorporate stakeholder views.

    • Assess stakeholder roles, interests, power dynamics, and capacity.

 

 

  • Sector-Specific Risk Assessment:

    • Identify key sectors handling personal data (e.g., health, finance, telecoms, education).

    • Analyze specific data protection risks and propose tailored mitigation strategies.

  • Integration of Emerging Issues:

    • Analyze the implications of emerging technologies (e.g., AI, IoT, blockchain) on data protection.

    • Recommend policy guidance for ethical and privacy-aware adoption of digital innovations.

  • Strategic Communications and Awareness Planning:

    • Develop a public engagement and communications strategy tailored to Zambia’s socio-cultural context.

    • Include multilingual materials, grassroots campaigns, and use of digital platforms.

  • Legal and Policy Recommendations:

    • Identify gaps in current legislative and regulatory instruments.

    • Propose amendments or new policy measures to enhance legal coherence and enforcement capacity.

  • Institutional Development and Capacity Building:

    • Recommend an optimized organizational structure for the Commission.

    • Identify digital tools and infrastructure requirements (e.g., case management, audit systems).

    • Propose staffing plans, training needs, and resourcing models.

  • Monitoring, Evaluation, and Learning (MEL) Framework:

    • Design a comprehensive MEL framework aligned with strategic objectives.

    • Propose baseline indicators, targets, reporting mechanisms, and tools.

  • Roadmap and Implementation Plan:

    • Develop a phased implementation roadmap with timelines, cost estimates, and sequencing.

    • Include short-, medium-, and long-term priorities and quick wins.

  • Validation and Finalization:

    • Organize and facilitate a national validation workshop.

    • Revise the draft strategy based on feedback and submit final versions including all deliverables to the Office of the Data Protection Commissioner.

 

  7. Deliverables

  1. Inception Report

  • Detailed methodology and phased work plan.

  • Stakeholder engagement and consultation strategy.

  • Preliminary institutional and legal gap analysis.

  • Risk assessment and mitigation measures.

  2. Situational Assessment and Benchmarking Report

  • Analysis of Zambia’s data protection ecosystem, including legal, institutional, and technical dimensions.

  • Comparative review of regional and international data protection frameworks.

  • SWOT analysis and identification of gaps.

  • Proposal for a revised or optimized organizational structure.

  3. Draft Strategic Plan

  • Vision, mission, core values, and strategic pillars.

  • SMART objectives, key results areas, and performance indicators.

  • Institutional capacity development and resource mobilization framework.

  • Recommendations on legal and policy reforms.

  • Preliminary communications and public awareness strategy.

  • Draft roadmap with prioritized activities, timelines, and estimated costs.

  4. Validation Workshop Materials

  • Presentation materials for stakeholder validation.

  • Summary report of feedback received during the validation session.

  • Revised draft reflecting inputs from the workshop.

  5. Final Strategic Plan and Implementation Framework

  • Final version of the Strategic Plan with all annexes.

  • Detailed implementation roadmap (short, medium, long term).

  • M&E framework including tools, reporting templates, and baseline indicators.

  • Strategic communications and awareness plan.

  • Risk matrix and mitigation strategies.

  • Executive summary and policy brief for senior decision-makers.

  6. Submission of Copies

  • One electronic version (Word and PDF).

  • At least 200 professionally bound hard copies submitted to the Data Protection Commission.

 

  8. Duration

The assignment is expected to be completed within four (4) months from the date of contract signing.

 

  9. Required Firm Profile and Consultant Qualifications

The assignment is intended for a qualified consulting firm with a proven track record in data protection strategy development and institutional strengthening. The firm must demonstrate the following requirements:

  • Accredited by at least one African data protection supervisory authority, or having completed a similar assignment, or both.

  • At least 5 years of experience supporting national data protection commissions or similar institutions.

  • Demonstrated delivery of at least two strategic plans or regulatory frameworks in data governance, privacy, or cybersecurity.

  • Familiarity with international standards such as GDPR, AU Data Policy Framework, and regional data protection guidelines.

  • Previous experience in conducting stakeholder consultations, public awareness campaigns, and legal/policy reviews.

Technical Team Composition and Qualifications:

  1. Team Leader / Lead Consultant

  • Master’s degree in Law, Public Policy, Data Protection, ICT, or related field.

  • Minimum 10 years of experience in strategic planning, data privacy, or regulatory development.

  • Experience leading national or institutional strategy development.

  • Strong understanding of regional data protection frameworks and international best practices.

  2. Legal and Regulatory Expert

  • Degree in Law with specialization or professional experience in ICT or privacy law.

  • At least 7 years of experience in legal drafting, regulatory compliance, or legislative reform.

  • Familiarity with regional legal environments; experience working in Zambia will be considered an added advantage. GDPR knowledge is an advantage.

  3. Institutional Development / Governance Specialist

  • Master’s degree in Public Administration, Organizational Development, or related discipline.

  • Experience designing institutional structures, capacity building plans, and change management strategies.

  4. ICT/Data Protection Specialist

  • Degree in Computer Science, Information Security, or Data Protection.

  • Experience in data governance, digital systems for data management, and cybersecurity.

  • Familiarity with technical aspects of data registries, case management systems, and audit tools.

  5. Monitoring & Evaluation (M&E) Specialist

  • Degree in Economics, Development Studies, or related field.

  • At least 5 years’ experience designing M&E frameworks and performance tracking tools.

  • Experience working with SMART indicators and results-based planning.

  6. Communications and Awareness Expert

  • Degree in Communications, Media Studies, or related field.

  • Demonstrated experience in designing and implementing public awareness campaigns, preferably on digital rights or regulatory topics.

  7. Gender and Inclusion Advisor (Optional but preferred)

  • Expertise in gender mainstreaming and social inclusion in institutional programs.

  • Experience conducting stakeholder consultations and ensuring inclusive participation.

 

  10. Evaluation Criteria

| Items | Point |
|---|---|
| 1. Technical Criteria | |
| Firm Profile and Experience | |
| Accreditation by African supervisory authority and/or demonstrated delivery of similar assignments | 10 |
| Experience of Key Personnel | |
| Team Leader | 10 |
| Other key experts with relevant qualifications and 6+ years of experience | 10 |
| Quality of Proposed Methodology and Work Plan | |
| Clarity, feasibility, and contextual alignment of the approach | 10 |
| Relevant References and Past Performance | |
| At least two successfully completed similar assignments with evidence of impact | 10 |
| 2. Financial Proposal | |
| Cost competitiveness and justification aligned with proposed activities | |

To qualify for financial evaluation, the proposal must score at least 80% of the technical score.

  11. Submission Requirements for Technical and Financial Proposals

Administrative documents (Company registration certificates, Tax clearance certificates and Social Security clearance).

 

Technical Requirements

  • Signed submission letter

  • Corporate profile and methodology

  • Team structure and CVs

  • References and recommendation letters

 

Financial Requirements

  • Summary and activity-based pricing

  • Miscellaneous expenses

 

  12. Reporting and Coordination

The firm will report to the National Coordinator at the Smart Zambia Institute and coordinate closely with the Data Protection Commission.
