Data Privacy Day 2021: 10 Things You Probably Didn’t Know About Data Protection in Nigeria
There has been a lot of buzz about data protection and privacy in Nigeria over the last two years, following the issuance of the Nigerian Data Protection Regulation (“NDPR”) on the 25th of January 2019, which heralded a new dispensation in the Nigerian corporate space; one in which data protection became central to compliance, business planning and strategy.
It has been an exciting journey so far, with a lot of lessons on the way and reshuffling across industries to catch up to the “new data normal.” In commemoration of this year’s Data Privacy Day, we have thought to share 10 quick nuggets on what you probably did not know, about data protection in Nigeria.
Number One: Data Protection is not a favour to the Data Subject; it is an advantage for your Organisation!
A lot of organisations believe that data protection is solely for the benefit of the data subject and consider it strictly a regulatory obligation. In actuality, data protection is an investment, and it provides as much a competitive advantage and a ROI to your organisation as any other investment. Proper data protection practices enable your organisation to; improve internal processes and ensure efficiency in dealing with large volumes of personal data, create more value from data due to proper management and cataloguing of data, improve customer loyalty by protecting their privacy, save your organisation from the risk of privacy enforcement lawsuits, and score sentimental points from the public by positioning as a conscientious corporate! Also, proper data protection practices keep the sheriff from your door!
Number Two: Privacy by Design & Default – It Starts at the Beginning.
Organisations are not only required to protect data after the fact i.e., after data has been collected from data subjects and is already within the organisation’s technical frameworks. Rather, organisations are expected to create technical systems which from the very start, where possible, accommodates data protection. Article 3.2 (v) of the NDPR Implementation Framework (2020) states that organisations are to design and maintain technical systems to be data protection compliant and show that their systems are built with data protection in mind. This is also provided in Article 2.6 of the NDPR. The idea is to ensure that technical systems are data protection sensitive. For example, an app designed to deal with data should factor data protection into its programming and should provide for user’s access to data, deletion of data, accuracy and transparency of data and safe storage of data, amongst other things.
Number Three: Lawful Purpose – You cannot process Data without a Lawful Purpose!
Many organisations are not aware that they cannot process personal data at will. Under Art. 2.2 of the NDPR, an organisation can only process personal data where such processing falls within the ambit of one of the lawful purposes contained in the regulation. If you must process personal data, it must be within the scope of one of the following:
- with the consent of the data subject, or
- necessary for the performance of a contract or in furtherance of a contract with the data subject, or
- necessary to protect the vital interest of the data subject or another natural person
- necessary to perform a legal/statutory obligation, or
- in the interest of public policy – public policy being objectively defined.
In Nigeria, the furtherance of an organisation’s business interest or legitimate needs do not constitute a basis for data processing and an organisation which seeks to process data must situate such processing within at least one of the provided scopes.
Number Four: Data Security vs Data Privacy- Data Security is not Data Privacy.
Many organisations equate data privacy with data security, but both concepts are distinct. While Data Security means protecting digital data from unauthorised third-party access and destructive forces, such as a cyberattack or a data breach and is mostly an IT function, Data Privacy describes the practices which ensure that the data shared by customers are used for its intended purpose, are used lawfully with due recourse to the privacy rights of data subjects, are stored properly and are secured. Data Privacy/Protection is mostly a legal and process function. Essentially, data security is a component of data privacy, but only where it relates to personal data processing. Where it relates to data generally, it is a technical or organisational measure employed by businesses to protect their digital information.
Number Five: Data Privacy Rights – Data Subjects have Rights, and You have to Respect Them.
Many organisations are not fully aware that Data Subject have rights over their personal data which organisations hold within their systems! While organisations have control over the data, the Data Subject would always have rights over such data and can exercise such rights to their discretion. Some of these rights include, amongst others:
- the right to be informed, which means that data subjects must be informed of the fact that their data is being processed;
- the right of access, which means that data subjects can demand access to their data contained within an organisation’s system for the purpose of exercising any of their rights,
- the right to rectification, which means that data subject can demand that incorrect data be corrected;
- the right to erasure, also known as the right to be forgotten, which means that data subjects can request complete deletion of their data; and
- the right to restrict processing which means that data subject can request that their data only be processed in a limited way.
Data Subjects can exercise theses rights how and when they choose and organisations are obligated to create systems to allow Data Subjects exercise these rights, both by informing them of these rights and by having internal systems which do not prevent the exercise of these rights.
Number Six: Every Organisation Should conduct an Audit!
Under art. 4.1 (7) of the NDPR, where an organisation processes the Personal Data of more than 2000 data subjects in a period of 12 months, such an organisation is to conduct an audit and submit a soft copy of the summary of the audit to NITDA. A lot of organisations assume that this means that only organisations which process data to the above volume or that have suffered data breach or adverse law-suits are to conduct audits. But this is not accurate! Every organisation should conduct a data protection audit. Firstly, an audit is one way of determining the volume of personal data processed and ascertaining whether an audit report needs to be filed. Secondly, a data audit helps the organisation identify loopholes in their data processing activities, remedy such loopholes, adopt global standards for internal processes and safeguard itself from the risk of third-party lawsuits for data misappropriation or breach. It is like a health check-up! You shouldn’t wait till you fall sick!
Number Seven: Golden Standard – Data Protection has Become Global Best Practice!
The world over, data protection regulations are being created or adopted and data protection regimes are springing up, in line with the global push to standardise data protection. This rush is compelled by the realities of today’s technologically driven world, in which data has immense value and can be wrongly used in the absence of functional protection frameworks. Data protection has become more than just a local regulatory obligation, it is now a global best practice standard and an indicator of good corporate management.
Number Eight: Scope of Data Protection? It Covers all Kinds of Personal Information, but not all Kinds of Information.
Data Privacy does not cover all kinds of data! It only applies to a specific category of data known as personal data. Personal data is any information that relates to an identified or identifiable living individual. It can include data such as bio data, address, email, social media links, health data, financial data or any other information which in themselves or when collected together can lead to the identification of a particular person. The yardstick for measuring which data is covered by data privacy is whether such data can be used to identify a person, alone or in conjunction with other data. If it can, it is most likely personal data.
Number Nine: Give Notice! Notice is fifty percent of compliance!
Much of data privacy compliance rests on informing data subjects that their data is being processed, and how their data is being processed. Two key consumer facing obligations of organisations under the NDPR and under data protection generally, is the obligation to provide general privacy policies informing subjects of how the organisation uses their data and how they can exercise rights over their data and the obligation to inform data subjects of the fact that their data is being collected at the point of collection.
Number Ten: You need a DPO! Especially where…
Under art. 3.4 of the NDPR Implementation Framework (2020), some organisations are required to have data protection officers (“DPOs”), who are essentially data protection experts, whether forming part of the organisation’s internal staff or an external consultant, who will guide organisations in implementing day to day compliance with data protection obligations. Organisations who are mandated to have data protection officers include:
- government organs, Ministries, Departments, institutions or Agencies.
- organisations whose core activities involve the processing of the Personal Data of over 10,000 (ten thousand) Data Subjects per annum;
- organisations that process sensitive personal data in the regular course of business (e.g. hospitals); or
- organisations that possess critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of Personal Data.
If your organisation falls within any of the categories, you need to appoint a DPO as quickly as possible!
For more enquiries, contact: