An Overview of The Nigeria Data Protection Act
On June 12, 2023, the Nigerian government took a bold step towards achieving maximum data protection. The country enacted the Nigeria Data Protection Act to provide a comprehensive legal framework for data protection. While the European Union (EU) was miles ahead, this decision placed Nigeria on the same journey towards the protection of data. Prior to this, the Nigerian government made several attempts to protect personal data, one of which is the NDPR The NDPR, which stands for Nigerian Data Protection Regulation, was issued in February 2019 and established by the NITDA (Nigerian Information Technology Development Agency). But there wasn’t much regard for it. Why? A major shortcoming of the NDPR is that it’s subsidiary legislation and lacks vital provisions expected of a comprehensive law. For example, NITDA lacked the statutory authority to establish a commission with wide powers to deal with data privacy issues in Nigeria. This created a problem between foreign organisations and the Nigerian market, as the former could not trust the latter. So, the NDPA came into play as the principal data legislation in Nigeria. This article will provide an overview of the NDPA, its objectives, basic terminology, scope of application, principles, and penalties. Objectives of the Nigerian Data Protection Act (NDPA) There’s something about data that’s invaluable. A look at the estimated amount of data generated worldwide—2.5 quintillion bytes—proves how much the world uses data. While individuals can pretend to not need data, companies dare not say so. They need data to run promotions, for market expansions, product diversification and most importantly, digital marketing Now, companies are not the only users of data; cybercriminals obsess over it too. And they don’t care about who/what gets hurt. So, Organizations have to implement data protection systems against unauthorized access, loss, or compromise of data. So, how does the NDPA help out? The primary objective of the NDPA is to safeguard the fundamental rights and freedom of privacy as guaranteed under the constitution of the Federal Republic of Nigeria. The objectives of the NDPA in detail are: To protect the rights of data subjects by making sure personal data is processed in a lawful, fair, and transparent manner. This aligns with the basic principles of data protection. To provide a legal framework for the regulation and protection of personal data. Also a means of rectifying the rights of data subjects breached. To ensure data controllers and processors comply with their obligations to data subjects To promote data security and privacy in data processing activities in Nigeria. To ensure the inclusion of Nigeria in the regional and global economies through trusted use of personal data. Basic terminologies in NDPA. The Nigerian Data Protection Act has unique terminology. Here are some definitions to help you get started. Data controller Is an individual, private entity, public commission, agency, or any other body that, alone or jointly with others, determines the purpose and means of processing data. Data Processor The act describes a data processor as an individual, private entity, public authority, or any other body who processes data on behalf of a data controller or another data processor. Personal data Any information that relates directly or indirectly to an identified or identifiable individual by reference to an identifier, e.g., name, age, identity number, location ID, factors specific to the physical, psychological, cultural, social, or economic state of the individual. Sensitive personal data The act defined sensitive data as personal data relating to an individual’s Genetic and biometric data Ethnic origin Religious or similar beliefs, such as philosophy or conscience,. Sex life Health status Political opinion Trade union membership And other information deemed sensitive by the commission. Scope and Application of the Nigerian Data Protection Act The NDPA applies to the processing of personal data by data controllers and processors belonging to data subjects in Nigeria. The NDPA mandatorily applies in the following instances: Where the data processing takes place is Nigeria. The organisation processing data is not located in the country but processes data belonging to a Nigerian citizen. The data controller or processor is resident, domiciled, or operating in Nigeria. It’s important to note that the location of the controller or processor doesn’t matter as long as the data subject is in Nigeria; the NDPA applies. However, the Nigeria Data Protection Act has limitations. The Nigerian Data Protection Act does not apply to the processing of personal data carried out by one or more persons solely for personal or household purposes. Also, it’s important to know that this exemption applies when such processing doesn’t violate the fundamental rights of a data subject. Additionally, the NDPA will not apply if the processing of personal data is carried out by a competent authority for any of the following purposes: the prevention, investigation, detection, prosecution, or adjudication of a criminal offense or to execute a criminal penalty in accordance with any applicable law; to prevent or control a national public health emergency; for national security; in respect of publication in the public interest for journalism, educational, artistic and literary purposes to the extent that such obligations and rights are incompatible with such purposes; or necessary to establish, exercise, or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure Basic Principles of the Nigerian Data Protection Act (NDPA) Just like most data protection regulations around the world, the NDPA has principles guiding organisations to compliance. Consent Organisations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely with no trace of foul play. The data subjects also have the right to withdraw their consent. Now, data processing is lawful without consent when carried out: To protect the interests of the data subject or another person, where the subject is physically or legally incapable of giving consent. To establish, defend a legal claim, get legal advice, or carry out a legal proceeding. To carry out a contract to which the data subject is a third party. To conduct a task of public interest.
