NDPR’s Technical Requirements for Organizations to Ensure Data Privacy – DPW2023
The Nigeria Data Protection Regulation (NDPR), enacted in 2019, contains a number of clauses that companies must follow in order to ensure the best possible protection of individuals’ personally identifiable information (PII). These clauses are intended to secure user data from unwanted access and avoid data breaches.
These requirements address data privacy at their core, including encryption, anonymisation, data storage and retention, data minimization, data breach notification, and risk assessments.
To guarantee compliance, the NDPR includes provisions for appointing a Data Protection Officer (DPO) to oversee all aspects of an organization’s compliance with this legislation.
For further elaboration on the clauses:
- Encryption: The NDPR requires organizations to develop security measures to protect data; such actions include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specifically authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff. (NDPR, Article 2.6). Personal data must always be encrypted, both in transit and at rest, to prevent unauthorized access.
- Data Storage and Retention: Data controllers are required to store data only for the period they are reasonably required to do so. Every data controller must state and implement data retention schedules and communicate them to the data subjects or their potential clients. (Implementation Doc, 2(d)). Organizations must keep data only for as long as is necessary and must delete it when it is no longer needed.
- Data Minimization: Data Controllers are required to collect the minimum required data and avoid collecting data that is not required for the purpose of processing. Data that is not directly related to the stated purpose of collection consented to by the data subject should not be collected. No data shall be obtained unless the specific purpose of collection is made known to the Data Subject. This principle also relates to the principle on the purpose of collection. (Implementation Doc, 2(b))
- Reporting: Data Controllers and Administrators also have a duty of Self-Reporting Data Breaches. The NDPR requires Data Controllers and Processors to have policies and procedures for monitoring and reporting violations of privacy and data protection policies (Article 4.1(5)). Data Controllers and Processors have a duty to report to NITDA within 72 hours of their knowledge of the breach and to notify the data subject within 7 working days except otherwise directed by NITDA. (Implementation Doc, 10)
- Risk Assessments: Organizations must conduct regular assessments of the risks associated with data processing to identify and mitigate any potential threats to data privacy. Where the organization intends to embark on a project that is likely to result in significant risks to the rights and freedoms of a Data Subject, a Data Protection Impact Assessment (DPIA) should be conducted to identify possible areas where breaches may occur and devise means of addressing such risks. Organisations are also required to conduct DPIAs on their processes, services and technology periodically to ensure continuous compliance. (Implementation Doc, 4.9)
If these clauses are not acted upon by an organization, data breaches could occur. The occurrence of these usually packs a punch, having adverse effects on both data subjects (users) and data controllers/processors (organizations).
Possible Impact of Data Breaches on Users
- They can lead to the loss of sensitive information, such as personal identifying information (PII) and financial data, which can be used for identity theft and financial fraud.
- Breaches can also lead to the loss of privacy, as personal information is exposed to unauthorized parties.
- Additionally, users may also be at risk of targeted phishing scams, extortion and other cybercrime activities.
Overall, data breaches can lead to significant financial, personal and reputational harm to users.
Possible Impact of Data Breaches on Organizations
As stated earlier, data breaches can have serious consequences for both organizations and users alike. Some of the most common impacts on organizations include:
- Financial losses: A data breach can result in the loss of sensitive financial information, leading to fraud and financial losses.
- Reputational damage: Data breaches can severely damage an organization’s reputation, leading to loss of trust and customers.
- Loss of privacy: Data breaches can result in the exposure of sensitive personal information, leading to loss of privacy and potential identity theft. This will, in turn, reflect badly on the organization, and might even result in reputational and financial loss, from litigations.
- Legal consequences: Organizations that fail to comply with the NDPR may face significant fines and legal consequences.
In conclusion, organizations must take the technical requirements set forth by the NDPR seriously in order to ensure the privacy and security of user data. By adhering to these requirements, enterprises may limit the risk of data breaches and avoid the associated consequences/penalties entirely.