Data Protection Bill: Know It Guidelines, Objectives and Penalties
In recent times, Nigerian businesses have been fighting a battle against data threats of all kinds. And the odds are not in their favor. In 2021, 71% of Nigerian firms were hit by ransomware. Small and medium businesses have it even worse. Phishing attacks on SMEs grew by 87% in 2022 , compared to 37% in 2021. These attacks had terrible consequences. Scams, impersonations, and loss of privacy became the norm. All these discouraged foreign organizations from investing seriously in the country. The Director of Research and Development, Mr. John Dumesi, said, “Part of the findings and key threat trends we discovered are that data protection policies, enforcement, and disclosure practices are grossly lagging; there is a surge in corporate phishing attacks.” It was obvious that Nigeria needed a strong data protection policy. In 2023, a data protection bill was passed by the Nigerian government and in this article, you’ll learn what the Data Protection Bill means for Nigerians. The Objectives of Data Protection Bill 2023 The data protection bill for 2023 came on the heels of the NDPR (Nigerian Data Protection Regulation). Eventually, the NDPR was replaced by NDPA (Nigerian Data Protection Act), due to insufficient policies and weak enforcement. The primary objective of the data protection bill is to protect the fundamental rights and freedoms of data subjects by regulating the processing of personal data. The following objectives are as stated in the document: – “Protecting data subjects’ rights as well as providing means of recourse and remedies in the event of breaches; ensuring that data controllers and data processors fulfill their obligations to data subjects” – “Promoting data processing practices that safeguard the security of personal data and the privacy of data subjects; ensuring that personal data is processed in a fair, lawful, and accountable manner.” – “Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial, trusted use of personal data.” – And finally , “Establishing an impartial, independent, and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors.” Major Highlights of the Data Protection Bill Establishment of the Nigerian Data Protection Commission (NDPC) A law is only as effective as its enforcement. This statement is a known fact all over the world. As a matter of fact, lack of proper enforcement led to the NDPR cancellation. The Data Protection Bill made the necessary provisions for its own enforcement. According to Section 7 of the bill, the NDPC is to: 1. Promote awareness of risks to personal data and data protection measures. Including the rights and obligations granted under the Act. 2. Ensure the use of technological and organizational data protection measures. 3. Foster the development of personal data protection technologies in accordance with recognized international good practices and applicable international law. 4. Promote awareness of data controllers and processors’ obligations under the Act. Data Processing Guidelines The guidelines are very straightforward. Data controllers and processors are not allowed to process sensitive personal data themselves or by a third party unless: – The processing is necessary for exercising or performing the rights or obligations of the data controller or the data subject to underemployment, social security laws, or any other similar laws. – The data subject has given and not revoked consent to the processing for the specific purpose or purposes for which it will be processed. – It is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent. In the situations above, the Data Protection Bill has the following principles: 1. Data can only be processed for lawful purposes, which must be stated clearly beforehand. 2. The data subject must have consent before to the use of his or her data. Data subjects also have the right to withhold or withdraw consent at any point. 3. The data collected must not be used for any other purpose other than the stated one. 4. For no reason should personal data be stored beyond the necessary timeframe. Also, data subjects can request deletion or destruction of their data by data controllers. 5. All data must be accurate, with inaccuracies corrected immediately. 6. Lastly, the integrity of personal data must be kept with the utmost priority. The NDPC is responsible for enforcing compliance with the rules. Child Consent The data protection bill also caters to the data of all Nigerian children. According to the Bill, a child is an individual under the age of 18. Section 33 of the bill states that “The data controller must obtain the child’s parent or legal guardian before processing personal data.” It also emphasizes the use of government-approved identification documents to prove the child’s age and consent. Although, this does not apply when: 1. Processing is necessary to protect the interests of the child, 2. The processing is for medical or social care purposes by a professional or similar service provider with a duty of confidentiality. Data Protection Impact Assessment Section 28(1) requires data controllers to conduct a DPIA on every project likely to cause high-risk to the rights of data subjects. This is to identify and reduce the risks to data. In the event of identified high risk, controllers are mandated to consult the NDPB. Data Breach Management Data breaches, as a constant threat, have gained the attention of the Nigerian government. So, the bill laid out a proper guide for Its management. The Data Protection Bill mandates data controllers and data processors to keep a record of all personal data breaches. In addition, data controllers are to report every data breach that occurs to the NDPC within 72 hours. However, this timeframe can be extended due to the legal needs of law enforcement. Data Protection Officer and Compliance Services Section 33 of the bill mandates data controllers and processors of “major importance” to have a data protection officer well-versed in the data protection laws and practices.