Data Protection Impact Assessments: Why You Need One
With advancements in tech, the process of collecting, and storing data was expected to be smooth. Unfortunately, the use of the internet for data collection and transfers exposes it to more threats. The owners of the data collected are now vulnerable, as their data can suffer accidental loss or compromise. In the wrong hands, sensitive data can be destructive e.g. impersonation, targeted attacks, and the likes. What do organizations do then? They devise means of data protection, guided by data protection laws around the world. As a precautionary method, data controllers (entities that collect and determine the purpose of data processing) are required to carry out a data protection impact assessment. What is a Data Protection Impact Assessment (DPIA)? Data Protection Impact Assessment is the process of determining the level of risks involved with collecting personal data for a project. All projects come with risks, as long as data is involved. The main issue is how prepared data controllers are to contain the risks. Given that it is impossible to fight an unknown enemy, the purpose of a DPIA is made more obvious. A Data Protection Impact Assessment will identify the risks and also find ways to reduce the impact. The Importance of A Data Protection Impact Assessment Organizations stand to lose everything unless they perform DPIA. Think about it: no one would keep money in a bank prone to robberies. The same principle applies in this case. Clients trust organizations to keep their data safe. Regular data loss or compromise will do enough damage to shut down a company. A DPIA ensures data controllers are aware of risks to data and ready to curtail them. Threats to organizations’ reputations are thus averted. Besides that, organizations can avoid penalties of data protection laws around the world. The GDPR, for example, deems a DPIA necessary under certain circumstances. So, carrying out a Data Protection Impact Assessment is important to achieve GDPR- compliance. When is a DPIA Required? According to the Nigeria Data Protection Regulation (NDPR), it is necessary in situations where they process highly sensitive data. Sensitive data under the NDPR refers to personal data relating to an individual’s: And others, as determined by Section 30(2) of the NDPR. A DPIA is required when the data handled belongs to sensitive or differently-abled subjects. Systematic monitoring, large-scale profiling, automated decision-making with legal effects, and the application of new technological solutions are some of the situations that need a DPIA. On the flipside, data protection impact assessment is not required where data processing is not likely to result in high risk to rights and freedoms of persons. Honestly, organizations should carry out a DPIA when handling a new project. To be on the safe side. Who Should Be Included in DPIA? The controller is 100% responsible for carrying out a DPIA. Other groups are involved in the process, but the data controller is held most accountable Now, the data controller may choose to outsource the process to a third party. Especially when the organization lacks the expertise, experience, or personnel to conduct it. A project deemed risky may also warrant the use of a data protection service consultancy. Since the process is likely to affect several aspects of a project, it is necessary to involve engineers, developers, and designers. They will be able to shed more light on the DPIA process. The data protection impact assessment should be carried out with the utmost care. This requires a team of professionals well-versed in the DPIA process. Whether overseen internally by the organization or outsourced to a consultancy, the GDPR and the Data Protection Bill mandate the appointment of a Data Protection Officer (DPO). Who is a DPO? A Data Protection Officer is a person overseeing the process of a Data Protection Impact Assessment. A DPO can be outsourced by a data protection service consultancy, if an organization lacks the personnel for it. Lastly, data subjects must be involved when carrying out a DPIA. This will show transparency while taking the concerns of the subjects into consideration. How To Do a DPIA Conducting a data protection impact assessment is serious business. Doing it the wrong way can cost an organization valuable time and money. To make the process simpler, here is a DPIA template you can follow. Step 1: Identify The Need. It will be futile to carry out a Data Protection Impact Assessment where it is not important. Below are some questions to determine if it’s necessary. Step 2: Context If you answered yes to any of the above questions, then you can move on to this step. Here, you have to be clear and specific. Be as detailed as possible. Step 3: Describe the Flow of Information. For extra clarity, make use of a flow diagram. Step 4: Identify and Assess the Privacy Risks. Make a list of the identified risks, their impacts, and the likelihood of their occurrence. Step 5: Make a Risk-reduction Plan. Once the risks have been identified, the next is to create a counterplan. How do you intend to curtail the effect of each of the risks? Document your plans, leaving no stone unturned. The expected result of the counterplan should also be documented. Step 6: Delegation Assign a part of the process to several personnel for greatest effectiveness. Record who oversees what and the stipulated time frame for the activity. Step 7: Reassess the Entire System. Double-check all the identified risks, impacts, and likelihoods against the control methods. This will cut all loopholes. These 7 steps are enough to get an idea of how to conduct a Data Protection Impact Assessment. DPIA vs. PIA The Data Protection Impact Assessment and Privacy Impact Assessment (PIA) are tools that organization use to estimate privacy risks to personal data in projects. While the former is a specific and mandatory requirement of the GDPR, any organization can use PIA to assess the privacy impacts of their activities. DPIA is legally necessary in certain cases within the EU, while PIA is the best data protection practice and privacy compliance globally. Conclusion In compliance with data
