As part of the rush to meet the October 25, 2019 deadline set under the Nigerian Data Protection Regulation (NDPR) issued by the Nigerian Information Technology Protection Agency (NITDA) for companies to submit a data protection audit, I have in the past few weeks led and supported the data protection compliance audit processes for a couple of Nigerian companies.
Companies I have supported include at least a top-tier bank, an electricity distribution company, a luxury hotel, an oil and gas company, a securities exchange and a regulator.
This piece is an attempt to provide practical considerations about the NDPR compliance process for companies looking to make a decision and other stakeholders involved. So here we go.
Data protection regulation is here to stay
Many Nigerian companies still eye the NDPR buzz with a degree of suspicion, secretly wishing it would go away because of the compliance costs in time and resources.
Fortunately, the presence of data protection regulation is becoming globally recognised as a signal for trust in a country’s online business space. As businesses become connected globally and data exchange becomes an increasingly crucial part of commercial transactions, data protection is becoming a risk issue discussed at the negotiation stage between companies in different jurisdictions.
For example, Kenya just passed its data protection law as it prepares to welcome Amazon into the country. Countries that intend to show serious intent to grow trust in their online business infrastructure must take data protection seriously.
Data protection, as far as Nigeria is concerned, is thus in its early stages and not going anywhere soon.
Data protection compliance is a legal, IT, security, human relations and enterprise risk issue
As a lawyer, it is easy to believe that NDPR compliance is a legal issue easily handled by a team of lawyers. This could not be further from the truth. Data protection compliance requires understanding not only a company's policies, contracts and legal engagements, but also its information technology, security, audit and operational systems.
A complete data protection audit results in the synchronisation of all the company's processes so that all data passing through its systems is handled without compromising data integrity or infringing on the privacy of the data owners.
Thankfully, I have had the full support of smart technology specialists, security and HR practitioners within our team.
Data protection compliance is not a one off process but an ongoing one
Apart from the requirement for all companies to submit an audit of their processes before October 25, 2019 or face sanctions, the NDPR also requires companies to submit a yearly audit to the NITDA by the 15th of March every year.
This makes it an ongoing compliance issue for Nigerian companies, much in the same way as financial reports are. Companies should therefore flag this going forward as a key risk consideration, especially considering the likely costs of non-compliance -- a fine of ₦2 million or 2% of the company's turnover for the previous year, whichever is greater.
Aside from this, some of the systems needed to ensure full compliance with global data protection practices may take some companies 2 – 5 years to put in place, especially where additional technology is needed to close existing gaps.
The NDPR may be short but it fundamentally adopts the GDPR approach
The NDPR has been criticised for being sketchy compared to its European equivalent, the General Data Protection Regulation (GDPR). A thorough comparison, however, reveals that the NDPR borrows a lot from the GDPR in its fundamental principles. It treats data privacy as a fundamental right of the data owner (or data subject) which should be protected through regulatory oversight, even though the data has been submitted to a company for the provision of services.
Engagements with the NITDA also show that it intends to flesh out the NDPR organically as it engages with stakeholders in the Nigerian space instead of merely aping the extensive minutiae of the 88-page GDPR.
To cover this gap, I would advise companies to audit their systems with the NDPR in view but with the GDPR in mind. This means that even though the company is looking to comply with the NDPR, it develops systems that are suited to the GDPR, which is becoming accepted as the global standard for data protection compliance.
NITDA needs to step up
The NDPR purports to situate NITDA as the equivalent of an Information Commissioner. An Information Commissioner is meant to be the country's data protection watchdog, enforcing laws that regulate communications, networking and data protection, and making sure that businesses within the country comply with strict data protection principles.
It should also be active in developing the space by regularly publishing reports on the state of data protection within the country and highlighting emerging threats to the landscape and updates to how it operates. This will send a signal of its seriousness, competence and interest in creating confidence in the Nigerian digital space.
It would also help establish NITDA as a trusted resource institution as countries all over the world look to cooperate through their information offices for the protection of personal data in the global digital environment.
In all, if you consider yourself a key stakeholder in the Nigerian digital space, you should keep an eye out for developments in data protection and contribute to developing a framework that makes data sharing online safe for everyone involved.