GDPR Compliance: All You Need to Know To Get Started
The digital age has made the world into a village. Conducting business across borders is now possible, and data transfer is done at lightning speed. Sure, this came with its own consequences. Data is threatened now more than ever with unauthorised access, mishandling, loss, and cyberattacks. Pushing organisations to put in place data protection systems. This is where GDPR compliance steps in. We will be looking at what GDPR is, who it applies to, the principles guiding it, and how it compares to the Nigerian Data Protection Regulation. What is GDPR? GDPR stands for General Data Protection Regulation. It was established to govern the process of data protection in the European Union (EU) and European Economic Area (EEA) on May 25, 2018. It dictates how data is collected, processed, and used by organisations and individuals. The GDPR is regarded as the most comprehensive data protection regulation. Due to this, compliance is a top priority among data handlers. Who Does The GDPR Apply To? A common misconception is that GDPR holds power only in the EU. True, the GDPR protects the data of EU citizens. According to Article 3 of the GDPR, it applies to entities processing the data of EU citizens. Regardless of their geographical location. For instance, any business in Nigeria processing customers’ data has to be GDPR compliant once an EU citizen is in the mix. Basic Terminologies in The GDPR Decoding the GDPR and all it stands for can be difficult, especially to a beginner. Without understanding the terminologies used, it’ll be even more confusing. To assist, here is a breakdown of the common terminologies in the GDPR. Data Controller A data controller is an entity (organisation or individual) that collects data for its own use. This entity determines the purpose for which data is collected and how it is processed. A controller may work alone or with others to process data. Data Processor This is usually a third-party entity that processes the data provided by the controller. Although the processor has access to data, it doesn’t control the purpose. Personal Data Personal data is simply any information that can be used to identify a real person. For example, name, address, national identification number, IP address, etc. Personal data covers a broad range of data. It can be basic, like age, or extremely sensitive, e.g., a social security number. Data Subject A data subject is the person whose data is being processed. The data subjects of businesses are their clients. What Are The 7 GDPR Principles? The GDPR has seven principles guiding data controllers and processors on how to protect data. This is also called the principles of data protection, and they are listed below. Lawfulness, Fairness and transparency Data controllers must process data for lawful reasons. Such reasons must be made clear to the data subject beforehand. Purpose limitation Personal data can only be processed for the purposes clearly stated beforehand. It cannot be used for any other purpose, contradicting the initial one. Data Minimisation The personal data collected must be relevant and limited only to the stated purpose. This is to avoid causing harm to subjects. Accuracy This means that all personal data must be accurate and up-to-date. Also, inaccurate data must be corrected or destroyed immediately. Storage Limitation Personal data collected should not be stored for longer than necessary. Once the purpose of the processing is over, the data should be deleted. Integrity and Confidentiality Personal data must be processed with appropriate security against accidental loss, destruction, or damage. Accountability. This principle states that data controllers must follow the GDPR. And also be able to prove their compliance. Compliance can be proven through regular data audits, data processing records, and appointing a data protection officer. There is one more key GDPR requirement, which is: Right To Be Forgotten. Under article 17 of the UK GDPR, data subjects have a right to have their data deleted by data controllers after a period of time in the following events: When the personal data is no longer needed for the stated purposes. When the data subject revokes consent to the processing and there is no lawful reason to continue. Need to get consent? Learn how to write a GDPR consent statement. Where the owner objects to the processing and it cannot be overridden lawfully. Where data is used for direct marketing or a minor is involved. Learn about more GDPR requirements and Data Protection Impact Assessments, inclusive. What is GDPR compliance? GDPR compliance is when an organisation meets all the requirements for protecting data stated in the GDPR. GDPR compliance is required when data controllers and processors are handling data belonging to EU citizens. Why is GDPR compliance important? Compliance with GDPR is important to avoid hefty fines and penalties. Organisations that fail to meet the GDPR standards could be fined up to 4% of their annual global turnover or $20 million, whichever is higher. For non-compliant businesses, the fine is not all they have to worry about. Data loss is the greater penalty. Customer trust will be compromised, and the company’s image will be damaged. Now that you know the consequences of non-compliance, let’s look at how to be GDPR-compliant. How to Ensure GDPR Compliance To become GDPR compliant, organisations need to do the following: Understand the GDPR principles and the rights of data subjects. Document data