The free flow of data is an integral part of the digital economy. As more businesses go online, the safety of personal data becomes a crucial concern. Businesses in the digital space have obligations to ensure the protection of the personal information of employees, customers and other stakeholders.
What Is Data Protection?
It is the legal framework designed to protect personal data. It requires that measures should be put in place to prevent abuse, misuse, corruption, unauthorised access, disclosure, compromise or loss of personal data. “A strong data protection framework can empower individuals, restrain harmful data practices, and limit data exploitation.”
What Is The Legal Framework For Data Protection In Nigeria?
Prior to the introduction of the Nigeria Data Protection Regulation (NDPR), Nigeria had pockets of laws addressing data protection, privacy and confidentiality of data. In addition to that, there were sector-specific laws that created obligations to ensure both security and data protection.
The NDPR seeks to safeguard data protection rights in Nigeria. The Regulation is currently the only general data protection framework available in the country. The Regulation applies to all forms of data processing in respect of natural persons by individuals, public and private institutions in Nigeria, residing in Nigeria, or a Nigerian in any other part of the world. The NDPR creates rights for data subjects, obligations on entities processing data and enforcement powers that can be invoked when there is a violation of the law.
Why Is It So Important?
The increased use of technology and the internet creates digital footprints for users. These personal data could be subject to various types of digital risks – commodification, data breach, identity theft, loss of control over data, loss of value of data, etc. The risks are numerous.
Aside from compliance with the provisions of the data protection law being a statutory requirement, implementing a privacy program enhances the reputation of a brand, safeguards data, reduces the risk of lawsuits and sanctions, increases revenue, increases the value of data, builds consumer trust and projects an organisation as a responsible corporate citizen.
How Do I Improve Data Protection Within My Organisation?
The data protection law has created a number of obligations on organisations, but beyond compliance, there is a big role for ethics and a valid case for global best practices for organisations seeking competitive advantage.
Below are some recommendations:
- Have a privacy notice visibly displayed on your website. The notice should genuinely reflect your processing activities, be comprehensible and easy to access.
- Understand the principles of data protection and how they impact on your business. For example, do not keep data for longer than is necessary.
- Have effective procedures in place to manage data subject rights.
- Ensure you determine the appropriate lawful basis of processing before commencing.
- Ensure adequate security measures. Security should be technical, organisational and physical to prevent unauthorised access, disclosure, compromise or loss of data.
- Document your processing activities. A good record of processing activities supports the principle of accountability.
- Have measures in place to manage international transfer of data.
- Conduct a data mapping and inventory exercise to understand processing activities.
- Appoint a Data Protection Officer (DPO) to oversee compliance with the law. You may consult with a privacy professional on whether this is required, as not all organisations are mandated to appoint a DPO.
- Conduct an audit and assessment of the organisation, and where statutorily required, appoint a data protection compliance organisation to file the annual audit report on your behalf. You may consult with a privacy professional on whether this is required, as not all organisations are mandated to file an audit report.
- Train your team. Reinforce learning through awareness sessions.
- Use a data processing agreement or a data-sharing agreement when dealing with third parties, vendors, processors or controllers. You may consult with a privacy professional to determine which of the contracts is appropriate.
- Understand your risk landscape, sector-specific requirements, regulators and your other stakeholders.
- Operationalise context-specific policies, procedures and processes.
The concept of data protection is still a nascent development in Nigeria. But technology is a leveller, and digital risks are decentralised regardless of the state of the regulatory framework and the maturity stage of the organisation. While the Regulation might not represent the best legislative piece, it is a good spot to ignite the conversation around data protection in Nigeria. Fortunately, there is an ongoing effort to enact a more comprehensive data protection law.