Data is an important asset in any organization, and data protection compliance should therefore be a top priority for every business. The rising rate of cybercrime across the African continent, including Nigeria, and the growing demand for cyber security have made data protection compliance especially important for businesses and corporate organizations, since most, if not all, businesses are now digitally driven and rely on the world wide web as a business development and product marketing tool.
The introduction of the Nigeria Data Protection Regulation (NDPR) in 2019 created legal obligations for data processors and data controllers, and raised awareness of data protection and privacy issues across various sectors of the Nigerian economy. The NDPR was enacted to regulate those who have access to and control of personal data.
What is data protection compliance?
Data protection compliance is the legal obligation on data controllers and processors to protect individuals (data subjects) with regard to the processing of their personal data and its free movement. It entails establishing policies that set out how data protection is achieved in an organization, in line with existing laws and regulations. To be compliant, an organization (the data controller or processor) that collects and processes the personal data of a data subject must exercise the highest level of care in collecting, storing and managing such data.
A data subject is any individual or natural person whose personal data is collected for any reason whatsoever. A data subject is one who can be identified, directly or indirectly, by reference to a name, identification number, location data or online identifier, or through any other means that relates to that person.
Personal data here refers to any information relating to an identified or identifiable natural person (the data subject), such as email address, bank details, phone number, etc.
A data controller is one who, alone or jointly with other persons, determines either the reason why a data subject's personal data is processed or how such data is to be processed.
A data processor is a natural person or entity that processes personal data on behalf of a data controller, alone or with the help of others.
A good example of a data controller and a data processor is a digital savings platform that requires personal information from its users, such as email address, phone number, National Identification Number (NIN), Bank Verification Number (BVN), etc., in order to verify those users and create accounts for them. In order to send SMS notifications about product updates, the platform subscribes to a bulk SMS service such as MTN and supplies its customers' phone numbers to that service so that it can send the notifications. The data controller in this case is the digital savings platform, because it is in direct contact with the customers and determines what the data it collects will be used for, while the data processor is the bulk SMS service (MTN in this case), which processes the information provided on behalf of the digital savings platform.
Another example is a gym that uses an automated system to sign in its members. It obtains information such as the names, addresses, email addresses and phone numbers of everyone who signs into the gym. The gym wishes to host a physical promotional event and, to this end, provides a printing company with the names and addresses of all its customers from its database. The printing company uses this information to print the event invitations. The data controller in this case is the gym, while the data processor is the printing company.
WHAT LAWS GOVERN DATA PROTECTION IN NIGERIA?
The National Information Technology Development Agency (NITDA) is the primary body responsible for the administration and monitoring of the use of electronic data and other forms of electronic communication transactions.
The following are the laws that govern data protection in Nigeria:
- The Nigeria Data Protection Regulation (2019), currently the extant law on data protection and privacy issues in Nigeria.
- The Implementation Framework for the Nigeria Data Protection Regulation (2020), which is read side by side with the Regulation.
- The Guidelines for Management of Personal Data by Public Institutions (2020).
- Section 37 of the Constitution of the Federal Republic of Nigeria, which reinforces the NDPR.
- The Credit Reporting Act (2017), which provides a framework for credit reporting by credit bureaus.
- Sections 14 and 16 of the Freedom of Information Act (2011).
- Section 26 of the National Identity Management Commission (NIMC) Act (2007).
- Sections 9 and 10 of the Nigerian Communications Commission Regulation (2011).
- The General Data Protection Regulation (GDPR), inarguably a global piece of legislation on data protection. It requires all companies to protect the personal data of European Union citizens. The regulation applies in every member state of the European Union and extends to all companies that market goods or services to European Union residents, regardless of where they are located.
- The Cybercrimes (Prohibition, Prevention, etc.) Act, which provides a legal and regulatory framework for prohibiting, preventing, detecting, prosecuting and punishing cybercrimes in Nigeria. The Act requires financial institutions to retain and protect data, and criminalizes the interception of electronic communications.
The General Data Protection Regulation was enacted by the European Parliament and the Council of the European Union and came into effect on 25th May 2018, while the NDPR was released on 25th January 2019; the two have similar provisions. The GDPR is by implication applicable to Nigeria, because it extends to companies in all countries, whether or not they are EU member states, that market goods or services to EU citizens. This means that businesses all over the world are affected by the GDPR, not just those in the EU.
WHO DOES THE NIGERIA DATA PROTECTION REGULATION (NDPR) APPLY TO?
The NDPR applies to natural persons residing in Nigeria or to Nigerian citizens residing outside Nigeria’s territory.
The law regulates both public and private sector business entities. The NDPR mandates that every organization that processes the personal data of more than 1000 data subjects in a period of 6 months, or 2000 data subjects in a period of 12 months, must submit itself to a data protection assessment that evaluates the impact of technology on the privacy and security of stored data. An audited report is thereafter to be submitted to NITDA not later than 15th March every year.
WHY IS DATA PROTECTION COMPLIANCE IMPORTANT?
- Following proper data protection procedures is important for preventing cybercrime. Sensitive personal information such as identification numbers, banking/credit details, email addresses, etc. must be protected to prevent fraud.
