WHAT YOU NEED TO KNOW ABOUT THE NIGERIAN DATA PROTECTION REGULATION 2019


Introduction

The Nigerian Data Protection Regulation is more popularly known by its acronym – NDPR. It is the principal data protection legislation in Nigeria, and it is the first real attempt at formulating a data privacy and protection law. It came into effect on January 25, 2019, issued by the Nigerian Information Development Agency (NITDA) pursuant to Section 32 of the NITDA Act 2007 as subsidiary legislation.

The NDPR is highly influenced by the EU General Data Protection Regulation 2018, which is arguably the most comprehensive and extensive data protection law in the world today.

Purpose of the NDPR

The NDPR became necessary to safeguard personal information and individuals’ privacy from hackers who tend to sell the data they steal to professional scammers. The purpose of the NDPR is to grant individuals control and rights over their personal data, and the ability to probe how their data is being handled, what data is collected, by whom, and why. It also forces organizations to take full responsibility and accountability for how they use, handle, process, and govern the use of individuals’ personal data.

Due to the importance of technology, people around the world are increasingly gaining access to the internet. According to Domo, “on average, every human created at least 1.7 MB of data per second in 2020”. That data is at the centre of business and profits for a lot of organizations, and for criminals as well, and it is harvested and used in ways that weren’t even imaginable just a few years ago.

These data do not belong to organizations. They belong to individuals and therefore need to be protected from manipulation and theft. However, in certain instances, the rights of individuals are limited under the NDPR. That is because the NDPR is not here to prevent companies from doing business, but rather to forbid the unlawful processing of personal data.

NDPR Content

NDPR is divided into a preamble and four (4) parts –

Part 1 – States the scope, objective of the regulation and defines special terminologies and abbreviations.

Part 2 – Deals with the governing principles of lawful data processing and procuring consent. In addition, it covers data privacy policies, security, 3rd party data processing contracts, objection by data subjects, penalties for default and foreign transfer of personal data.

Part 3 – Principally addresses the rights of data subjects.

Part 4 – Details the mechanisms for NDPR implementation, the Administrative Redress Panel (ARP), and the local and international cooperation required for its implementation.

NDPR- Definitions of Key Terms

Some key definitions used in the NDPR are –

“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others;

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Data Controller” means any entity, organization, company, person or institution that determines the purposes for and the manner in which Personal Data is processed or is to be processed;

“Data Administrator” AKA Processor means a person or an organization that processes data;

“Data Subject” means any person, who can be identified, directly or indirectly, by…. an identification number or to…… factors specific to his physical, physiological, mental, economic, cultural or social identity;

“Sensitive Personal Data” means data relating to religious or other beliefs, sexual orientation, health, race, ethnicity, political views, trades union membership, criminal records etc.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed;

“Data Subject Access Request” means the mechanism for an individual to request a copy of their data under a formal process which may include payment of a fee;

“Data Portability” means the ability for data to be transferred easily from one IT system or computer to another through a safe and secured means in a standard format;

“Third Party” means any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process Personal Data.

“Data Protection Compliance Organization (DPCO)” means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection Law or Regulation having an effect in Nigeria;

Scope of NDPR

NDPR has a limited scope as it seeks to only protect the personal data of data subjects from unlawful processing by controllers and administrators whether within or outside Nigeria provided they process personal data of persons residing in Nigeria, or outside of Nigeria but of Nigerian descent.

Data Subject rights

Since one of the main purposes of the NDPR is to give individuals control over their data, the regulation has prescribed eight data subject rights, which include –

1. Right to receive information related to processing free of charge

2. Right of access to data/copies of data

3. Right of rectification

4. Right to deletion/be forgotten

5. Right to restrict processing

6. Right to data portability

7. Right to object to processing

8. Right to object to marketing

9. Right to receive data in a machine-readable format.

Data Breaches and Penalties under NDPR

NDPR prescribes two categories of penalties –

1. For data controllers dealing with more than 10,000 data subjects, a violation can result in penalties of up to 2% of the organization’s annual gross profit of the preceding year or payment of the sum of 10 million Naira, whichever is greater.

2. For data controllers dealing with less than 10,000 data subjects, a violation can result in penalties of up to 1% of the organization’s annual gross profit of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

Since January 2019, the following fines have been issued under the NDPR for breach of data protection regulations –

· Lagos State Inland Revenue Service – 1 million Naira fine.

· Electronic Settlement Limited – 5 million Naira fine.

However, we expect that things will change quite a bit, as more companies become aware of the regulation and with the supervisory authorities stepping up, issuing heavier fines, adding more pressure on organizations to invest in their NDPR compliance.

General Principles of NDPR

The NDPR principles are the backbone of compliance; therefore, they must be applied to all processing of personal data. They include –

Purpose limitation – See Section 2.1. This means personal data is to be collected and processed for specified, lawful and legitimate purposes and not in a manner that is incompatible with those purposes. Further processing may be done only for archiving, scientific research, historical research or statistical purposes in the public interest.

Data Minimization – Under S. 2.1(1)(b), this means that only adequate, necessary data required to provide the service should be collected, and it should be stored only for the period within which it is needed.

