Every January, Data Privacy Day invites organisations and individuals to reflect on how they handle personal information.
This year, two themes stand out, writes Mwandu Mwelwa, chief technology officer at inq Zambia.
For organisations, the call is to prioritise privacy by design by building privacy into systems from the outset rather than bolting it on later. For individuals, the message is to take control of your data, understanding where it flows, who accesses it, and how it is protected.
In Africa, privacy is not only a policy or awareness issue but an operational one. If privacy controls do not withstand real-world conditions, such as unstable power, fragile last-mile connectivity, shared devices, and decentralised branch environments, then privacy exists only on paper.
Privacy by design is cheaper than privacy retrofits
Privacy-by-design is a systems discipline. The principle is that security and privacy controls should be embedded in architecture, workflows, and default configurations, not added after deployment.
Regulators and privacy authorities have been pushing this direction for years because retrofitting privacy controls into live environments is costly, disruptive, and often incomplete. An accessible overview of the principle is outlined by the Office of the Privacy Commissioner of Canada here.
In practice, privacy-by-design means identity controls that enforce least-privilege access by default. It means encryption baked into data storage and transport, continuous monitoring, audit trails, and policy enforcement that do not depend on manual intervention.
And, most importantly, it means visibility to know where sensitive data lives, how it moves, and when something deviates from normal behaviour.
For many African organisations, the challenge is the realities of infrastructure. Many businesses have distributed branches, limited on-site IT staff, shared networks, and an increasing reliance on cloud platforms and remote access. Without built-in controls and managed visibility, privacy risks accumulate quickly.
Individuals must take control, but systems must support them
The second global theme (encouraging individuals to take control of their data) is equally important. Simple actions, such as using strong passwords, enabling multi-factor authentication, limiting oversharing, and recognising phishing attempts, significantly reduce risk.
But organisations cannot rely on awareness alone. People make mistakes, devices are lost, links fail, and credentials are reused. Privacy-by-design accepts this and assumes human error will occur. Systems are then built to contain damage, limit lateral movement, and provide clear evidence when incidents happen.
In African environments, this combination of human behaviour and infrastructure variability makes managed, always-on controls even more important. A branch that loses connectivity or power should not become a blind spot.
A temporary network workaround should not bypass the security policy. A remote user should not be granted broader access simply because identity controls are inconvenient to enforce.
Data centres matter, but the edge decides the outcome
Africa’s data centre ecosystem is expanding rapidly. New facilities, interconnection growth, and hyperscaler investment are strengthening local hosting, improving latency, and addressing data sovereignty requirements.
But even the most resilient data centre only delivers privacy and security outcomes if the path between the user and the facility is reliable, visible, and protected.
This is where many privacy strategies fail. The core may be secure, but the edge (branch offices, retail sites, depots, clinics, and field locations) remains exposed. Privacy-by-design must therefore extend to the edge. Otherwise, privacy becomes dependent on good fortune rather than engineered control.
Turning privacy intent into operational control
At inq., we see privacy, security, and connectivity as inseparable. Visibility, monitoring, managed enforcement, and clear reporting are the foundation. Without them, privacy risk cannot be measured, let alone reduced.
That is why our managed connectivity and security services focus on delivering operational outcomes: continuous link monitoring, built-in threat protection, vulnerability visibility, identity-aware access, and evidence-driven incident reporting. These capabilities allow organisations to prove control rather than merely claim it.
For African organisations, this approach matters. It recognises that infrastructure constraints exist. It acknowledges that in-house security teams are often stretched thin. And it replaces fragile manual processes with managed, automated controls that function even when conditions are less than ideal.
A practical next step
Data Privacy Day should not be treated as a one-off compliance reminder. It is an opportunity to ask, can we prove that our systems enforce privacy even when networks fail, devices move, and people make mistakes?
For organisations, this starts with reviewing where sensitive data resides, who has access, and what controls are enforced by default. For individuals, it begins with understanding digital habits and tightening basic hygiene.
And for technology leaders, it means ensuring privacy-by-design is not a document on a shelf, but a property of the architecture itself.
Privacy that works only in ideal conditions is not privacy. In Africa, systems must be designed to succeed in real situations. That is where trust is built and where it is most easily lost.