GDPR Compliance: All You Need to Know To Get Started
The digital age has made the world into a village. Conducting business across borders is now possible, and data transfer is done at lightning speed. Sure, this came with its own consequences. Data is threatened now more than ever with unauthorised access, mishandling, loss, and cyberattacks. Pushing organisations to put in place data protection systems. This is where GDPR compliance steps in. We will be looking at what GDPR is, who it applies to, the principles guiding it, and how it compares to the Nigerian Data Protection Regulation. What is GDPR? GDPR stands for General Data Protection Regulation. It was established to govern the process of data protection in the European Union (EU) and European Economic Area (EEA) on May 25, 2018. It dictates how data is collected, processed, and used by organisations and individuals. The GDPR is regarded as the most comprehensive data protection regulation. Due to this, compliance is a top priority among data handlers. Who Does The GDPR Apply To? A common misconception is that GDPR holds power only in the EU. True, the GDPR protects the data of EU citizens. According to Article 3 of the GDPR, it applies to entities processing the data of EU citizens. Regardless of their geographical location. For instance, any business in Nigeria processing customers’ data has to be GDPR compliant once an EU citizen is in the mix. Basic Terminologies in The GDPR Decoding the GDPR and all it stands for can be difficult, especially to a beginner. Without understanding the terminologies used, it’ll be even more confusing. To assist, here is a breakdown of the common terminologies in the GDPR. Data Controller A data controller is an entity (organisation or individual) that collects data for its own use. This entity determines the purpose for which data is collected and how it is processed. A controller may work alone or with others to process data. Data Processor This is usually a third-party entity that processes the data provided by the controller. Although the processor has access to data, it doesn’t control the purpose. Personal Data Personal data is simply any information that can be used to identify a real person. For example, name, address, national identification number, IP address, etc. Personal data covers a broad range of data. It can be basic, like age, or extremely sensitive, e.g., a social security number. Data Subject A data subject is the person whose data is being processed. The data subjects of businesses are their clients. What Are The 7 GDPR Principles? The GDPR has seven principles guiding data controllers and processors on how to protect data. This is also called the principles of data protection, and they are listed below. Lawfulness, Fairness and transparency Data controllers must process data for lawful reasons. Such reasons must be made clear to the data subject beforehand. Purpose limitation Personal data can only be processed for the purposes clearly stated beforehand. It cannot be used for any other purpose, contradicting the initial one. Data Minimisation The personal data collected must be relevant and limited only to the stated purpose. This is to avoid causing harm to subjects. Accuracy This means that all personal data must be accurate and up-to-date. Also, inaccurate data must be corrected or destroyed immediately. Storage Limitation Personal data collected should not be stored for longer than necessary. Once the purpose of the processing is over, the data should be deleted. Integrity and Confidentiality Personal data must be processed with appropriate security against accidental loss, destruction, or damage. Accountability. This principle states that data controllers must follow the GDPR. And also be able to prove their compliance. Compliance can be proven through regular data audits, data processing records, and appointing a data protection officer. There is one more key GDPR requirement, which is: Right To Be Forgotten. Under article 17 of the UK GDPR, data subjects have a right to have their data deleted by data controllers after a period of time in the following events: When the personal data is no longer needed for the stated purposes. When the data subject revokes consent to the processing and there is no lawful reason to continue. Need to get consent? Learn how to write a GDPR consent statement. Where the owner objects to the processing and it cannot be overridden lawfully. Where data is used for direct marketing or a minor is involved. Learn about more GDPR requirements and Data Protection Impact Assessments, inclusive. What is GDPR compliance? GDPR compliance is when an organisation meets all the requirements for protecting data stated in the GDPR. GDPR compliance is