NDPR and Data Security

Hello team at TBCA
Jul 6, 2020

18 February 2020 · 6 min read

Written by Demilade Onajobi

More than ever, data has become the engine that drives businesses. The amount of data corporations have to collect, store and process is growing faster than ever, and the risks associated with that much data exposure are becoming more overwhelming for both users and companies by the day. Organizations are trying to keep up and protect not only customers’ personal information but also the most sensitive data.

There is now an increasing need to protect user data. First, the EU came up with the General Data Protection Regulation (GDPR) for all individual citizens of the European Union and the European Economic Area. This regulation was released in 2016 but became effective from 2018. This major transnational regulation will go on to impact the way data is treated, as well as other follow-on regulations.

Following the GDPR, the National Information Technology Development Agency (NITDA) of Nigeria issued the Nigeria Data Protection Regulation (NDPR) in January 2019. The NDPR introduces some major compliance obligations for Nigerian companies. This will create the need for audits, publication of data protection policies, and sensitizing employees, amongst others.

This Nigeria Data Protection Regulation (NDPR) adequately deals with the cardinal issues of consent of Data Subject; lawful processing; prohibition of atrocious motives; clarity of privacy policy; third party data processing; penalty for default; definition of Personally Identifiable Data and Data Privacy Breach remediation mechanism among many others.

We have seen that data breaches happen for various reasons, but they mostly result from human error and are rarely intentional. The causes range from third-party exposures (both phishing and contractual) to ill-informed and unaware employees who use weak passwords, mistakenly delete data, fall for phishing scams or browse websites outside acceptable use. Consequently, a breach could bring about sanctions and, in some cases, fines.

To minimize liability under the NDPR, organizations, most especially in Nigeria, need to make changes to be in compliance with the NDPR.

High-level highlights of the NDPR policy include:

a) Lawfulness and Legitimacy: Article 2.1(1a) provides that Personal Data shall be collected and processed in accordance with specific, legitimate and lawful purposes consented to by the Data Subject.

b) Specific Purpose: In addition to Article 2.1(1a) cited above, Article 3.1(7c) mandates the Data Controller to expressly inform the Data Subject of the purpose(s) of the processing for which the Personal Data is intended as well as the legal basis for the processing. This has hitherto been observed in the breach. This, we believe, would change as the government is poised to stem the tide of brazen breach of people’s right to privacy.

c) Data Minimization: Data Controllers are expected to collect the minimum required data and avoid unnecessary surplus usage. Data that is not useful for the Controller ought not to be collected. No data shall be obtained unless the specific purpose of collection is made known to the Data Subject. This principle relates also to the purpose of collection. By insisting that the purpose of collecting or further processing of a data set must be communicated to the Data Subject, the regulation has closed the door to a multitude of potential abuses.

d) Accuracy: The NDPR provides that collected and processed Personal Data shall be adequate, accurate and without prejudice to the dignity of a human person (Art. 2.1(b)). The NDPR prohibits the abuse or inaccurate representation of personally identifiable data, even if such data were given with due consent. Data Controllers and processors are required to ensure regular update of personal data in their custody to achieve this.

e) Storage and Security: Data Controllers are required to store data only for the period they are reasonably required to do so. The Regulation does not explicitly provide for a time period because that detail, we believe, should be left to contract agreement. However, where such is not specified, the dispute redress mechanisms can specify what would constitute a sufficient storage period. The Regulation also places the onus of security on the Data Controller and Processor. Art. 2.1(d) provides that personal data shall be secured against all foreseeable hazards and breaches such as theft, cyber attack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.

f) Confidentiality, Integrity, and Availability: Article 3 generally enumerates the rights of the data subject. One of the underpinning principles of the NDPR is that data controllers must comply with basic minimum standards of information security management. The Regulation specifies the role of the Controller and the Data subject in such a case.

g) Compliance and Enforcement: One of the novelties of the NDPR is its compliance structure. The Regulation creates a new class of professionals: Data Protection Compliance Organisations (DPCO). A DPCO is an entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection Law or Regulation having effect in Nigeria (see Article 1.3 (xiii)). These professional firms would provide requisite training, services, and other support to Data Controllers to aid their compliance with the NDPR. I hope to come back to the immense potentials of this arrangement shortly.

h) The NDPR recognizes the need for cross-border transfer of data in an era of globalized and high-speed business transactions. Article 2.11 of the Regulation, which relates to Transfer to a Foreign Country, addresses this concern. To comply with the provision and other aspects of the Regulation, the Data Controller would provide the following:

i. The list of countries where personally identifiable information of Nigerian citizens is transferred in the regular course of business.

ii. The Data Protection laws and contact of the National Data Protection Office/Administration of such countries listed in i) above.

iii. The privacy policy of the Data Controller, compliant with the provisions of the NDPR.

iv. Overview of encryption method and data security standard.

v. Any other detail that assures the privacy of personal data is adequately protected in the target country.

i) Enforcement

On enforcement, the NDPR classified Controllers into large and small categories. Those who process data of more than 10,000 data subjects are liable to forfeit 2% of their Annual Gross Revenue (AGR) or the sum of N10,000,000 (Ten Million Naira), whichever of the two is greater, while those handling less than 10,000 would lose up to 1% of their AGR or pay 2 Million naira as the fine for any Data Breach.

As businesses and non-governmental organizations, you would need to file a Data Audit Report on or before 15th March of every year to ensure compliance. Each of these reports must bear a Verification Statement, signature and seal of a Licensed DPCO.

Defaulting on regulations and incidents of data breach will usually cost financial and trust damages, as opposed to the cost of preventing the data breach. There is a lucrative black market for data, and hackers often sell information in bulk to professional scammers, who will use the information in an attempt to scam people out of more information and financial gain. So it is always a discussion about money.

Proposed solution/changes

There are tons of solutions, one of which is data insurance, which uniquely allows you, the business owner, to insure your digital assets at a pre-approved indemnity value against any incidents, including a breach, that can result in losing valuable data.

Breaches can, however, be prevented and guarded against by implementing the requirements of the NDPR, which include the consistent auditing of the company’s data.

One of the requirements of the NDPR is the collection of minimal customer data, which eliminates collecting useless data. A way to reduce data risk is to first reduce exposure. Once the minimum data required to do your business efficiently has been covered, it is needless to collect additional data.

Sharing company data with third-party companies should not be about trust alone. There should be a mutual contractual agreement on the way data is transferred and processed, which should be in the interest of the customers and should have their consent too.


The lack of regulation will lead companies to take data security less seriously than they should. Implementing a regulation like the NDPR will save companies sanctions-related issues, guarantee data security and give customers the needed trust in your business.

Demilade Onajobi is a Business Analyst and Business Developer with multiple consulting stints at boutique consulting firms as an Independent Associate. He has worked as a team member and lead for advisory and execution projects, including growth plan, product development, strategy document, etc.