Storage limitation – Under S. 2.1(1)(c), this means you shouldn’t store personal data for longer than is necessary. Note that other laws set minimum retention periods: Section 38 of the Cybercrime Act requires service providers to keep traffic data and subscriber information for a minimum of two years. Also, Section 5 of the Credit Reporting Act 2017 requires a credit bureau to maintain credit information for not less than six years from the date of obtaining such information, after which the information is archived for another 10 years and may be destroyed thereafter.

Data Security – Section 2.1(d) ensures the integrity and confidentiality of personal data. It states that personal data must be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulation of any kind, damage by rain, fire or exposure to other natural elements.

Lawfulness Basis Principle – This means that personal data should be processed in a fair and transparent manner and within the bounds of the law. Under Section 2.2, processing shall be lawful if –

i. The data subject gives consent to the processing;

ii. Processing is necessary for the performance of a contract;

iii. Processing is necessary to comply with a legal obligation;

iv. Processing is necessary to protect the vital interests of the data subject or of another natural person;

v. Processing is in the interest of the public or in the exercise of an official mandate vested in the controller.

Transparency – Section 2.3(1) means the specific purpose of the data collection is to be made known to the data subject before personal data is obtained. It also requires that the data collected be correct and accurate.

Accountability principle – Under Section 45(1) of the 1999 Constitution, data controllers or organizations are responsible for compliance with all of the above-mentioned principles, and must not restrict or limit the constitutional right to privacy of any data subject.

Compliance period under NDPR

Section 4.1(6) and (7) of NDPR provides that data controllers that process personal data of more than 2,000 subjects in a period of 12 months are to submit a summary of their data protection audit to NITDA not later than 15 March of the following year.

Appointment of a Data Protection Officer (DPO)

The Data Protection Officer is a new organizational role created by the NDPR with the main goal of overseeing data protection strategy, policies, and compliance.

The appointment of a DPO is only mandatory for organizations that act as data controllers under the NDPR. Par. 3.2 of the Nigerian Data Protection Regulation Implementation Framework (NDPRIF) specifies high priority organizations where the appointment of a DPO is necessary. They are –

· If the entity is a Government organ, Ministry, Department, Institution or Agency;

· If the core activities of the organization relate to usual processing of large sets of personal data;

· The organization processes sensitive data in the regular course of its business; and

· The organization processes critical national databases consisting of personal data.

From the above list, organizations required to appoint a DPO may include: CBN and banks, Nigerian Communications Commission and telecommunication companies, Pension Fund Custodians and Pension Fund Administrators, insurance companies, fintech, hospitals, Nigeria Stock Exchange and stockbrokers, etc. Therefore, it is important that these organizations appoint a DPO to start compliance processes immediately.

Establishment of Data Protection Compliance Organizations (DPCO)

The NDPR mandates NITDA to register and license qualified organizations as Data Protection Compliance Organizations (DPCOs). Under Section 4.1(4), DPCOs are organizations that, on behalf of NITDA, are responsible for monitoring, auditing, conducting training and data compliance consulting for all data controllers under the NDPR. Only entities designated as DPCOs are required to be registered and licensed by NITDA, and they are not the same as DPOs.

Transfer of Personal Data to a Foreign Country and Exceptions

The NDPR spells out the manner in which the transfer of Personal Data to a foreign country can be made, which must be under the supervision of the Honorable Attorney General of the Federation (HAGF). The following considerations shall be taken into account:

  1. The foreign country provides an adequate level of protection;
  2. Legal system and enforceability of human rights in the foreign country;
  3. Effectiveness of supervising authority for data privacy in the foreign country;
  4. International commitments of the foreign country with respect to the protection of Personal Data.

In the absence of a decision by the HAGF as to the adequacy of the above considerations, such transfers shall only take place where consent of the Data Subject has been secured; transfer is necessary for the performance of a contract or is required for the performance of a public interest purpose; or in the establishment, exercise or defence of legal claims or in defence of the vital interests of the Data Subject.

How to Effectively achieve NDPR compliance

The implementation of the principles and obligations imposed on organizations in everyday business can be daunting. This is because many organizations lack insight into the kind of personal data they are processing, and therefore face difficulty tracking, monitoring, managing and responding to data subject requests.

In order to navigate NDPR compliance more easily and quickly, follow these steps –

· Understand the meaning of personal data and the kind of personal data you are processing.

· Discover personal data across multiple systems (both soft copy and physical files).

· Manage privacy risks by ensuring that only authorized persons have access to the data.

· Consolidate your data and prioritize your relationship with customers.

· Align your marketing communication with data privacy regulations by collecting consent and informing data subjects of the purpose for collecting their data.

· Quickly and successfully resolve data subject requests.

· Manage third parties and guide them through your data management process workflow.

· Build and encourage cooperation between the DPO, Legal services, IT, and Marketing; clearly define their responsibilities and enable your team to work together.

· Track compliance efforts, monitor regulatory deadlines, cooperate with other departments, and have insight into your data.


Authored by Obinna O. Agwu, Esq.

Lagos, Nigeria.

To understand more on the Nigeria Data Protection Regulation 2019, please contact the author via email at [email protected]
