With the advancement of technology and the accompanying digitisation and globalisation of businesses and personal data, cyber-crime is on the rise. To protect the personal data of individuals and their privacy rights, the National Information Technology Development Agency (NITDA), on 25 January 2019, issued the Nigeria Data Protection Regulation (NDPR) pursuant to its powers under the NITDA Act. The objectives of the Regulation include, inter alia, safeguarding the rights of natural persons to data privacy, preventing manipulation of personal data and fostering the safe conduct of transactions involving the exchange of personal data.
NDPR’s Requirements for Compliance
The Regulation states that all public and private organizations in Nigeria that control data of natural persons must:
- Ensure they have data protection policies in place, and they are made available to the public
- Ensure that where they process the personal data of not more than 1000 data subjects in a period of six months, a soft copy of a summary of the audit report containing information on their data protection policies is sent to the NITDA
- Ensure that where they process the personal data of more than 2000 data subjects within 12 months, they submit, not later than 15 March annually, a summary of their data protection audit to the NITDA
NDPR’s Requirements for Compliance for Public Institutions
Public Institutions for the purposes of the NDPR include Ministries, Departments, Agencies, Institutions, Public Corporations, publicly funded ventures and incorporated entities with government shareholding at the Federal, State or Local level.
The guidelines for the implementation of the NDPR relating to Public Institutions, as released by the NITDA, provide as follows:
Every Public Institution shall put measures in place to ensure the confidentiality, integrity, availability and resilience of data. Public Institutions that seek to process the personal data of Nigerians from another Public Institution, a private entity or an international organisation shall demonstrate the following:
a. Compliance with international information security standards such as ISO 27001:2013 or any similar standard;
b. Compliance with the provisions of the NDPR;
c. Conduct of a Data Protection Impact Assessment and submission of same to NITDA; and
d. Retention of a Data Protection Compliance Organisation (DPCO) to guide it in the use of the personal data and for compliance purposes.
Required Data Protection Policies
According to the NDPR, every organisation and Public Institution must put in place the following policies:
- Data Protection Policy – This is a set of principles, rules and guidelines that inform how an organisation/Public Institution can ensure ongoing compliance with data protection laws.
- An Information Security Policy – It involves the systemic and risk-based application of controls to ensure that data is only accessed and used by authorized individuals.
- Personal Data Breach and Incident Handling Procedure – This procedure covers reporting of actual or suspected data security incidents that may be data breaches.
- Customer Service and Support Policy – This policy lays out the organisation’s/Public Institution’s standards regarding processing of customers’ data and mandates all third parties handling data on its behalf to comply.
- Remote Working and Removable Media Policy – This Policy aims to ensure that the use of removable media devices while working from the office or working remotely is controlled.
Implementation of the Policies
- Circulation of these policies to all departments
- Regulation 4.1(2) states that every Data Controller shall designate a Data Protection Officer (DPO) for the purpose of ensuring adherence to this Regulation, relevant data privacy instruments and the data protection directives of the Data Controller. Public Institutions must, in addition, retain the services of a DPCO, who shall provide data protection audit, training and compliance services to the Institution.
- Continuous capacity building for the DPOs and for all of the organisation’s personnel involved in any form of data processing.
- Checks and balances, which could take the form of either a monthly or a quarterly review of departmental compliance.
- A register of all trainings, quarterly or monthly reviews and other compliance activities should be kept by the designated DPO.
Penalties for Non-Compliance
Regulation 2.10 of the NDPR provides that any person subject to this Regulation, be it an Organisation or a Public Institution, who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater.
b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.
c) Principal officers of Public Institutions processing personal data, or of Public Institutions that may have requested processed data, shall be personally liable for breach of this Guideline or misuse of information derived from personal data, whether while in office or after the expiration of their term in office.
For more on this, kindly send an email to email@example.com