If you are an organization, public or private, operating in Nigeria, the Nigeria Data Protection Regulation (NDPR) and its requirements for the digitalization and processing of your organization’s database of personal data almost certainly affect you, ESET Nigeria has reminded businesses.
These requirements, the global cyber security company said, are already in force; their implications are complex and the potential penalties for non-compliance are severe.
The MD of ESET Nigeria and Ghana, Mr Olufemi Ake, who made these remarks at a Zoom conference recently organized to discuss ‘how organizations can comply with the data protection regulations’, stated that encrypting data and adding an additional authentication factor for access to data are a few of the ways organizations can meet the new data security and compliance rules.
What is NDPR?
The National Information Technology Development Agency (NITDA, hereinafter referred to as the Agency) is statutorily mandated by the NITDA Act of 2007 to, inter alia: develop Regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour and other fields, where the use of electronic communication may improve the exchange of data and information.
NITDA introduced the Nigerian Data Protection Regulation (NDPR) and has enforced compliance with it since January 2019. It sets new requirements for the collection and processing of personal data and requires such activities to be carried out for a lawful purpose consented to by the Data Subject.
“Due to this,” Mr. Ake said, “organisations are mandated to put compliance measures in place within the first year of the regulation.”
“Compliance with this regulation will impact Data Protection Governance, Information Systems & Security Configuration, as well as Documented Policies & Processes,” Mr. Ake added.
He also enumerated the objectives of the regulation as “to safeguard the rights of natural persons to data privacy; foster safe conduct for transactions involving the exchange of Personal Data; to prevent manipulation of Personal Data; and to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.”
“NDPR applies to all storage and processing of Personal Data conducted in respect of Nigerian citizens and residents and it covers transactions intended for the processing of personal data and to the actual processing of personal data and person(s) residing in Nigeria or residing outside Nigeria but of Nigeria nationality.”
“Unlike the EU’s General Data Protection Regulation (the GDPR), NDPR is not enforced on persons and organizations outside Nigeria that collect, store, or process data of Nigerians.”
Potential Consequences for Non-Compliance with NDPR
The maximum penalty for breaches of data privacy rights on international transfers can be up to N10M or 2% of the annual gross revenue of the preceding year, whichever is higher, depending on the number of Data Subjects dealt with.
“Other massive losses that non-compliance could cause are reputational damage and prosecution of principal officers in the event of a severe data breach,” he said.
On compliance requirements, he said that the NDPR regulation requires that Data Controllers and Data Processors:
- Engage a Data Protection Compliance Organization (DPCO) to perform a Data Protection Audit and file a report with NITDA within the stipulated timeline
- Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance initiatives within the organization
- Document and publish a data protection policy in line with the requirements of the Data Protection Regulation
- Ensure continuous capacity building and training for the Data Protection Officer and other personnel involved in processing personal data
Mr. Ake also described ESET as an NDPR Compliance Enabler
“To ensure 100% compliance, organisations should ensure the following solutions are deployed and proactively used.”
1. Organizations are strongly advised to deploy a Data Loss Prevention (DLP) solution to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Most important are solutions such as ‘Safetica’ that classify regulated, confidential and business-critical data and identify violations of policies defined by the organization or taken from a predefined policy pack, typically driven by regulatory compliance requirements such as HIPAA, PCI-DSS, or NDPR.
2. Multi-factor Authentication will serve as an additional layer of protection of data from unauthorized users. This tool will help Data Controllers secure all logins to databases and networks (on-premise and cloud) by generating a one-time password that is unique to a particular user and to each login, and known to no one else. An excellent example of such a solution is ESET Secure Authentication.
3. Finally, organisations should also deploy data encryption technologies, develop an organizational policy for handling personal data (and other sensitive or confidential data), protect email systems and ensure continuous capacity building for staff. Reports have shown that most organizations in Nigeria seek the above solutions to meet the compliance requirements of NDPR on data security.