required when data controllers and processors are handling data belonging to EU citizens. Why is GDPR compliance important? Compliance with GDPR is important to avoid hefty fines and penalties. Organisations that fail to meet the GDPR standards could be fined up to 4% of their annual global turnover or $20 million, whichever is higher. For non-compliant businesses, the fine is not all they have to worry about. Data loss is the greater penalty. Customer trust will be compromised, and the company’s image will be damaged. Now that you know the consequences of non-compliance, let’s look at how to be GDPR-compliant. How to Ensure GDPR Compliance To become GDPR compliant, organisations need to do the following: Understand the GDPR principles and the rights of data subjects. Document data processing activities. Ensure they have the consent of the data subject(s). A GDPR compliance checklist can help you track your progress, or better yet, seek expert advice with Johan Consults. GDPR Compliance Checklist You can use the checklist below to know how compliant your organisation is with the GDPR. Know what data you are processing and who has access to it. Have a lawful basis for processing data. Make your data processing activities transparent. Implement adequate data security measures like encryption and pseudonymization Develop a data breach management system. Assign a data protection officer for GDPR compliance. Ensure the privacy rights of data subjects by making it easy for them to: Request and get all their data. Correct or update inaccurate data Revoke their consent to data processing. Request the deletion of information. For an easier job, you should try out
How to Choose the Right Data Protection Service Consultancy In Nigeria
is a necessity for every functioning organization. While it is important, most organisations need assistance in the form of data protection service consultancy. In this article, you will learn what a data protection service consultancy is, its needs, the services, and how to choose the right consultancy. What is a Data Protection Service Consultancy? It’s a service that provides organisations with expert advice on how to protect sensitive data from loss, compromise, or unauthorised access. Data protection service consultancy includes a general assessment of the existing system. It is compliance with data protection regulations and the identification of potential data breaches. Also, data protection practices are implemented. This service may also include employee training on safeguarding data. What is the Need for Data Protection Service Consultancy? Data collection, processing, and use form the core of every organisation, small or large. In recent times, there has been a rise in ransomware and phishing attacks on companies’ databases. Hence, the need to protect data from such threats, mishandling, and loss. Due to the importance of data protection, several laws and regulations have been established. These guide businesses on how to protect the sensitive information of their clients, making the process more complex. On one hand, organisations need data protection; on the other, they do not know how. This is where data protection service consultancy comes in. At a cost, organisations can have their entire data security system appraised and updated by agencies well-versed in the area. Services Covered by Data Protection Consultancy 1. Data Protection Audits This is the process that takes a critical look at the data protection practices of an organisation to determine its effectiveness. Data Protection Audits are important for businesses to identify inadequacies in their protection systems. Are data protection audits compulsory? Yes, they are. As a matter of fact, the ICO (Information Commissioner Office) has the power to carry out compulsory audits of organisations according to S146 of the Data Protection Act, 2018. So, if you know anything about protecting data, you might want to have an audit as soon as possible. 2. Data Protection Impact Assessment (DPIA) Data protection impact assessment is a process that helps identify and reduce the data protection risks associated with a project. DPIA is carried out when a project is large, deals with personal data, or processes the data of sensitive individuals. Resource: Why You Need A DPIA A data protection service consultant will determine the risk and provide a solid plan on how to reduce it to the smallest. Not sure if you need a DPIA? Check the ISO checklist. 3. Data Protection Training Data protection training is an important part of data protection service consultancy, where staff and stakeholders of organisations are educated on the laws and best practices in data protection. The scope of data protection training largely depends on what the business needs.For example, a company unable to follow GDPR will undergo GDPR compliance training. It is also important that data protection training be conducted at reasonable intervals. 4. GDPR Compliance The General Data Protection Regulation (GDPR) is a set of rules made to protect the data of European Union (EU) citizens. The consequences of non-compliance with these rules can be dire—up to 4% of annual global turnover, or €20 million. As part of the activities covered, a consultancy will check your organisation’s data protection system for inadequacies and offer help to ensure it becomes GDPR compliant. 