Laura recently moved back into the country and was looking at setting up her business here in the motherland. She reached out to Siji her childhood friend who was already running a premium beauty parlour and spa.
At their meetup to catch-up, Laura explained to her friend the scope of her business and her plans. She mentioned how her website will be used to collect data for both marketing and other uses. Siji then asked her if she had heard of the Nigeria Data Protection Regulation. Laura said no and Siji then filled her in on all she needed to know.
Here’s a summary of all she said.
What is Nigeria Data Protection Regulation?
The Nigeria Data Protection Regulation NDPR is a set of regulations set by the National Information Technology Development Agency NITDA on the 25th of January, 2019 to set guidelines for the collection and processing of personal data. It is more like the Nigerian version of the General Data Protection Regulation (GDPR) enforced in the European Union. According to NITDA, its objectives are:
- To safeguard the rights of natural persons to data privacy;
- To foster safe-conduct for transactions involving the exchange of personal data;
- To prevent manipulation of personal data; and
- To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.
How does it apply to you and your business?
The NDPR applies to all transactions intended for the processing of personal data of natural persons (individuals) residing in Nigeria or Nigerian citizens residing in foreign jurisdictions. This, therefore, means that if your company deals with information or data of the above-mentioned persons, you must pay attention to the regulation.
Data processing according to the NDPR includes the collection, recording, storage, retrieval, use, disclosure, transmission, erasure and destruction of personal data. This means that even if all your company does is merely store personal data of persons without performing further analysis or even involving a third party in the use of data, the regulation covers you too.
Another point to note is that a major highlight of this regulation is the strengthening of the right of individuals to provide and decide what is done with the information they share with your business. They have certain rights such as the right to information about their personal data, right to access their personal data, right of rectification of their information, right to withdraw consent, right to object to the processing of personal data, right to demand for automated processing, right for data portability and the right to be forgotten, right to lodge a complaint with the NITDA or another relevant regulator.
This implies that personal data may only be processed if at least one of five legal bases are met:
- The data subject provides consent, or if the processing is necessary;
- For the performance of a contract;
- To meet a legal obligation;
- To protect the vital interests of the data subject; or
- For the performance of a task carried out in the public interest.
Complying with the NDPR
As a business, whether big or small, you never want to be caught on the wrong side of the law. Therefore, for your business to comply with the NDPR, ensure that the following are done:
- Develop adequate security systems to protect data within your care. Such security systems include setting up firewalls, employing data encryption technologies, amongst others. In line with this requirement, you must also maintain and publish a data protection policy that is in conformity with the NDPR.
- When you engage the service(s) of a third party to process personal data, you must ensure that such third party complies with the provisions of the Regulation. Draw up a contract to ensure this.
- Train your staff members on data protection and privacy procedures. The NDPR also mandates you as a business to appoint Data Protection Officers, which may be internal or outsourced to a competent firm, for the purpose of ensuring compliance with the regulation.
- Conduct an audit on the data privacy policies of your company to ensure that it is in conformity with the NDPR. Companies that process personal data of more than 1000 individuals within a period of six months are mandated to file a soft copy of the summary of their audit to the NITDA. Also, companies that process personal data of more than 2000 individuals within a period of 12 months are mandated to file a summary of their audit to NITDA, not later than 15 March in the following year.