1. Executive Summary Data protection has gained global importance, for various reasons. Data has been viewed as the new oil, though it is not oil, as it is non-rivalrous, and replenished unlike oil. Data has been seen as driver of economic growth, with its economic value estimated in billions, causing countries to rush towards a digital economy. Data has again been viewed as part of a fundamental right to privacy, though it is not the same as the right to privacy and albeit deserving protection as violations of personal data results in economic, social, emotional and discriminatory harms. This report does not debate or distinguish the value or importance of data but focuses on the increased efforts to protect data privacy within the Southern African Development Community (SADC) region, as a political and economic bloc.1 This report contributes to the growing literature on data protection authorities (DPA) in Africa, focusing on countries in the Southern African Development Community (SADC). For purpose of this report only Eswatini, Zimbabwe, Botswana, Zambia, Lesotho, South Africa and Mauritius are referenced and reviewed. As technology evolves, new challenges emerge, that data protection authorities are not sufficiently designed to resolve or address, and therefore their independence becomes irrelevant or insufficient, as the pressing matters are not entirely about independence, but technical, political and administrative. There are several challenges for data protection, and data protection authorities; these are automated data processing; cross border data transfers; handling of sensitive data including health related data from COVID-19; surveillance and smart cities; and data breaches. The report highlights some of the pressing needs for DPAs including financial support, administrative issues, and enforcement of decisions. The enforcement of data protection laws is dependent on the existence of a functioning data protection authority whether as a single institution or several institutions that might have shared mandates. While the absence of independent data protection authorities capable of enforcing data protection is usually the main issue of concern, there are other emerging aspects weakening the capacities of data protection authorities to advance data privacy and data protection as a fundamental right. This report makes further assertions that while independence of the data protection authority is essential, it cannot be the only issue undermining the effective protection of data privacy in the SADC region. The report makes specific recommendations to data protection authorities; legislature and civil society. SADC has Member States, namely Angola, Botswana, Comoros, Democratic Republic of Congo, Eswatini, Lesotho, Madagascar, Malawi, Mauritius, Mozambique, Namibia, Seychelles, South Africa, Tanzania, Zambia, and Zimbabwe. PAGE