NITDA: What the New Nigerian Data Protection Regulation Could Mean for Business
On October 4th, 2019 the attention of the National Information Technology Agency (NITDA) was drawn to the potential breach of privacy rights of Nigerians by the Truecaller Service. The Agency, in accordance with Section 6(f) of the NITDA Act 2007, which empowers the it to render advisory services in all information technology matters to the public and private sectors, informed the public that it commenced investigation of the potential breach.
In this light, what does the National Information Technology Agency (NITDA) done to stop such acts from happening? Is the new process invoke and operational? If so, what do you or your organization know about the new data laws that’s equivalent to the GDPR?
The Rise of the Nigerian Data Protection Regulation (NDPR)
The spate at which Nigerian’s data is being breached by service provider has assumed an epidemic rate. On a daily basis, personally identifiable information of Nigerians is being used by unauthorized persons to further their own interest without the consent of the Data Subject.
The NDPR was issued on 25th January, 2019 pursuant to Section 6 (a,c) of the NITDA Act, 2007. The NDPR was made in recognition of the fact that many public and private bodies have migrated their respective businesses and other information systems online. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against atrocious breaches. Government further takes cognizance of emerging data protection regulations within the international community geared towards security of lives and property and fostering the integrity of commerce and industry in the data economy.
What the New NDPR Represents
To be honest the scope of the regulation is strictly critical as this Regulation applies to all transactions intended for the processing of Personal
Data, to the processing of Personal Data notwithstanding the means by which
the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria. The NITDA — NDPR regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.
This Regulation does not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction.
Why There’s a Need to Act — For Organizations
To be frank, the NITDA and the stated NDPR are not meant to be taken lightly. In simpler terms, organizations are not to joke with the new policy. Take for example the terms on page 18 of the regulation act, it states the following:
“All public and private organizations in Nigeria that control data of natural persons shall, within three (3) months after the date of the issuance of this Regulation, make available to the general public their respective data protection Policies; these Policies shall be in conformity with this Regulation.”
How do large and even small scale public and private organization keep up to speed with this? It’s another critical act to consider as not following up will imply fine and some other sanctions.
Within six (6) months after the date of issuance of this Regulations, each
organization shall conduct a detailed audit of its privacy and data protection
practices with at least each audit stating:
a. personally identifiable information the organization collects on employees
of the organization and members of the public;
b. any purpose for which the personally identifiable information is collected;
c. any notice given to individuals regarding the collection and use of personal
information relating to that individual;
d. any access given to individuals to review, amend, correct, supplement, or
delete personal information relating to that individual;
e. whether or not consent is obtained from an individual before personally
identifiable information is collected, used, transferred, or disclosed and
any method used to obtain consent;
f. the policies and practices of the organization for the security of personally
identifiable information; and more.
Nigerians needed an equivalent of the GPDPR and yes they’ve gotten it but it’s high time to pay the ultimate price on the part of the corporate and even small scale business bodies. How prepared are they to follow up on this? That’s another article for another time.