On a global level, data privacy has become one of the major concerns of governments and their regulatory agencies as far as the Internet is concerned. Early last year, there was a data breach saga involving Facebook and Cambridge Analytica, over which the United States Congress summoned Mark Zuckerberg, Facebook founder and CEO, for testimony.
Also, the United Kingdom and European parliaments invited Zuckerberg for questioning. The bottom line of all this is that governments around the world are aware of the importance of data privacy.
Shortly after the Facebook data breach saga, Europe’s General Data Protection Regulation, a regulation on data protection and privacy for all individuals within the European Union which was adopted in 2016, became effective.
Apparently, Nigeria is not left out in the drive for data privacy. One of the Nigerian government’s recent actions in that line is the Digital Rights and Freedom Bill which was recently transmitted to President Muhammadu Buhari by the country’s National Assembly for assent.
The bill, which the president is yet to sign, not only promotes freedom of expression but also aims to guarantee data privacy.
Beyond the bill, another move is the Nigeria Data Protection Regulation 2019 (NDPR), released in January 2019 by the National Information Technology Development Agency (NITDA). This was prior to the transmission of the bill for assent.
Why you should care about the NDPR as an individual
The NDPR provides a broad framework for safeguarding the rights of persons to data privacy.
The framework gives organisations in the country (both public and private) that control personal data three months after the release of the NDPR to publicise their respective data protection policies, which must comply with the regulation.
The regulation explicitly states that no data shall be obtained unless the specific purpose of the collection is made known to the data subject. The person or organisation collecting the data must also ensure that the consent of the data subject has been obtained without fraud, coercion or undue influence.
Furthermore, a person's right to object to the processing of his/her data is also safeguarded. A data subject can request information relating to the processing of his/her data, which the data controller is obliged to honour. A data controller, according to the regulation, is a person who either alone, jointly with other persons or in common with other persons or a statutory body, determines the purposes for and the manner in which personal data is processed.
The information requested by the data subject shall be provided for free, except where the data controller considers the request to be “manifestly unfounded or excessive.”
In the event that the request will not be honoured, the organisation shall inform the data subject of the reason for not taking action. This communication has to be made within a month of the request.
What’s in it for organisations (public and private)?
NITDA’s three-month timeline for organisations will soon lapse, which raises the question of what it means for organisations in both the public and private sectors.
Abisodun Adewale, Senior Associate at Olajide Oyewole LLP, affirms that indiscriminate use of people’s data without consent or authorisation is a huge issue, which necessitated the regulation that protects all Nigerians, whether resident in the country or not.
Aside from the three months for organisations to make their data protection policies available to the public, there will also be an audit of data controllers’ privacy and data protection policies three months after the policies have been made public. Adewale believes that the timeline is practical.
There are penalties for organisations that fail to abide by the data regulation. For data controllers dealing with more than 10,000 people, it is either 2% of annual gross revenue of the preceding year or the sum of ₦10 million, whichever is higher. For data controllers dealing with fewer than 10,000 people, the penalty will be the higher value between 1% of the annual gross revenue and the sum of ₦2 million.
NITDA hopes the penalty will be enough motivation for organisations to put in place data protection policies. The aim is to ensure they remain competitive in international trade as a result of the “just and equitable legal regulatory framework on data protection and which is in tune with best practice.”