Following a global wake up call around data privacy, regulatory agencies around the world have started implementing various data protective measures.
The National Information Technology Development Agency (NITDA), Nigeria's own ICT policy implementing arm of the Federal Ministry of Communication, has unsurprisingly joined in the data privacy fight.
In January 2019, it released the Nigeria Data Protection Regulation (NDPR) draft to provide a framework for safeguarding the rights of persons to data privacy.
NDPR refers to data in this context as personal information of users collected by a controller (company) over electronic communication transactions.
Suggested Read: NITDA is on a mission to safeguard the data privacy rights of Nigerians
Provided users register on the website or app to use the services of a company, the controller is able to have access to this information. NDPR stipulations are however against indiscriminate use of people’s data without consent or authorisation.
As a matter of fact, NITDA’s position is that personal data privacy is a sacrosanct right that must be respected by data controllers. The agency wants to eliminate the abuse of privacy rights in the Nigerian digital space.
Keeping up with compliance
After the NDPR release on 25th of January, 2019, the agency set a three-month timeline for organisations to make available their data protection policies to the public. That deadline was due on April 25th, 2019.
In our quest to find out from businesses whether they are compliant with the NITDA policy, a lot passed on the opportunity to offer comment on the matter. But it is unlikely the bill hasn't caught a few's notice.
Join over 3,000 founders and investors
Give it a try, you can unsubscribe anytime. Privacy Policy.
A chat with Dr. Obinna*, founder of a health startup, on the 23rd of April, two days before the due deadline date of NDPR, showed that startups might not yet have been fully compliant with the NITDA's regulation.
"I just forwarded it to my CTO to put steps in place to ensure we are compliant," responded the CEO when asked about his awareness of the NITDA privacy right.
Like him, Hassan*, CTO of one of the many online loan financing platforms said, "We are fully aware of the regulations and have been in talks with our lawyer to see that we are compliant."
He did however note that there are certain requirements of NDPR that are in dissonance with their business, hence the reason they are yet to be fully compliant with the regulation.
Apparently, due to the nature of their services, they are required to work with a number of third parties (including credit reference agencies and mobile network providers). As such, they sometimes reserve the right to share information with them.
Kemi*, founder of another local internet startup that deals with huge customer data, admits that they haven't updated their data and privacy policy in over 2 years. She told Techpoint that their legal team is currently reviewing the existing policy to ensure compliance with the new regulation.
Considering these responses, a burning question is whether NDPR was drafted with respect to the needs of individual businesses or if it's a one-size fits all policy.
The intentions of NITDA
In its defence, NITDA claims that through a series of media engagements, it exposed drafts of NDPR a year prior to its official release.
"The intent was to make the law organic, for easier compliance," an official statement to Techpoint from NITDA reads.
The agency in its statement further claims that NDPR, among all NITDA regulations, received the most contributions and comments by stakeholders, whom it has enlightened at various levels about its intent.
Although it's hard to verify this, it is apparent notwithstanding that the agency understands the inherent risks with abuse of user data.
Especially in this age and time where technology is spreading the illegal use and monetisation of user data, data privacy rights cannot be overemphasised.
Even Dr Obinna* agrees, as he thinks that NDPR is surely in line with keeping the trend worldwide.
"It is fine especially as we also have clients in Europe who have made sure we are compliant with the Global Data Protection Regulation (GDPR)."
But now that the NITDA deadline is passed, will it start imposing sanctions or simply extend the deadline?
The agency is saying that it is more keen on enforcing compliance, as opposed to sanction. However, it has already identified some perennial defaulters whom its proverbial axe might soon fall on should they continue to disregard warnings to improve on their privacy policy.
*Real names have been changed at request of interviewees.