by TONBOFA LP

Data protection and the implication of data breach

Every day, personal data are shared, and these data can reveal sensitive personal information that can be exploited. It is therefore important to protect such data and to regulate how they are used. Through laws and regulations, authorities are taking bold steps to protect the data of citizens and to impose sanctions for data breaches.


On the 2nd of December 2021, the UK Government was fined £500,000 for mistakenly publishing online the postal addresses of more than 1,000 New Year Honours recipients.

The Information Commissioner’s Office (ICO) in the UK found that the Cabinet Office had failed to put adequate measures in place to avoid such data breaches. The error, which occurred in 2019, resulted from “complacency”, it added.

The government apologised for the data breach and said it had put measures in place to avoid a repeat of it. After officials became aware of the breach, the web link to the file was removed, but the file itself remained cached and accessible to anyone who typed in the exact web address. The data was online for 2 hours and 21 minutes and was accessed 3,872 times.

Singer Sir Elton John, sports presenter Gabby Logan, TV cook Nadiya Hussain, cricketer Ben Stokes, chef Ainsley Harriott and former Ofcom boss Sharon White were among those affected.

The director of investigations at the ICO, Steve Eckersley, after receiving complaints from people affected, said: “At a time when [the recipients] should have been celebrating and enjoying the announcement of their honour, they were faced with the distress of their personal details being exposed.” He added: “The Cabinet Office’s complacency and failure to mitigate the risk of a data breach meant that hundreds of people were potentially exposed to the risk of identity fraud and threats to their personal safety. The fine issued today sends a message to other organisations that looking after people’s information safely, as well as regularly checking that appropriate measures are in place, must be at the top of their agenda.”

The National Information Technology Development Agency (the “NITDA”) issued the Nigeria Data Protection Regulation, 2019 (the “Data Protection Regulation” or “NDPR”) on the 25th of January 2019, and the Regulation became operational on the 25th of January 2019.

The Data Protection Regulation applies to all transactions in which the personal data of natural persons resident in Nigeria, or natural persons outside Nigeria of Nigerian descent, is being processed.

In March 2021, the National Information Technology Development Agency (NITDA), after concluding its investigation into a personal data breach by Electronic Settlement Limited, fined the firm N5 million for breach of data protection obligations. The investigation involved an analysis of the company’s applications and websites, a visit to the company’s office in Lagos, a review of the technical documents it had submitted to the Agency, and questioning of its officials by the NITDA investigation team in Abuja.

In August 2021, NITDA fined a micro-money lender, Sokoloan, N10 million for an alleged data breach.

How to avoid a data breach

Determine the data processing activities of your organisation by identifying the types of personal data that are collected and the nature of the processing.

Ascertain whether your organisation is a data controller or a data processor by identifying the circumstances in which it acts as one or the other, as most obligations are imposed on the data controller.

Appoint a Data Protection Officer (DPO).

Assess your organisation’s processing activities. Questions such as the following would help in this assessment:

How is data collected?

Which department receives such data?

Why does the organisation process such data?

What will be the legal basis for processing such data?

What security measures has the organisation taken to prevent a data breach?

Begin implementation of the NDPR (the Nigeria Data Protection Regulation).

How to implement the NDPR

  • Make the organisation’s data protection policies (such as the privacy policy) available to the general public. This should have been carried out since 25th April 2019.
  • Conduct an audit of the organisation’s privacy and data protection practices.
  • Where an organisation is a data controller and it processes the personal data of more than 1,000 people in 6 months, it should submit a summary audit to NITDA.
  • Where an organisation is a data controller and it processes the personal data of more than 2,000 people in a year, it must submit an audit to NITDA on or before the 15th of March of every subsequent year.