5. Outsourced Data Protection Officer (DPO) Data protection consultancies also help organisations with compliance and data protection regulations like the GDPR by assigning a professional well-versed in the laws and practices of data safety. Outsourced DPO services are beneficial to small businesses, especially. Since they don’t have the internal resources to fulfil the role. Resource: Why You Need a DPO Another benefit of this service is that businesses can avoid the extra cost of hiring a full-time employee. Also, they gain full access to expert guidance at the same time. The roles of a DPO include: Monitoring Compliance: Ensures the organization adheres to data protection laws and policies. Advising on Legal Obligations: Provides guidance on compliance with data protection regulations. Risk Assessment: Identifies and mitigates data protection risks in organizational processes. Conducting Audits: Evaluates internal practices to ensure alignment with data protection standards. Liaison with Authorities: Acts as the point of contact for supervisory authorities like data protection regulators. Employee Training: Educates staff about their responsibilities regarding data protection. Data Protection Impact Assessments (DPIAs): Oversees and advises on DPIAs to evaluate the impact of processing activities on data protection. Handling Data Breaches: Manages and reports data breaches as required by law. Fostering Data Privacy Culture: Promotes awareness of data protection principles across the organization. 6. Data Localization Data localisation is the act of keeping data in the region it originated from. For example, if an organisation gets data from Nigeria, they store the data in Nigeria. In times when data can be transferred over the internet at lightning speed, the movement of data and its use have the interest of all data protection stakeholders. Consultancies help businesses localise data by offering data centres or cloud services that have data centres in the required locations. This data protection service reduces the cost of setting up several data centres from scratch for businesses operating in many countries and offers premium data protection. 7. Data Breach Management Many enterprises fall victim to data breaches once in a while. What is more important is how it is managed. Data protection consultancies offer this service to help organisations overcome such occurrences by creating and initiating an incident response plan, assembling an incident response team, and sending public notifications. 8. Data Digitization Data digitisation is the process of converting analogue information to digital format. Organisations handling significant amounts of sensitive data must use this service. These include financial institutions, legal practices, and medical facilities. The digitisation of data makes it easier for them to protect the personal data of their clients. How to Choose the Right Data Protection Service Consultancy When it comes to data protection, one size does not fit all. For that, selecting the right consultancy is
A Fresh Look for Johan Consults Ltd.: Introducing Our New Logo!
Over the years, Johan Consult Nigeria Limited has been a trusted resource for Nigerians seeking the best data protection and compliance. This commitment to excellence has helped put many top organisations in a safe and secure position, ensuring the highest standards of data privacy. As we continue to evolve and lead the way in data protection, we’re excited to unveil a brand new look that reflects our ongoing dedication to this vital field. This new logo reflects our commitment to remaining at the forefront of data security and compliance. Why the Change? Our previous logo served us well, but we felt it was time for another look that better represents our brand. However, our new logo is designed to be: Modern: Data protection and compliance practices are constantly changing and our new logo reflects that spirit. Its clean lines and modern look convey our sense of expertise. Memorable and Impactful: Our new logo is visually appealing and easy to remember. This is good for making a strong lasting impression. and help us solidify our position as a trusted leader in the data protection space. Professional and Trustworthy: At the heart of everything we do at Johan Consult is a commitment to data security and our client’s privacy. This new logo is meant to inspire and help reassure our clients that they are dealing with a company that is serious in what they do. Enhanced Brand Recognition: The new logo better represents our name, Johan Consult. This will help strengthen our brand identity and make us easier to identify. Improved User Experience: The logo is clear and concise, improving the user experience on our website and other platforms. Aligning with Our Values: Lastly, our new logo reflects our core values, innovation, reliability, and precision. Continuing Our Commitment With a Seamless Transition As you must have been already, our new logo is gracing our website, media, and social media posts and platforms. Regardless, this will not in any way affect our operations and services to you. We are always available to help with your data protection and compliance needs. We remain passionate about helping businesses navigate the ever-changing data landscape and ensure the highest level of security for their sensitive information. You can contact us or book a free 3-minute consultation. We hope the new logo resonates with you as much as resonates with us. As we continue to innovate and expand our services, we’ll keep you informed.
