Understanding Nigerian Data Protection Compliance Requirements

Author: Margaret Ogbonnah


Data protection is the process of safeguarding important information from corruption, compromise or loss. Data protection is necessary for every individual, business firm, or organization because it improves the trust between businesses and their customers. It also prevents the company from incurring expensive costs in the form of fines, litigation expenses, public embarrassment, and a bad reputation. Data protection entails understanding not only a company’s policies, contracts, and legal engagements but also its information technology, security, audit, and operational systems.

The Nigeria Data Protection Regulation (NDPR), although a subsidiary legislation, is currently Nigeria’s most comprehensive law on data protection. It contains various provisions regulating the collection and processing of data in Nigeria. The sole purpose of the NDPR is to regulate those who have access to and control people’s data. It is important to state that the introduction of the NDPR by the National Information Technology Development Agency (NITDA) was a much-needed remedy for data protection in Nigeria.

Nevertheless, having laws is one thing; ensuring compliance is another. The essence of this article is to explain the responsibilities of data controllers and processors, to enable them to lawfully obtain and process data and to aid compliance with the NDPR and NITDA directives.

Conceptual Clarifications of Personal Data & Sensitive Personal Data

Personal Data
Personal data is defined to mean data relating to a living individual ‘data subject’ who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.

Sensitive Personal Data
Sensitive personal data, on the other hand, relates to information concerning a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

Data Controllers
The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed.

Data Processor
A data processor is anyone who processes personal data on behalf of the data controller. This could include anything as seemingly trivial as, for example, storage of the data on a third party’s servers, or appointing a data analytics provider.

Compliance under the Nigeria Data Protection Regulations
Data protection is the process of protecting sensitive information from damage, loss, or corruption. The NDPR imposes several responsibilities on data controllers and processors to enable them to lawfully obtain and process data. To comply successfully with the provisions of the NDPR, a data controller or processor must take the following into account:

a) Consent¹
A data subject’s consent is arguably the most integral requirement to obtain and process data. To lawfully do this, data controllers and processors must first seek the consent of the data subject without undue influence, fraud, and/or coercion. Usually, consent is obtained through clear, unambiguous data privacy policies to which the data subject has consented. Consent should be clearly given, as implied consent is no consent. Furthermore, this data is obtained subject to certain rights granted to the data subject.

b) Data Protection Audit²
The NDPR mandates all organizations that process the personal data of more than 1000 data subjects in a period of 6 months and 2000 data subjects in a period of 12 months to submit a Data Protection Audit report to NITDA not later than 15th March every year³. This involves the organization’s audit of its data privacy and protection practices. Audits are meant to show that the data controller or processor complies with the law. The audit should state:

➢ The data the organization collects on its employees and members of the public
➢ The purpose for which such data is collected
➢ Notice given to individuals regarding the collection and use of their personal information
➢ The access given to individuals to review, amend, correct, supplement, or delete such data
➢ Whether or not the consent of these individuals was obtained before collecting, using, transferring, or disclosing these data; and the methods employed to obtain consent.
➢ The policies and practices of the organization for the proper use and security of these data.
➢ Organization policies and procedures for privacy and data protection.
➢ The policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies.
➢ Data Controllers should also audit third party processor contracts which require the transfer of personal data to such third parties.

Flowing from the above, it is obvious that compliance is not a one-off obligation but a continuing activity for data controllers and processors in Nigeria. Failure to file these returns to NITDA is deemed a breach of the NDPR. A complete data protection audit aligns all of the company’s processes so that all data coming through its systems is handled without compromising data integrity or infringing on the privacy of data owners.

Please note that every Data Audit Report (DAR) must be accompanied by a Verification Statement by the Data Protection Compliance Organizations.

c) Data Protection Compliance Organizations (DPCOs)⁴
DPCOs are a new crop of data protection professionals established by the NDPR. They are integral to ensuring compliance with the NDPR amongst organizations. They are licensed professionals responsible for providing auditing and compliance services for data controllers. Apart from law firms, Professional Service Consultancy Firms, IT Service Providers, and Audit Firms may apply to NITDA to be licensed as DPCOs once they can show that they have Data Protection Certification or experience in Data Science, Data Protection and privacy, Information Privacy, Information Audit, Data Management, Information Security, Data protection legal services, Information Technology Due Diligence, EU GDPR implementation and compliance, Cyber Security/Cyber Security law, Data Analytics, and Data Governance.

DPCOs also provide data protection and privacy training and advisory services, draft regulation contracts, carry out Data Protection Impact Assessments, etc. The list of licensed DPCOs can be accessed on the NITDA website.

d) Data Protection Officers (DPOs) ⁵
The regulation also mandates every data controller to employ a Data Protection Officer within its organization or to outsource this role to a verifiably competent firm or person. DPOs ensure adherence to the NDPR, relevant data privacy instruments and data protection directives of the data controller.

e) Privacy Policies (Notices)
Every data controller or processor must ensure that it has clear and unambiguous privacy policies that are accessible and comprehensible to the data subject. These policies are to be carefully drafted to meet the requirements of the NDPR. DPCOs may be employed to draft a standard privacy policy which is to be published to the public.

f) Database Security and Cyber-Defense
It is not enough for data controllers and processors to lawfully obtain data; they must also ensure that they develop standard security systems to protect the data in their possession. They should employ cyber-security experts to protect their database from hackers, firewall breaches, etc. They should also put structures in place to prevent their employees from mishandling client data.

g) Conduct Internal Data Protection Training
To ensure data protection compliance amongst their members of staff, organizations should ensure their members of staff are professionally trained in the field of data privacy and protection. They may organize data protection trainings for them, inviting DPCOs in the process. This way, their employees, especially those specifically responsible for processing data, e.g. the H.R. personnel, would be enlightened on how to prevent data breaches.

h) Inventory of Processing Activities
This is aimed at achieving accountability and compliance. It is recommended that data controllers and processors keep an inventory of all personal data and state the processing it goes through, or they may keep an inventory of processing activities and the data involved in the processing.

The importance of an organization’s compliance with the NDPR and other data protection laws transcends the statutory requirements for compliance. The value and reputation of the organization are equally at stake in the event of a data breach. Therefore, it is pertinent that organizations take data protection compliance seriously.

1. Understanding Nigerian Data Protection Compliance Requirements And Managing Breach – Data Protection – Nigeria (mondaq.com)
2. Understanding Nigerian Data Protection Compliance Requirements and Managing Breach – Francis Ololuo – S.P.A. Ajibade & Co (spaajibade.com)
3. Article 2.2 and 2.3 NDPR 2019.
4. Article 4.1(4) NDPR.
5. Article 2.6 NDPR 2019.
6. Article 2.10 NDPR 2019.
7. Article 4.2 NDPR 2019.




1 Article 2.2 and 2.3 NDPR 2019.
2 Article 4.4 NDPR 2019.
3 Article 4.7 NDPR 2019.


DISCLAIMER: This article is for information purposes; it may or may not reflect the current position of the law and is therefore not intended to provide legal advice or guidance on litigation or provide commentary on any pending case or legislation.