WHAT A NOVICE SHOULD KNOW ABOUT DATA PROTECTION IN NIGERIA
By: Samuel Ngwu, CIPP/E
The enactment of the General Data Protection Regulation (GDPR) 2018 and the Nigeria Data Protection Regulation (NDPR) 2019 drastically changed the data protection and privacy landscape in Nigeria and around the world. The regulator has been pressing institutions and bodies, with penalties, to ensure compliance when processing personal data. Unfortunately, many institutions and individuals do not understand what data protection is about or how to comply with the Regulation. This write-up explains, in simple terms, some of the key concepts that will aid understanding of what data protection is and the steps to take to comply.
What is data protection?
A mechanism or process put in place to ensure the protection of personal data. It guarantees the integrity, availability, and confidentiality of personal data.
When does data protection law apply?
Data protection applies where information belonging to someone (data subject) is used in some manner by some other person or organization that is not purely for personal or household activities.
What is the main law that governs data protection in Nigeria?
The Nigeria Data Protection Regulation 2019 (NDPR) and the Data Protection Implementation Framework 2020 (DPIF) govern data protection in Nigeria. The DPIF clarifies the NDPR and is read in conjunction with it (Article 2 DPIF). There are also sectoral laws that affect data protection in Nigeria.
What does NDPR cover?
- Processing of personal data by automatic (computer) and non-automatic (manual filing system) means.
- Processing of personal data of any person living in Nigeria and Nigerian citizens living outside Nigeria.
What does NDPR not cover?
NDPR does not apply to the following:
- household or purely personal activities. These are processing activities not connected to commercial or professional activities, e.g., keeping correspondence, keeping an address book or social networking for purely personal use.
- where personal data is processed for national security, public health, safety and order by Federal, State or Local Government agencies, or by those they expressly appoint to carry out such duties on their behalf.
- the investigation of criminal and tax offences.
- the collection and processing of anonymized data.
- personal or household activities.
What is personal data?
Personal data is any information about an identified or identifiable living person. They include name, birth, date of birth, photograph, audio or video, internet protocol address, location etcetera.
When is a piece of information identified or identifiable?
A piece of information is identified when the information alone can identify an individual, for example a name. A piece of information is identifiable if additional information is required before it can identify an individual, for example a phone number or a car plate number.
Are Pseudonymized and Anonymized data personal data?
Pseudonymization is the process of removing or hiding an aspect of personal data to make it difficult to identify an individual. Pseudonymized data is identifiable personal data and thus still personal data, because there remains the possibility of re-identifying an individual. Where re-identification is impossible, the information is said to be anonymized and does not amount to personal data.
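As an added illustration (example code, not from the original article), the following Python shows why pseudonymized data remains personal data while aggregated, anonymized data does not: the controller's lookup table makes re-identification possible, whereas the anonymized output keeps no link to any row. The records and the controller key are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for the example; not real individuals.
RECORDS = [
    {"name": "Ada Obi", "phone": "08012345678", "dob": "1990-05-14", "city": "Lagos"},
    {"name": "Chidi Eze", "phone": "08098765432", "dob": "1985-11-02", "city": "Abuja"},
    {"name": "Ngozi Udo", "phone": "08011122233", "dob": "1992-07-21", "city": "Lagos"},
]

# Hypothetical secret held only by the controller; in practice keep it in a KMS/HSM.
CONTROLLER_KEY = b"constructed-example-key-kept-by-controller"


def pseudonymize(records, key):
    """Replace direct identifiers (name, phone) with a keyed HMAC token.

    Returns the pseudonymized rows and the lookup table the controller keeps.
    Because the table (or the key) lets rows be linked back to a person, the
    rows are still identifiable and therefore still personal data.
    """
    lookup, rows = {}, []
    for r in records:
        token = hmac.new(key, r["phone"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {"name": r["name"], "phone": r["phone"]}
        rows.append({"id": token, "dob": r["dob"], "city": r["city"]})
    return rows, lookup


def reidentify(row, lookup):
    """Re-identification: whoever holds the lookup table recovers the person."""
    return lookup.get(row["id"])


def anonymize(records, k=2):
    """Aggregate into (birth decade, city) counts, dropping every identifier.

    Cells with fewer than k people are suppressed, since a cell of size 1 would
    still single out an individual. Nothing in the output maps back to a row,
    which is what takes it outside the definition of personal data.
    """
    def decade(dob):
        year = int(dob[:4])
        return f"{year - year % 10}s"
    counts = Counter((decade(r["dob"]), r["city"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= k}
```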
What is a special category of personal data and why is it special from other personal data?
These are a set of personal data that need more protection because they are sensitive. They include religious or political views, sexual orientation, health, race, ethnicity, trade union membership, criminal records, or any other sensitive personal information. Processing these data requires an additional lawful basis; in Nigeria, they can only be processed with express consent. Sensitive data are given special treatment because their misuse can easily lead to discrimination, which can greatly affect an individual.
When is personal data processed?
Personal data is processed when a controller holds, stores, uses, consults, retrieves, discloses, shares, erases or destroys personal data. Remember, if this is done for a purely personal or household activity, data protection law will not apply.
Who is a data controller and what is their responsibility?
A data controller is a person, company, agency, or organization that determines the purpose and means (how and why) personal data should be processed. Where two or more persons or bodies take this decision, they will be regarded as joint controllers in which case they will both bear the responsibilities. The main responsibility of the data controller is to comply with the principles of data protection: the principle of lawfulness, fairness and transparency, purpose limitation, data minimization, data accuracy, storage limitation, integrity and confidentiality and accountability.
Who is a data processor and what is their responsibility?
A data processor is a person, company or other body that processes personal data on behalf of a controller. Under NDPR they are called data administrators. They do not determine the purpose and means of processing personal data but act on the instructions of the data controller. Where processing is outsourced, there must be a contract or law evidencing the role and responsibilities of the processor towards the controller. In any case, a processor should:
- aid the controller in complying with the principles of data protection
- ensure adequate technical and organizational measures
- report a data breach to the controller
- appoint a data protection officer
- enter into a contractual relationship with the controller before undertaking processing on its behalf
- comply with the regulatory authority
- ensure its employees are reliable
- comply with the conditions set out for international transfer of personal data, and so on.
Where a processor acts beyond the instructions given by the controller, the processor becomes the controller for that processing.
Who is a data protection officer (DPO)?
A qualified practitioner in the field of data protection appointed by a controller or processor to advise on and monitor internal compliance with data protection obligations. Appointing a DPO helps a controller demonstrate compliance with the Regulation. Article 3.4.1 DPIF 2020 identifies the organizations expected to appoint a DPO:
- Public institutions,
- an organization that processes over 10,000 personal data,
- an organization that processes sensitive personal data in the regular course of business and
- an organization that possesses critical national information infrastructure consisting of personal data.
What is the legal basis?
This is the lawful justification or reason for processing personal data. Personal data should not be processed unless there is one or more lawful bases for the processing. A controller processing personal data will have to rely on one or more of these bases:
- Performance of contract
- Legal obligation
- Vital interest of data subject or third party
- Public interest or official authority
- Legitimate interest
Processing must be reasonable and proportionate and comply with the data minimization principle. Note that the NDPR does not provide legitimate interest as a legal basis; however, Article 16 of the DPIF provides that recourse may be had to the General Data Protection Regulation (GDPR) or other international data protection legislation where the NDPR fails to provide a data protection principle or process.
What are the rights of data subjects?
The law gives data subjects certain rights which they can exercise at any time against the controller depending on the circumstances of the case. These rights are:
- Right to be informed how and why your data is being processed
- Right to access your personal data
- Right to correct inaccurate data and have incomplete data completed
- Right to request deletion or erasure of your personal data
- Right to restrict how your data are being processed
- Right to object to the processing of your personal data
- Right to receive or have your data transferred to another controller in a structured, commonly used and machine-readable format
- Right not to be subject to automated decisions including profiling (i.e., decision made without human intervention)
- Right to lay a complaint
How can these rights be exercised?
The rights are exercised by an individual making a data subject request to the controller. Where the controller fails to honour the request, a complaint can be made to the Regulator or brought before a court.
What is a data protection audit?
It is the process of identifying how data is being used across a company or organization to ascertain whether it is complying with data protection regulations. A data protection audit reveals where data is, how it is processed, how secure it is, where it is transferred, whether the company has a lawful basis for processing, and what can be done to comply with NDPR and, by extension, GDPR. A controller who processes more than 2000 personal data on an annual basis is mandated to conduct a data protection audit not later than 15th March of the following year.
What is data protection impact assessment (DPIA)?
It is a comprehensive analysis of a processing activity to identify and minimize data protection risks. A DPIA should consider the risk the processing poses to compliance and to the rights and freedoms of individuals, including the potential for significant social or economic disadvantage. Companies will be required to conduct a DPIA if they engage in the following kinds of processing:
- evaluation or scoring (profiling)
- automated decision-making with legal or similarly significant effect
- systematic monitoring
- processing of sensitive or highly personal data
- processing of personal data relating to vulnerable or differently-abled data subjects
- deployment of innovative processes or application of new technological or organizational solutions.
What is a privacy notice?
A privacy notice is an external privacy statement informing individuals and other stakeholders how an organization processes their personal information. Privacy notice helps data controllers comply with the principle of transparency and the right of data subjects to be informed how and why their personal data are being processed. It is mostly hosted on a website but can also be posted in a conspicuous place in the company’s office if it does not have a website.
Does General Data Protection Regulation (GDPR) apply in Nigeria?
Yes, where a controller in Nigeria has an establishment in a European country, offers goods and services to data subjects in the European Union, or monitors the behaviour of data subjects in the European Union. GDPR is the data protection regulation that governs the processing of personal data in the European Union, and it has extraterritorial application.
What is a data breach?
It means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. For instance, sending an email containing the personal data of a person to the wrong person amounts to a data breach.
What is the obligation of the controller and processor when a data breach occurs?
The data controller is obligated to notify the Regulator (NITDA) of a data breach within 72 hours of becoming aware of it. The controller should also notify the data subjects where the breach is likely to result in high risks to their rights and freedoms, and should document the notification. At the same time, a data processor is obligated to notify the data controller of a data breach as soon as the processor becomes aware of it.
How to comply with NDPR and GDPR
- Conduct a data protection audit / data flow mapping. This gives you an understanding of where data is, how it is processed, how secure it is, where it is transferred, whether the company has a lawful basis for processing, and what can be done to comply with NDPR and, by extension, GDPR.
- Provide a privacy notice to data subjects to comply with the transparency principle and the right to be informed.
- Document record of your processing, the purposes, uses, lifespan and security measures put in place to protect personal data.
- Conduct data protection impact assessment where processing will present high risk or new technology is to be deployed.
- Appoint a DPO to demonstrate compliance with the data protection Regulation.
- Identify, rely on, and document a lawful basis for processing personal data.
- Ensure a third-party contract whenever you intend to share personal data with a third party. The contract will explain the obligation of the parties.
- Provide additional safeguards where you intend to transfer personal data to countries without adequate data protection Regulation.
- Provide internal policies and procedures for processing personal data.
Why do you need to comply?
- To avoid penalties: under the NDPR, anyone who fails to comply is liable to a fine of 2 million to 10 million (in naira) or 1% to 2% of annual gross revenue.
- To avoid Litigation
- To avoid reputational damage.