Johan consults limited logo

NDPR: An Overview of The Nigeria Data Protection Regulation

Organizations all over the world are facing a great challenge, “how to safeguard data”. The process of safeguarding data, known as data protection, is a delicate one. Companies, small, medium, and large, are exposed to data threats like cyberattacks, accidental loss, and compromise. Where the wrong persons access data, forgeries, targeted attacks, and impersonations are some of the consequences. This pushed countries—Nigeria included—to lay ground rules to guide organizations through protecting the data of their citizens. Examples are the NDPR, GDPR, UK GDPR, etc. In this article, you’ll learn all there is to know about the Nigerian Data Protection Regulation(NDPR) What is the NDPR? The full NDPR meaning is NIGERIAN DATA PROTECTION REGULATION. It is a set of rules guiding the protection of Nigerian data by organizations. The Nigerian Data Protection Regulation has four objectives, which are: Territorial scope of the NDPR Just like most data protection laws, its reach extends beyond Nigerian borders. The NDPR applies to any organization processing the personal data of Nigerian citizens (home or abroad), regardless of its geographical location. For instance, If an organization in the EU wants to process the personal data of a Nigerian citizen, it has to follow the NDPR.  When was the NDPR Established? The establishment of the Nigerian Data Protection Regulation occurred in January 2019 by the National Information Technology Development Agency (NITDA). Who Regulates NDPR? In the initial stages, the NITDA was the regulatory body. However, there was a need to create a separate body for the NDPR. The NITDA was stretched beyond what was necessary. The Nigeria Data Protection Bureau (NDPB) was established as the regulatory body. The purposes of NDPB are: Principles of the NDPR The Nigerian Data Protection Regulation has some principles guiding organizations (data controllers)  Consent Organizations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely with no trace of foul play. The data subjects also have the right to withdraw their consent. Lawfulness Data can only be collected for lawful purposes. Organizations must clarify the reasons for data collection, processing, and storage. Such purposes should be clearly disclosed to the data subjects. Accuracy Another principle is Accuracy. All the data collected by organizations must be correct. Any inaccuracy should be rectified immediately. Data minimization Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes. Security Organizations must take specific precautions to ensure data security. This includes measures against unauthorized access, disclosure, loss, and alterations of personal data. Rights of data subjects. Also, the NDPR has provisions for data subjects. Individuals have the clear right to halt the processing of their data. They can also request access, erasure, and correction. Differences between the NDPR and NDPA. NDPA stands for the Nigerian Data Protection Act. Its issuance was in February 2023. The NDPA is the current data protection law in Nigeria. Its issuance did not completely overrule the previous laws—NDPR and the Data Protection Bill. Rather, they were placed under its umbrella. While the NDPA covers most of the NDPR, it lacks the specificity of the latter. The major difference between the two lies in the definition of terms. In summary, the NDPA and NDPR are more similar than different. In times where there is a conflict between the two, the NDPA is supreme. NDPR and GDPR The Nigerian Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively. When it comes to it, the penalties are different. Non-compliance with the GDPR comes with a fine of up to 4% of the annual global profit or €20 million, whichever is higher. The NDPR non-compliance penalty is less severe. A fine of up to 2% annual global profit or 10 million Naira, whichever is greater. Nigerian Data Protection Regulation is an adaptation of the GDPR. GDPR is more comprehensive, with a broader scope. In conclusion The Nigerian Data Protection Regulation is important for safeguarding data in Nigeria, and meeting international standards while addressing local needs. Compliance with the NDPR will help organizations avoid penalties and foster trust among the client community. Are you an organization looking to scale up your NDPR and GDPR compliance? You can reach out to us at Johan Consults and be sure to get the best.

ALL YOU NEED TO KNOW ABOUT CYBER SECURITY AND GDPR IN NIGERIA

johanconsults

Most people simply don’t care enough to take proactive measures to protect themselves, their identity and their data when online or using their devices, perhaps they think it will not happen to them. Well, the truth is Cyber attacks are real and can be damaging on the long run, hence one needs to curb it completely.   New laws are taking effect across the globe to regulate the collection, use, retention, disclosure and disposal of a person, information. At the same time, the rate of cyber attacks, data breaches and, unauthorized use of personal data is growing exponentially. It is more important than ever particularly for those organizations handling financial data, health information and other personally identifiable information to understand the rights and obligations of individuals and organizations with respect to personal information. The Emerging data privacy regulatory space GDPR The European Union enforcement of the Global Data Protection Regulatory Space (GDPR) commenced on 25 May 2018, and it came with sweeping changes in the privacy and data security policies for the vast majority of companies operating, not only in the EU, but across the globe. The GDPR applies to all companies processing the personal data of subjects not only residing in the EU, but inclusive Africa. This generally governs how companies manage and share such data. Furthermore, there are provisions of the GDPR that will be important for all companies to take note of and that includes; The requirement for explicit and informed consent for collecting personal and mechanisms to withdraw such consent. Breach notifications, the right to access all data that a company has collected and the right to be forgotten through the erasure and cessation of dissemination of data. So What are the penalties for breaching the GDPR Penalties for breach of the GDPR are steep up to 4 per cent of annual global turnover or €20M, which is greater. In recent reports, French data privacy regulator, The National Data Protection Commission, slapped Google with a $57 Million fine, the offence has to do with the company’s failure to comply with the GDPR, in other words, you can call it a fine for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization. Cyber crimes and Data Breachment in Africa – What can be done?  Arguably, Nigeria is seen as the giant of Africa and such bold statement should be reflected in the country’s cyber security network, the process of adopting innovations can be lengthy and require full commitment and effort from all security network. In Nigeria and Africa as a whole, the tech industry has grown and more technological innovations are expected to come, as young and smart minds are delving into the tech industry, the future is bright but it can be brighter.   In view of this, companies, startups, corporate business organizations are further encouraged to establish internal policies and procedures to ensure compliance. Business policies may include top-level information security and privacy from the top-level officers of a company, monitoring, breach reporting, risk management program and acceptable use policy. Technical policies may include encryption of password, authentication protocols, disaster recover intention detection, physical security, patching, etc. Artificial Intelligence(AI) and specifically Machine Language(ML) techniques are now widely employed to enable computers to learn and adapt to new input. Such AI technology can be used in cyber security systems to provide an automated process for the identification of new threats and implementation of technology controls and protection.   Furthermore, Bigger companies should shoulder the responsibility of protecting their smaller counterparts in the tech field, this can be successfully implemented when companies support data privacy as a “human right” where there are rights to protect the legitimacy and ownership to private data. I believe everyone should own the right to his/her private information and exercise the right to make it available to the public or not. Microsoft CEO, Satya Nadella speaks out about data privacy and he voiced his support for data privacy as part of a human right. This focused on three major elements; Privacy, Cybersecurity and Observing the AI ethics. He also cited EU’s General Data Protection Regulation as a model of legislation. Nigeria as a country should urge companies to see common citizens and small businesses as the most vulnerable to cyber threats and task the Big companies to use their power in protecting them.   In conclusion, Recognition of the new and evolving international privacy and security regulations is a requirement, especially in view of the threat of increasing liability and risk with statutory penalties and class action lawsuits. Implementing a compliance program with a set of best practices for privacy and data security will surely help mitigate these risks, but it is a continuing process, especially as technologies in Africa face new hurdles when rolling out new systems and technologies.   Photo source – Unsplash

© Johan Consults Limited Nigeria 2024. All rights reserved. Johan Consults Limited Nigeria.

Designed by Tech Della Solutions LTD.