NDPR: An Overview of The Nigeria Data Protection Regulation
Organizations all over the world are facing a great challenge, “how to safeguard data”. The process of safeguarding data, known as data protection, is a delicate one. Companies, small, medium, and large, are exposed to data threats like cyberattacks, accidental loss, and compromise. Where the wrong persons access data, forgeries, targeted attacks, and impersonations are some of the consequences. This pushed countries—Nigeria included—to lay ground rules to guide organizations through protecting the data of their citizens. Examples are the NDPR, GDPR, UK GDPR, etc. In this article, you’ll learn all there is to know about the Nigerian Data Protection Regulation(NDPR) What is the NDPR? The full NDPR meaning is NIGERIAN DATA PROTECTION REGULATION. It is a set of rules guiding the protection of Nigerian data by organizations. The Nigerian Data Protection Regulation has four objectives, which are: Territorial scope of the NDPR Just like most data protection laws, its reach extends beyond Nigerian borders. The NDPR applies to any organization processing the personal data of Nigerian citizens (home or abroad), regardless of its geographical location. For instance, If an organization in the EU wants to process the personal data of a Nigerian citizen, it has to follow the NDPR. When was the NDPR Established? The establishment of the Nigerian Data Protection Regulation occurred in January 2019 by the National Information Technology Development Agency (NITDA). Who Regulates NDPR? In the initial stages, the NITDA was the regulatory body. However, there was a need to create a separate body for the NDPR. The NITDA was stretched beyond what was necessary. The Nigeria Data Protection Bureau (NDPB) was established as the regulatory body. The purposes of NDPB are: Principles of the NDPR The Nigerian Data Protection Regulation has some principles guiding organizations (data controllers) Consent Organizations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely with no trace of foul play. The data subjects also have the right to withdraw their consent. Lawfulness Data can only be collected for lawful purposes. Organizations must clarify the reasons for data collection, processing, and storage. Such purposes should be clearly disclosed to the data subjects. Accuracy Another principle is Accuracy. All the data collected by organizations must be correct. Any inaccuracy should be rectified immediately. Data minimization Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes. Security Organizations must take specific precautions to ensure data security. This includes measures against unauthorized access, disclosure, loss, and alterations of personal data. Rights of data subjects. Also, the NDPR has provisions for data subjects. Individuals have the clear right to halt the processing of their data. They can also request access, erasure, and correction. Differences between the NDPR and NDPA. NDPA stands for the Nigerian Data Protection Act. Its issuance was in February 2023. The NDPA is the current data protection law in Nigeria. Its issuance did not completely overrule the previous laws—NDPR and the Data Protection Bill. Rather, they were placed under its umbrella. While the NDPA covers most of the NDPR, it lacks the specificity of the latter. The major difference between the two lies in the definition of terms. In summary, the NDPA and NDPR are more similar than different. In times where there is a conflict between the two, the NDPA is supreme. NDPR and GDPR The Nigerian Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively. When it comes to it, the penalties are different. Non-compliance with the GDPR comes with a fine of up to 4% of the annual global profit or €20 million, whichever is higher. The NDPR non-compliance penalty is less severe. A fine of up to 2% annual global profit or 10 million Naira, whichever is greater. Nigerian Data Protection Regulation is an adaptation of the GDPR. GDPR is more comprehensive, with a broader scope. In conclusion The Nigerian Data Protection Regulation is important for safeguarding data in Nigeria, and meeting international standards while addressing local needs. Compliance with the NDPR will help organizations avoid penalties and foster trust among the client community. Are you an organization looking to scale up your NDPR and GDPR compliance? You can reach out to us at Johan Consults and be sure to get the best.
