Data breaches have been on the rise in recent times. Countries in Europe, the US and other parts of the world have put in place policies and frameworks to stem this rise in data breaches and the misuse of personal data by organizations. It is against this backdrop that NITDA, as the regulator of ICT in Nigeria, issued the NDPR to address the same issues locally. Although these breaches have many causes, they can be prevented, and their impact limited, by complying with existing standards and frameworks that govern how personal data is collected, processed and stored.
What is NDPR?
In Nigeria, the NDPR (Nigeria Data Protection Regulation) is the regulation responsible for ensuring the safe conduct of transactions involving the exchange of personal data. It applies to the personal data of all natural persons residing in Nigeria, and of Nigerian citizens residing outside Nigeria. Below are the key requirements of the NDPR that every data controller must meet in order to be certified as NDPR compliant.
Before a data controller collects personal data, the NDPR requires that the collection be for a specific, legitimate and lawful purpose and that the data subject has consented to it. The specific purpose for which the data is collected must be explicitly stated to the data subject, and consent must be given freely, without fraud, coercion or undue influence. In practice this is done with a consent statement and checkbox at the top or bottom of collection forms: by ticking the box, data subjects consent to the collection, processing and storage of their personal data for the stated purpose.
Any person or entity processing personal data shall not transfer it to any other person or entity (e.g., a third party or supplier) without the consent of the data subject. The data controller must be able to demonstrate that the data subject consented to the processing of his/her personal data, and the request for consent must be presented in an intelligible and easily accessible form, using clear and plain language.
Data Integrity & Storage
All personal data stored by a data controller must be secured against all foreseeable hazards and breaches, such as theft, cyberattack, malware, dissemination, manipulation of any kind, and damage by rain, fire or exposure to other natural elements. The data must also be retained only for the period for which it is reasonably needed.
Right of Data Subjects
Although the consent of a data subject is required before any processing is done, the data subject retains the right, at any point, to object to the processing of personal data relating to him/her that the data controller intends to process for marketing purposes. The data subject must be expressly and clearly offered a mechanism for objecting to any form of data processing, free of charge.
Data Security
All data controllers shall develop security measures to ensure the safety of the data they hold. This includes protecting systems against intrusion, deploying firewalls, storing data securely with access restricted to specific authorized individuals, employing data encryption, developing an organizational policy for handling personal data (and other sensitive or confidential data), protecting email systems, and continuous capacity building for staff.
Publication of Privacy Policy & Penalties
Every data processing organization in Nigeria is expected to make its data protection policy available to the general public, in conformity with the NDPR. Any organization subject to the Regulation that is found to be in breach of the data privacy rights of any data subject shall be liable, in addition to any other criminal liability, to a fine. For a data controller dealing with more than 10,000 data subjects, the fine is 2% of Annual Gross Revenue of the preceding year or 10 million Naira, whichever is greater. For a data controller dealing with fewer than 10,000 data subjects, it is 1% of Annual Gross Revenue of the preceding year or 2 million Naira, whichever is greater.
Once a DPCO (Data Protection Compliance Organization) has verified that an organization meets the requirements stated above, NITDA issues the organization a certificate of compliance. Widespread compliance with the NDPR will go a long way in reducing the number and magnitude of data breaches in Nigeria.
Road to Compliance
Engage a DPCO
Organizations are directed to engage a DPCO, which will help them work through audits, file audit reports and findings with NITDA, and guide the remediation of all non-conformities identified against the requirements of the NDPR.
Appoint a DPO
An organization must appoint a Data Protection Officer (DPO) who will internally drive the implementation of the NDPR while working closely with management, all departments within the organization and the DPCO.
Develop Policy Documents
With the help of the DPO and DPCO, organizations are directed to develop all the policy documents needed to guide both internal and external data protection processes, in line with the requirements of the Regulation.
Training & Awareness for Staff
Continuous capacity building and training must be provided for the Data Protection Officer and for all other staff involved in processing personal data within the organization.
With our Governance, Risk and Compliance Team at CyberPlural, we can help your organization achieve and maintain NDPR compliance while improving the overall security of your business processes.