Data is king but with conditions under Nigeria’s Data Protection Law
Corporations holding large volumes of data on Nigerians must develop data management processes to protect that data.
Affected firms should conduct audits of their data management processes by 25th July 2019.
A Nigerian entity transferring data to a foreign entity must seek appropriate regulatory approvals or consent from the data subjects.
In January 2019, Nigeria joined a growing number of nations fighting to protect the privacy of personal data used in online transactions. Persons obtaining personal data of Nigerians both home and abroad have a duty of care to ensure the data is not compromised either by acts of omission or commission. In a digital economy where cybersecurity is core to a firm's survival, the duty of care isn't an easy one to observe. However, abiding by the rules will save corporations a ton of money in damages arising from misuse of data or penalties from failure to comply. The question is, what are these rules? This article discusses the core aspects of the Nigerian Data Protection Regulation ('The Regulation'), which any person using or controlling personal data of others must observe.
Any firm in possession of data that identifies a person falls within the scope of the Regulation. Identifiable information includes names, identification numbers, the location of persons, or other methods of identifying a person, whether by physical, physiological, or cultural features. Examples of firms that could be affected include banks; fintech companies; government departments; HR firms; news, entertainment or blogging platforms with subscription forms that collect data from users on their websites; large corporations with a database of their employees; payment platforms that store information of customers; and so on. Affected firms must obtain such data lawfully.
The Regulation only applies when personal data collected relates to Nigerian residents or persons of Nigerian descent who are resident abroad ('Nigerian person').
Affected firms in public and private sectors were required to publish their data protection policies in compliance with the Regulation by 25th April 2019. They are also expected to appoint a data protection officer in charge of ensuring compliance with the Regulation. In recent times Nigeria has experienced growth of tech startups, primarily in the fintech industry. These firms will be affected by the Regulation because of their access to private information of many Nigerians. Thus it is necessary that they develop a unit solely focused on managing the data and reporting their data protection policies to the National Information Technology Development Agency (the "Agency").
When data processing is lawful
A person in possession of personal data can lawfully process it if granted consent, or if acting according to a legal obligation or a contract with the Nigerian subject, or for the protection of the Nigerian person or the public.
In the course of using our Service, we may ask that you provide personally identifiable information so we can contact or identify you ("Personal Data"). Such information includes, but is not limited to:
First name and last name
Phone number
Cookies and Usage Data
We use your Personal Data for legitimate business purposes to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You have the right to decline future receipt of any, or all such communications from us by clicking the unsubscribe link or instructions provided in any email we send.
A firm must restrict the use of such data to the purposes listed in their privacy policies which must be available on their online platforms.
Additionally, the forms should contain opt-in options where users confirm their legal age is above 18 to ensure they have the legal capacity to give such consent.
Safeguards required by the Act
The data held by some firms in Nigeria has enormous value. An example is Firm A, which holds information on software developers and their skill sets. At the moment, such developers are in high demand in Nigeria because various companies are migrating to the cloud and need persons who can manage their databases and information systems. Rather than engaging in a wild goose chase searching for software developers, Company B's HR department can pay Firm A to provide direct information on developers with specific skill sets.
Individuals whose information Firm A controls also need protection. Thus the Regulation imposes a duty of care on Firm A with regard to the data it possesses. It must create a system that protects its database from cyber-attacks, thefts, breaches, and any form of manipulation or damage by natural elements such as rain or fire. It is advisable that Firm A develops an internal policy for accessing such data, for instance by restricting access to certain persons within the IT department and engaging in continuous training on management of the database. Any policy developed must extend to third parties who process the data.
Over time, it is advisable firms conduct audits of their pri