This slide deck is based on a presentation on the Nigeria Data Protection Regulation given to the management of Cavidel Limited during a management meeting held at the company office in Nigeria. It summarises the key essentials of the data protection regulation released by NITDA for Nigeria.
The presentation aims to educate management on the Nigeria Data Protection Regulation: its direct and indirect impacts on businesses, its legal and financial implications, the penalties for failure to comply, the steps to compliance, and data security.
1. Make it Real
December 23rd, 2019
Ife Akinseinde
(Research)
CAVIDEL Limited
Block B12, Flat 402
1004 Housing Estate
Victoria Island
Lagos
Tel: 09067354599
Email: ife.akinseinde@cavidel.com
Website: www.cavidel.com
Data Protection Regulation in Nigeria
2. Personal Data
"Personal Data" means any information relating to an identified or identifiable natural person, which could include one or more factors specific to the stated identity:
o Physical
o Cultural
o Economic
o Mental
o Genetic
o Psychological
o Social
3. Personal Data
Where personal data arises in the business:
o Employee information as managed by HR
o Customer and subscriber data
o Vendors, suppliers and service providers' information
o Business contracts
o Clients (corporate or personal)
o Posts on social media websites
o Marketing activities
o Others who get in touch with us
o Recruitment applicants
o Visitors to our office
Examples of personal data:
o Name
o Contact information – phone number, email address
o Location information – address
o Financial information – bank details, BVN
o Transaction history
o Gender
o Ethnicity
o Health records
o Photograph
6. Governing Body
NITDA
o National Information Technology Development Agency
o Implements and monitors Nigeria's IT policy
o Electronic governance
o Regulates electronic data, usage and exchange of information
Not A Law Yet
o A Data Protection Bill has been passed for us to have a law on data protection
o The National Assembly has not signed it – awaiting approval
NITDA Data Protection Regulation
o Privacy and protection of Personal Data
o Grave consequences of leaving Personal Data processing unregulated
o NITDA issued the Nigeria Data Protection Regulation (NDPR) on January 25th 2019
o The NDPR protects data collection, processing and administration
Objectives of the NITDA Data Protection Regulation
o The NDPR was modelled after the European Union data protection law.
o To safeguard the rights of natural persons to data privacy
o To foster safe conduct for transactions involving the exchange of Personal Data
o To prevent manipulation of Personal Data
o To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.
8. Data Processing Principles
Personal data may be processed lawfully where:
o Consent has been given by the data subject
o The processing is necessary for the performance of a contract
o The processing is required for compliance with a legal obligation
o The processing is needed to protect the vital interests of the data subject
o The processing is for the performance of a task carried out in the public interest
9. Clarity of Privacy
Organisations must display a simple, clear and easily understandable privacy policy that the data subjects being targeted can understand.
10. Privacy Cont'd – Transparency
Within three months of the issuance of the Regulation, all public and private organizations in Nigeria that process personal data must make available to the general public their data protection policies, which must comply with the Regulation.
11. Explicit Consent
o Consent is one of the lawful bases for obtaining and processing personal data
o Consent must be informed, freely given and unambiguous
o Consent must not be obtained by fraud, misrepresentation, coercion or undue influence
o Any consent given must also be freely and easily withdrawable at any time by the Data User or Subject, without any explanation for the withdrawal being proffered.
12. Data Security
o Set up firewalls
o Implement access controls
o Encrypt personal data
  • Data encryption technologies
o Develop internal policies
  • Protecting against theft, cyber attack, manipulation, environmental hazards etc.
13. Rights of a Data Subject
o Have their personal data corrected
o Restrict the processing of their personal data where certain criteria are met
o Withdraw consent to the processing of their personal data
o Lodge a complaint with NITDA or another relevant regulator
o Object to the processing of their personal data for marketing purposes
o Access their personal data and have the data transferred to another data controller where feasible
o Obtain information about the processing of their personal data
o Have their personal data deleted where certain criteria are met
14. International Data Transfers
o Transfers of personal data out of Nigeria may take place only if certain specified criteria are met
o One such criterion is that NITDA has decided that the affected country ensures adequate data protection.
o Transfer activities are subject to the supervision of the Honourable Attorney General of the Federation.
15. Improper Motives Prohibited
No consent shall be sought, given or accepted in any circumstances that may engender propagation of atrocities, hate, child rights violation, criminal and anti-social acts.
16. Third Party Contract
Data processing by a third party must be governed by a written contract between the third party and the data controller.
17. Compliance Requirement
Data Controllers and Data Processors
o Ensure continuous capacity building and training for the Data Protection Officer and other personnel involved in processing personal data
o Engage a licensed Data Protection Compliance Organization (DPCO) to perform a Data Protection Audit and file a report with NITDA within the stipulated timeline – within six months of the issuance + 3 months
o Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance initiatives within the organization
o Document and publish a data protection policy in line with the requirements of the Data Protection Regulation – within six months of the issuance
18. Compliance Requirement
Data Controllers and Data Processors
o If a Data Controller processes the personal data of more than 1000 data subjects in a period of 6 months, it shall submit a soft copy of the summary of the audit to the Agency
o If a Data Controller processes the personal data of more than 2000 Data Subjects in a period of 12 months, it shall submit a summary of its data protection audit to the Agency
If an organisation is a data controller and it processes the personal data of more than 2000 people in a year, it must submit an audit to NITDA on the 15th of March 2020 and on the 15th of March of every subsequent year.
19. Consequences For Non-Compliance
o For data controllers "dealing with more than 10,000 data subjects," a fine of 2% of annual gross revenue of the preceding year or payment of 10 million Naira, whichever is greater
o For data controllers "dealing with less than 10,000 data subjects," a fine of 1% of annual gross revenue of the preceding year or payment of 2 million Naira, whichever is greater
o Negative publicity and damage to brand and reputation
o Prosecution of principal officers in the event of a severe data breach
20. What Will Change For Your Organisation
o Put individuals back in control of their personal data
o Organisations will be subject to higher standards of accountability
o Fines are getting bigger, and the timelines are getting shorter
o Data subjects' rights have been strengthened and expanded upon
21. Guide to Compliance with GDPR
Assess your organisation's processing activities
o What type of data is collected?
o How is data collected?
o Which department receives such data?
o Why does the organisation collect/process such data?
o What will be the legal basis for processing such data?
o What are the security measures taken to prevent a data breach?
Ascertain what the organisation is
o A data controller (determines the purpose and means of how the data is to be processed)
o A data administrator/processor (processes data on behalf of the controller)
Appoint a Data Protection Officer (DPO)
o Begin implementation of the NDPR