In line with the provisions of Nigeria’s National Information Technology Development Agency (NITDA), Techpoint Africa has fulfilled compliance requirements for the Nigeria Data Protection Regulation (NDPR).
The NDPR, which was released on January 25, 2019, provides a broad framework for safeguarding the rights of individuals to data privacy.
Individuals and businesses alike are gradually moving online. But surfing the web without regard to data privacy is like going onto a battlefield without any armour.
Though most people do not seem to care who has access to their data, in this article, we peeked into the mind of a hacker to understand why data privacy should be taken seriously.
In January 2019, NITDA set a three-month deadline for NDPR compliance. However, one month after the deadline, several startups had still not met the requirements.
The ICT development agency has since made other deadlines for companies to comply, with June 30, 2020, being the most recent.
Techpoint Africa has gone through the regulatory compliance check and we discovered that NDPR compliance is a continuous process.
Why is being NDPR compliant important for Techpoint Africa?
Based on this earlier article, any company that processes personal data is recognised as a data controller. When NITDA released the NDPR, some organisations might have wondered if it applied to them.
“Even before the NDPR was instituted, Techpoint Africa has always taken data privacy seriously,” says Muyiwa Matuluko, co-founder and editor-in-chief of Techpoint Africa.
This is linked to the fact that Techpoint Africa handles the data of past event attendees, those who have purchased our reports, data of team members, and subscribers, etc.
Who was involved in the check?
It involved a licensed Data Protection Compliance Organisation (DPCO) sanctioned by NITDA to submit the final audits. In our case, it was TechHive Advisory. Lawrathon partnered with the DPCO to make this happen.
How much did it cost?
Submitting to NITDA costs ₦50,000 ($129.79). In addition to that, the DPCO charges a fee, which you both agree on, to interface with NITDA on your behalf.
What were the steps involved?
The compliance check involved a thorough audit of Techpoint Africa’s data flow processes. Madubuike reveals that the NDPR compliance check involved quite a number of processes.
“Lawrathon started with an audit of the Company’s data flow processes. This means that we sought to understand how the Company collects, uses, shares, transfers, and exchanges data both within and outside the Organisation. This involved interviewing every department to get a view of their data practices,” he explains.
“The preliminary audit revealed gaps within the Company’s data handling processes which led to the development of new policies, creation of new processes, and knowledge development schedules to keep key employees informed of best practices.”
What kind of data was analysed?
The compliance check involved analysing different types of personal data, which warranted different kinds of safeguards and policies.
“We analysed personal identifiable information collected and used by the Organisation,” says Madubuike.
Personally identifiable information (PII) is any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records.
Also falling under PII is any other information that is linked or linkable to an individual, such as medical, educational, financial, or employment records.
Examples of PII include, but are not limited to:
- Name: full name, maiden name, mother’s maiden name, or an alias.
- Personal address information: street address or email address.
- Personal telephone numbers
- Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting.
- Biometric data: retina scans, voice signatures, or facial geometry.
- Information identifying personally owned property: VIN number or title number.
- Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person.
How long did the NDPR compliance check take?
The compliance check process took about two weeks.
“We started in the middle of June and submitted the final audit to NITDA by the 26th,” Madubuike reveals.
Did it bring any change in privacy policies?
Lawrathon updated Techpoint Africa’s privacy policies, data protection, and retention policies.
“We are also looking to incorporate best practice in data handling within the organisation through constant training and internal self-reporting procedures,” Madubuike says.
What safeguards were put in place?
A proper data breach detection process and the appointment of a data protection officer (DPO).
As a consequence of the audit, Techpoint Africa is looking to set up better systems for personal data collection, use, and transfer. Also, the appointment of a data protection officer within the Organisation will ensure proper processes for data breach detection and notification are in place.
According to Madubuike, the DPO will also liaise with the DPCO on behalf of the company.
“We are definitely more conscious of how we particularly handle offline data now. Thankfully, we have a safe but there are still a few processes and systems we need to put in place,” Matuluko explains.
Is the compliance process over?
No, it is an ongoing process.
While Techpoint Africa has met the requirements to audit its handling of personal data in line with NITDA regulations, compliance is an ongoing process. Yearly data privacy audits have become a requirement for Nigerian companies and Techpoint Africa, like many other similar companies, must continue to tune its systems to attain best data privacy practices.