Before the advent of the Nigeria Data Protection Regulation, the only legislation with provisions touching on data protection was the 1999 Nigerian Constitution, which provided that “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”.[1] This provision was obviously not enough to cover the concept of data protection. In 2007, the National Information Technology Development Agency (NITDA) was established and was saddled with the responsibility of, among other things, monitoring and regulating data protection practices in Nigeria. It was in light of this responsibility that the Agency released the Nigeria Data Protection Regulation (NDPR) in January 2019 to extensively regulate the implementation of data protection principles by businesses in Nigeria.
In recent times, data protection has come to be of immense importance to the functioning of businesses. Personal Data (such as names, email addresses, phone numbers, etc.) is handled by businesses in their daily activities, and as such compliance with data protection laws and regulations is necessary. The importance of data protection to the life and expansion of a business is discussed in the following points:
1. Expansion
A common reason for establishing a business is to make profit and also to expand. The goal of expanding to other countries may be seriously impeded by non-compliance with data protection practices. For instance, the European Union has the EU GDPR (European Union General Data Protection Regulation), which regulates data protection practices in Europe. Businesses in other countries that do not have adequate data protection practices are not allowed to process or use the Personal Data of persons resident in and covered by the EU GDPR. This ultimately means that businesses in Nigeria that are non-compliant with the NDPR would be unable to extend their services to Europe and other regions which require them to have data protection practices in place; through non-compliance, their expansion is hindered. In an attempt to address this issue, the NDPR was introduced with objectives among which is to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection. NITDA has done its part in this regard; it is now up to the Nigerian businesses themselves to comply with the provisions of the NDPR.
2. Penalties for non-compliance
This goes without saying. Recently, a fintech company, Electronic Settlement Limited, was fined the sum of N5,000,000 (Five Million Naira) for Personal Data breaches that occurred in its systems. The fine was issued after an investigative process that involved an analysis of the company’s applications and websites, a visit to the company’s office in Lagos, a review of its technical documents as well as an interrogation of its officials.[2]
The NDPR provides sanctions where there has been a breach of its provisions. For businesses with fewer than 10,000 (ten thousand) Data Subjects, the sanction is the greater of 1% of the company’s preceding year’s annual gross revenue or 2 million Naira; for businesses with more than 10,000 (ten thousand) Data Subjects, it is the greater of 2% of the preceding year’s annual gross revenue or 5 million Naira. For businesses that are continually non-compliant with the Regulation’s requirements (for instance, through non-filing of the Annual Data Protection Audit Report for each year), continuous sanctions by the regulatory authority based on the statutory sanctions above will have severe consequences for the finances of the business. The regulatory body is also empowered to issue other administrative orders, such as suspension of service, ordering representatives of companies to appear before the administrative panel, issuing a public notice warning the public to desist from patronising or doing business with the affected party, and referring the matter to appropriate professional bodies for possible sanction of their members involved in the breach. Over time, these continued sanctions would negatively impact the finances of a business as well as its ability to effectively and efficiently offer its services.
3. Criminal Prosecution
NITDA also has the power to institute proceedings and prosecute parties that are in breach of the NDPR. The NDPR Implementation Framework provides that where NITDA has determined that a party is in breach of the NDPR, especially where such breach affects national security, sovereignty and cohesion, it may seek to prosecute officers of the organisation. The Agency is allowed to obtain a fiat from the Honourable Attorney General of the Federation which would allow it to institute the criminal proceedings, or it may file a petition with any authority in Nigeria, including the Economic and Financial Crimes Commission (EFCC), the Nigerian Police Force, the Independent Corrupt Practices (and other related offences) Commission (ICPC), and others.
4. Reputational Damage
It is almost always the case that a Personal Data breach in a company’s system would result in a reduction of users or customers on that platform or system. A data breach on a company’s systems puts the customers and the general public on high alert and generally makes them wary of using such a company’s systems. Worse still is the case where the business does not have appropriate security infrastructure in place to address or mitigate the effects of such a breach. This would affect the inclination of customers to use a particular application or system, or to do business with a particular company that is known for not having adequate security measures in place. This reputational damage will consequently affect the company’s finances as the number of customers or users may begin to decline.
5. Suspension of services
NITDA is empowered to suspend the services of a business pending further investigations. This means that for the duration of the investigation, the business under investigation will be stopped from conducting any form of business activity. The negative impact this would have on the finances of the business goes without saying. The investigation by NITDA may be done either through the conduct of a special audit check or a “spot check”. Investigation may include a review of the policies, procedures or practices of the concerned entity and of the circumstances regarding any alleged violation.
From the above, it is possible that the investigation may span weeks or even months before it is concluded. It would be detrimental for a business to be out of service for such a period because of non-compliance with Personal Data protection practices, and in the worst cases, a company may not recover from such a suspension.
It is therefore advisable that, instead of waiting to be sanctioned by the regulatory authority, companies should be more proactive in their compliance with Personal Data protection practices by ensuring that the following measures are put in place:
a. Top Management to appreciate the current changes in the Nigerian and International Landscape
In order for a business to properly ensure its compliance with data protection laws in Nigeria, it is essential that members of its top management and leadership are well versed in the principles and application of data protection practice in Nigeria as well as in other jurisdictions. This will support proactive compliance by the business and eliminate, to a large extent, the possibility of inaction by management on compliance.
b. Appointment of a Data Protection Compliance Organisation (DPCO)
The NDPR requires companies to file their data protection audit reports on or before the 15th of March every year. To do this, the company first needs to appoint a licensed DPCO to conduct a data protection audit on the company, and to prepare and file an audit report with NITDA on or before the deadline of March 15 every year. DPCOs are organisations licensed by NITDA to assess, audit and train companies while assisting them in ensuring their compliance with data protection laws in Nigeria, including the NDPR. The appointment of a DPCO essentially covers about 90% of compliance requirements, as the DPCO will work to ensure that the company is compliant with Personal Data protection laws by providing appropriate recommendations, documentation and policies to guide the company.
c. Appointment of a Data Protection Officer (DPO)
A Data Protection Officer is an internal officer who works with a company’s management to ensure that it is compliant with the provisions of extant data protection laws. A Data Protection Officer is required where the entity in question is either:
· A government organ, ministry, department, institution, or agency; or
· An organisation whose core activities involve the processing of over 10,000 (Ten Thousand) data subjects per annum; or
· An organisation that processes sensitive Personal Data in the regular course of its business; or
· An organisation that possesses critical national information infrastructure consisting of Personal Data.
Flowing from the above, it is obvious that the importance of proper Personal Data protection practices within an organisation cannot be overemphasised. Businesses are therefore advised to take adequate steps towards compliance with extant Personal Data protection laws, the first of which is the appointment of a Data Protection Compliance Organisation, as that will not only ensure compliance with Personal Data protection laws but will also contribute to the business’s expansion and longevity.