MAY DAY: GDPR AND BUSINESSES IN NIGERIA
By AJUWON A.R
On the 25th of May, 2018, the European Union will bring to effect the General Data Protection Regulation. Organizations around the world have already started working on their privacy policies to fit the standards of the GDPR. This is why different internet based organizations like Twitter, Facebook, ASOS, Yahoo, Google etc. have been sending messages to their users on the change in data protection policy and asking that the users read the new terms and agree to them. Any internet organizations which has not effected the change by now must do it before the 25th of May this year.
The GDPR will be the most comprehensive body of laws on data protection and privacy in the world. This is perhaps why it has taken the European Union 4-5 years to get it right. The old law on data protection was created in 1995 at a time when the internet wasn’t very popular and was not as widely used as it is today. The law was leaked in 2011 and later modified in 2012 when a draft was released. The GDPR is considered as the heaviest lobbied law in the history of Europe with over 3,000 amendments. If its implementation is successful, it will replace the Directive which had been in existence since 1995 when the internet was still in its infancy. The European Union had given its member countries two years to implement the Regulation. The two year deadline ends on the 25th of May, 2018.
The GDPR, unlike a lot of data regulations or frameworks that have come before it, is the result of four years of work in the area of building upon The 1995 Directive. This work is necessary in order to help the EU modernize data protection legislation for new technological innovations and the evolving digital economy. The GDPR aims to give consumers more control over their data and also to simplify regulation for businesses. This will ensure that both businesses and consumers benefit from the digital economy. Unlike The Directive before it, the GDPR is considered as EU law and there’s no longer any flexibility in its implementation or compromise on its standards.
The GDPR will not only apply to organizations located within the EU, it will also apply to organizations located outside of the EU if such organizations offer goods or services to, or monitor the behavior of EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Why is the GDPR so important anyway? If you have asked yourself this question at any point, then you need to realize that it is important to talk about PRIVACY. The right to Privacy is a fundamental human right. Article 12 of the Universal Declaration of Human Rights provides that: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
The European Court of Human Rights also has similar Articles on Privacy, for example, Article 8 (of the ECHR) which states that: “Everyone has right to respect for private and family life, home and correspondence” is similar to the provision of Article 12 of the UNCHR. The OECD in 1980 developed its own guidelines on the Protection of Privacy and Trans border Flows of Personal Data. The Nigerian Constitution which is the highest law in the country provides in Section 37 that: “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”.
At this point it is worthy of note that although the Nigerian Constitution provides for a Right to Privacy, the absence of a Data Protection and Privacy Law makes it almost impossible to protect and enforce the rights of Nigerians to privacy.
Since, as we have already noted, the GDPR is coming into full effect on the 25th of May, 2018. It is pertinent that we consider its implications for Nigerian businesses.
First and foremost, as had already been discussed, the GDPR applies to you if you process the personal information/data of European Union citizens. This means that any company that works with the information relating to EU citizens will have to comply with the requirements of the GDPR.
The GDPR has now widened the definition of “Personal Data”. In Article 4 (1) it provides: “means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This means that companies now have to follow the definition of personhood as provided in the GDPR.
The Regulation requires that your company notify the data protection regulator within 72 hours of a data breach and, in certain high risk circumstances, the individuals to whom the personal data belongs without undue delay. Also under the regulation, organizations are required to maintain a personal data breach register. Companies must have the technology and processes that enable them to know and handle a data breach. This is provided in Article 33.
THE GDPR requires Privacy to be a part of systems and processes by design. This means that the systems (used by organizations) must ensure privacy and protection of personal data collected for business.
The GDPR also includes new limitations on the use of consent as a ground for processing personal data. This includes requirements that consent language is separate from other information and is unbundled. It also requires that it must be as easy to withdraw consent as to give it. This means an individual can give consent and can withdraw it whenever he feels like it and at any point he requests this withdrawal of consent, his request must be granted.
The fines under the GDPR are significantly higher than those which can be imposed under current law (up to £550,000 under current UK law). Under the GDPR, fines for breaches of certain important provisions can amount to up to €20 million or 4% of (the offending organization’s) global annual turnover, whichever is greater. Fines for breaches of other provisions can amount to up to €10m or 2% of global annual turnover, whichever is greater. Article 83 makes provision for all of these. The means that a Nigerian company that processes the data of Europeans who breaches an important provision like the one on notification of breach will be fined for up to £20 million or 4% of global turnover, depending on the amount that is greater.
The absence of a Data Protection law in the Nigerian constitution makes it very complex and difficult to enforce any data privacy laws in the country. That and the fact that Nigeria has a bad data management culture, a case in point being the transfer of voters’ data by INEC to a third party www.voters.ng. Also compounding the problem is the fact that the government is reluctant to make the necessary changes and ensure their implementation for self-serving purposes. With the GDPR coming in place in a matter of days, there is a need to develop a data protection and privacy law that is tailored specifically to fit Nigerians.
Some business heads might be of the opinion that their businesses don’t deal with personal information of Europeans, hence they are exempted. However it is advisable to fix up and be on the safe side rather than hope it doesn’t affect your business.
As from May 25, 2018, a new era on privacy and data protection will come into place and this will define the manner in which data is used, protected and stored. This will define data protection usage for all countries in the world including Nigeria. However I don’t think we have to wait for a scapegoat before organizations take the GDPR seriously.