In the digital age, one of the most important regulatory crossroads is data privacy for online users.
Getting data privacy regulation right creates trust in online digital infrastructure, which relies heavily on the collection of data for key decision making.
It is why the Nigerian Information Technology Development Agency (NITDA) should be applauded for steps to regulate the data collection and processing activities of Nigerian companies through the Nigerian Data Protection Regulations 2019 (NDPR).
Yet, as the March 15, 2020 deadline stipulated for the submission of data protection audits approaches, many companies affected by the regulation still have not heard of it.
After extending this deadline twice in 2019, NITDA looks determined this time to impose the relevant sanctions for non-compliance, which range from penalties of up to 2% of the annual gross revenue of a non-compliant company to the other penalties provided under the NDPR.
If you are like many companies just hearing about this regulation, please read our earlier article on the topic.
As you rush to comply, these are other things you should know:
What is the relationship your organisation has with personal data?
The NDPR covers operations performed on personal data like collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, and so on.
You must identify the type of personal data your organisation collects. This will provide clarity on the most effective means to comply with the regulation.
Find a licensed Data Protection Compliance Officer (DPCO) to conduct an audit
NITDA does not accept audit reports by non-licensed auditors. Every audit report required under the regulation must be accompanied by a verification statement by a licensed DPCO.
Your financial auditor is also not allowed to audit your data protection activities, even if it is a licensed DPCO, because of the conflict of interest.
In assessing your organisation’s data processing activities for the purpose of compliance, these are some of the questions that must be answered:
- How is data collected?
- Which department receives such data?
- Why does the organisation process such data?
- What are the security measures taken by the organisation to prevent data breach?
Is your organisation considered high priority by NITDA?
Because of the nature of certain organisations and their access to sensitive consumer data, NITDA considers them high priority as it pushes to drive compliance.
These organisations include: banks, telecommunication companies, Pension Fund Custodians and Pension Fund Administrators, insurance companies, fintechs, notable hospitals, and stock brokers.
If your organisation falls within these categories, it is important to start compliance processes immediately.
Train your employees
Data protection compliance requires the effort of every part of your organisation, because the data collected is often used by different departments.
It is important that employees are aware of the risks that come with handling people’s data and know how to prevent unnecessary regulatory sanctions.
As March 15 approaches, these steps will keep organisations protected from drastic regulatory sanctions from NITDA for their data processing activities.