processing activities. Ensure they have the consent of the data subject(s). A GDPR compliance checklist can help you track your progress, or better yet, seek expert advice with Johan Consults. GDPR Compliance Checklist You can use the checklist below to know how compliant your organisation is with the GDPR. Know what data you are processing and who has access to it. Have a lawful basis for processing data. Make your data processing activities transparent. Implement adequate data security measures like encryption and pseudonymization Develop a data breach management system. Assign a data protection officer for GDPR compliance. Ensure the privacy rights of data subjects by making it easy for them to: Request and get all their data. Correct or update inaccurate data Revoke their consent to data processing. Request the deletion of information. For an easier job, you should try out
What to Know About Data Protection and Data Protection Principles
Understand data protection and its importance, know the best practices and regulations including top trends in the world of data protection
NDPR: An Overview of The Nigeria Data Protection Regulation
Organizations all over the world are facing a great challenge, “how to safeguard data”. The process of safeguarding data, known as data protection, is a delicate one. Companies, small, medium, and large, are exposed to data threats like cyberattacks, accidental loss, and compromise. Where the wrong persons access data, forgeries, targeted attacks, and impersonations are some of the consequences. This pushed countries—Nigeria included—to lay ground rules to guide organizations through protecting the data of their citizens. Examples are the NDPR, GDPR, UK GDPR, etc. In this article, you’ll learn all there is to know about the Nigerian Data Protection Regulation(NDPR) What is the NDPR? The full NDPR meaning is NIGERIAN DATA PROTECTION REGULATION. It is a set of rules guiding the protection of Nigerian data by organizations. The Nigerian Data Protection Regulation has four objectives, which are: Territorial scope of the NDPR Just like most data protection laws, its reach extends beyond Nigerian borders. The NDPR applies to any organization processing the personal data of Nigerian citizens (home or abroad), regardless of its geographical location. For instance, If an organization in the EU wants to process the personal data of a Nigerian citizen, it has to follow the NDPR. When was the NDPR Established? The establishment of the Nigerian Data Protection Regulation occurred in January 2019 by the National Information Technology Development Agency (NITDA). Who Regulates NDPR? In the initial stages, the NITDA was the regulatory body. However, there was a need to create a separate body for the NDPR. The NITDA was stretched beyond what was necessary. The Nigeria Data Protection Bureau (NDPB) was established as the regulatory body. The purposes of NDPB are: Principles of the NDPR The Nigerian Data Protection Regulation has some principles guiding organizations (data controllers) Consent Organizations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely with no trace of foul play. The data subjects also have the right to withdraw their consent. Lawfulness Data can only be collected for lawful purposes. Organizations must clarify the reasons for data collection, processing, and storage. Such purposes should be clearly disclosed to the data subjects. Accuracy Another principle is Accuracy. All the data collected by organizations must be correct. Any inaccuracy should be rectified immediately. Data minimization Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes. Security Organizations must take specific precautions to ensure data security. This includes measures against unauthorized access, disclosure, loss, and alterations of personal data. Rights of data subjects. Also, the NDPR has provisions for data subjects. Individuals have the clear right to halt the processing of their data. They can also request access, erasure, and correction. Differences between the NDPR and NDPA. NDPA stands for the Nigerian Data Protection Act. Its issuance was in February 2023. The NDPA is the current data protection law in Nigeria. Its issuance did not completely overrule the previous laws—NDPR and the Data Protection Bill. Rather, they were placed under its umbrella. While the NDPA covers most of the NDPR, it lacks the specificity of the latter. The major difference between the two lies in the definition of terms. In summary, the NDPA and NDPR are more similar than different. In times where there is a conflict between the two, the NDPA is supreme. NDPR and GDPR The Nigerian Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively. When it comes to it, the penalties are different. Non-compliance with the GDPR comes with a fine of up to 4% of the annual global profit or €20 million, whichever is higher. The NDPR non-compliance penalty is less severe. A fine of up to 2% annual global profit or 10 million Naira, whichever is greater. Nigerian Data Protection Regulation is an adaptation of the GDPR. GDPR is more comprehensive, with a broader scope. In conclusion The Nigerian Data Protection Regulation is important for safeguarding data in Nigeria, and meeting international standards while addressing local needs. Compliance with the NDPR will help organizations avoid penalties and foster trust among the client community. Are you an organization looking to scale up your NDPR and GDPR compliance? You can reach out to us at Johan Consults and be sure to get the best.