Data Protection And Its Relevance To Business Sustenance

Before the advent of the Nigeria Data Protection Regulation, the only legislation with provisions touching on data protection was the 1999 Nigerian Constitution, which provided that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”.[1] This provision was obviously not enough to cover the concept of data protection. In 2007, the National Information Technology Development Agency (NITDA) was established and was saddled with the responsibility of, among others, monitoring and regulating data protection practices in Nigeria. It was in light of this responsibility that the Agency released the Nigeria Data Protection Regulation (NDPR) in January 2019 to extensively regulate the implementation of data protection principles by businesses in Nigeria.

 

In recent times, data protection has come to be of immense importance to the functionality of businesses. Personal Data (such as names, email addresses, phone numbers, etc.) is handled by businesses in their daily activities, and as such compliance with data protection laws and regulations is necessary. The importance of data protection to the life and expansion of a business is discussed in the following points:

 

1.     Expansion

 

A common reason for establishing a business is to make profit and also expand. The goal of expanding to other countries may be seriously impeded by non-compliance with data protection practices. For instance, the European Union has the EU GDPR (European Union General Data Protection Regulation), which regulates data protection practices in Europe. Businesses in other countries that do not have adequate data protection practices are not allowed to process or use the Personal Data of persons resident in and covered by the EU GDPR. This ultimately means that businesses in Nigeria that are non-compliant with the NDPR would be unable to extend their services to Europe and other regions which require them to have data protection practices in place, and as such, through non-compliance, their expansion is hindered. In an attempt to address this issue, the NDPR was introduced with objectives among which is to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection. NITDA has done its part in this regard; it is now up to the Nigerian businesses themselves to comply with the provisions of the NDPR.

 

2.     Penalties for non-compliance

 

This goes without saying. Recently, a fintech company, Electronic Settlement Limited, was fined the sum of N5,000,000 (Five Million Naira) for Personal Data breaches that occurred in its systems. The fine was issued after an investigative process that involved an analysis of the company’s applications and websites, a visit to the company’s office in Lagos, a review of its technical documents as well as an interrogation of its officials.[2] The NDPR provides sanctions where there has been a breach of its provisions, which include the greater of 1% of a company’s preceding year’s annual gross revenue or 2 million Naira for businesses with less than 10,000 (ten thousand) Data Subjects, and the greater of 2% of its preceding year’s annual gross revenue or 5 million Naira for businesses with more than 10,000 (ten thousand) Data Subjects. For businesses that are continually non-compliant with the Regulation’s requirements (for instance, non-filing of the Annual Data Protection Audit Report for each year), continuous sanctions by the regulatory authority based on the statutory sanctions above will have severe consequences on the finances of the business. The regulatory body is also empowered to issue other administrative orders such as suspension of service, ordering representatives of companies to appear before the administrative panel, issuing a public notice to warn the public to desist from patronizing or doing business with the affected party, and referring the matter to appropriate professional bodies for possible sanction of its members involved in the breach. Over time, the result of these continued sanctions would negatively impact the finances of a business as well as its ability to effectively and efficiently offer its services.

 

3.     Criminal Prosecution

 

NITDA also has the power to institute proceedings and prosecute parties that are in breach of the NDPR. The NDPR Implementation Framework provides that where NITDA has determined that a party is in breach of the NDPR, especially where such breach affects national security, sovereignty and cohesion, it may seek to prosecute officers of the organization. The Agency is allowed to obtain a fiat from the Honourable Attorney General of the Federation which would allow it to institute the criminal proceedings, or it may file a petition with any authority in Nigeria including the Economic and Financial Crimes Commission (EFCC), Nigerian Police Force, Independent Corrupt Practices (and other related offences) Commission (ICPC), et al.

 

4.     Reputational Damage

 

It is almost always the case that a Personal Data breach in a company’s system would result in a reduction of users or customers on that platform or system. A data breach on a company’s systems consequently puts the customers and the general public on high alert and generally makes them wary of the use of such company’s systems. Worse still is the case where the business does not have appropriate security infrastructure in place to address or mitigate the effects of such breach. This would affect the inclination of customers to use a particular application or system, or to do business with a particular company that is known for not having adequate security measures in place. This reputational damage will consequently affect the company’s finances as the number of customers or users may begin to decline.

 

5.     Suspension of services

 

NITDA is empowered to suspend the services of a business pending further investigations. This means that for the duration of the investigation, the business under investigation will be stopped from conducting any form of business activity. The negative impact this would have on the finances of the business goes without saying. The investigation by NITDA may be done either through the conduct of a special audit check or a “spot check”. Investigation may include a review of the policies, procedures or practices of the concerned entity and of the circumstances regarding any alleged violation.

 

From the above, it is possible that the investigation may span weeks or even months before it is concluded. It would be detrimental for a business to be out of service for such period because of non-compliance with Personal Data protection practices and in worse cases, a company may not recover from such suspension.

 

It is therefore advisable that instead of waiting to be sanctioned by the regulatory authority, companies should be more proactive in their compliance with Personal Data protection practices by ensuring that the following measures are put in place:

 

 

a.         Top Management to appreciate the current changes in the Nigerian and International Landscape

 

In order for a business to properly ensure its compliance with Data Protection laws in Nigeria, it is essential that members of its top management and leadership are well versed in the principles and application of data protection practice in Nigeria as well as other jurisdictions. This will assist in proactiveness for compliance by the business and eliminate, to a large extent, the possibility of inaction by management on compliance.

 

b.        Appointment of a Data Protection Compliance Organisation (DPCO)

 

The NDPR requires companies to file their data protection audit reports on or before the 15th of March every year. To do this, the company first needs to appoint a licensed DPCO to conduct a data protection audit on the company, and to prepare and file an audit report with NITDA on or before the timeline of March 15 every year. DPCOs are organisations licensed by NITDA to assess, audit and train companies while assisting them in ensuring their compliance with data protection laws in Nigeria including the NDPR. The appointment of a DPCO essentially covers about 90% of compliance requirements as the DPCO will work to ensure that the company is compliant with Personal Data protection laws by providing appropriate recommendations, documentation, and policies to guide the company.

 

c.         Appointment of a Data Protection Officer (DPO)

 

A Data Protection Officer is an internal officer who works with a company’s management to ensure that it is compliant with the provisions of extant data protection laws. A Data Protection Officer is required where the entity in question is either:

 

·         A government organ, ministry, Department, institution, or Agency; or

 

·         Where the core activities of the organisation involve the processing of over 10,000 (Ten Thousand) data subjects per annum; or

 

·         Where the organisation processes sensitive Personal Data in the regular course of its business; or

 

·         The organisation possesses critical national information infrastructure consisting of Personal Data.

 

Flowing from the above, it is obvious that the importance of proper Personal Data protection practices within an organisation cannot be overemphasised. Businesses are therefore advised to take adequate steps towards compliance with extant Personal Data protection laws – first of which is the appointment of a Data Protection Compliance Organisation as that will not only ensure compliance with Personal Data protection laws but will also contribute to its expansion and longevity.

 



[1] Section 37 of the 1999 Nigerian Constitution as amended

For further information on the foregoing (none of which should be construed to be an actual legal advice), please contact: info@ao2law.com
Bidemi Olumide

Partner

bidemi.olumide@ao2law.com

Uwemedimo Atakpo Jnr

Associate

uwemedimo.atakpo@ao2law.com