- To prevent data from being misused by third parties for phishing and/or identity theft.
- Data protection is important for preserving an organization's reputation. Mismanagement of people's data can damage a reputation built over many years.
- To meet compliance requirements. The data protection laws attach legal consequences to a breach, so compliance with the Regulation saves an organization from incurring expensive costs in the form of fines or litigation expenses. For instance, in the event of a breach, the NDPR provides that any person subject to the Regulation who is found to be in breach of the data privacy rights of any data subject shall be liable, in addition to any other criminal liability, to the following:
- In the case of a data controller dealing with more than 10,000 data subjects, payment of a fine of 2% of the annual gross revenue of the preceding year or payment of the sum of N10,000,000 (ten million naira), whichever is greater.
- In the case of a data controller dealing with fewer than 10,000 data subjects, payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of N2,000,000 (two million naira), whichever is greater.
- Data protection compliance also helps to maintain public, investor and customer trust. As noted earlier, organizations that do not implement data and privacy protections, and eventually experience breaches, lose trust, which may in turn result in lower profits and fewer customers.
KEY PROVISIONS UNDER THE REGULATION
The Nigeria Data Protection Regulation clearly stipulates the responsibilities of data controllers and processors with respect to how they may lawfully obtain and process data. For a data controller or processor to comply with the provisions of the NDPR, it must take the following into consideration:
1. Consent
Articles 2.2(a) and 2.3 of the Regulation require an organization to ensure that consent is obtained before the personal data of any data subject is stored or processed. The consent must not be obtained by coercion or fraud, and the data subject must not be left in doubt as to why the information is being requested and for what purpose it will be used.
2. Appointment of Data Protection Officers (DPOs)
By Article 4.1(2), the Regulation also mandates every data controller to employ a Data Protection Officer within its organization or to outsource this role to a verifiably competent firm or person. DPOs ensure adherence to the Regulation, to relevant data privacy instruments and to the data protection directives of the data controller. The draft framework goes on to stipulate the situations in which a DPO is required.
3. Data Protection Audit
Articles 4.1(6) and (7) of the NDPR mandate every organization that processes the personal data of more than 1000 data subjects in a period of 6 months, or 2000 data subjects in a period of 12 months, to submit a Data Protection Audit report to NITDA not later than 15th March every year. This involves the organization auditing its own data privacy and protection practices. Audits are meant to show that the data controller or processor complies with the law. The audit should state:
- The data the organization collects on its employees and members of the public;
- The purpose for which such data is collected;
- The notice given to individuals regarding the collection and use of their personal information;
- The access given to individuals to review, amend, correct, supplement or delete such data;
- Whether or not the consent of these individuals was obtained before collecting, using, transferring or disclosing the data, and the methods employed to obtain consent;
- The policies and practices of the organization for the proper use and security of the data;
- The organization's policies and procedures for privacy and data protection;
- The policies and procedures of the organization for the proper use of the personal data collected;
- The policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies; and
- The policies and procedures of the organization for assessing the impact of technology on the stated privacy and security policies.
Data controllers should also audit third-party processor contracts that require the transfer of personal data to such third parties.
4. Data Protection Compliance Officers (DPCOs)
Article 4.1(4) of the NDPR provides for Data Protection Compliance Officers, who are responsible for ensuring that organizations comply with the provisions of the NDPR. The Regulation states that an organization seeking to comply with the regulatory requirements must engage the services of a DPCO. Under the NDPR, DPCOs are licensed professionals who have been certified by NITDA to provide auditing and compliance services for data controllers. DPCOs carry out data protection audits and privacy trainings, and provide legal and technical advisory services.
5. Privacy Policies (Notices)
Every data controller or processor must ensure that it has clear and unambiguous privacy policies that are accessible to and comprehensible by the data subject. These policies are to be carefully drafted to meet the requirements of Article 2.5 of the NDPR.
6. Data Security
It is not enough for data controllers and processors to lawfully obtain data; they must also develop standard security systems to protect the data in their possession. They can do this by employing cyber-security experts to protect their databases from hackers, firewall breaches, etc. They should also put structures in place to prevent their employees from mishandling client data (see Article 2.6).
7. Conduct Internal Data Protection Training
The NDPR also encourages organizations to take responsibility for training their staff in data privacy and protection so as to keep them compliant with the Regulation. They may organize data protection trainings for staff with the assistance of DPCOs. This way, their employees, especially those specifically responsible for processing data, are informed about how to prevent data breaches.
An organization is said to be data protection compliant when the way it manages, stores and transmits data is in line with the laid-down laws and regulations. However, data protection compliance involves not only the regulatory aspect, such as the creation of policies, contracts and regulatory compliance, but also the technical aspects, such as the security, information technology and audit processes within the organization.
When organizations take adequate steps to be data compliant, they not only protect sensitive information better, but also create a perception of credibility and build trust among clients and investors. Imagine the action your clients are likely to take should they find out that sensitive information left in your organization's care has fallen into the wrong hands. I'm sure you do not wish that to happen.
Should you need guidance on setting up a data protection compliant system for your startup or organization, you can reach out to us HERE and our experts will be delighted to assist you.