Accountability approach to the Nigerian data protection regulation
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
The notion of accountability in the Nigerian Data Protection Regulation places unencumbered pressures on data protection experts, various data privacy stakeholders, and even data protection authorities.
On one level, it encompasses the Nigerian Data Protection Regulation’s principles and helps organisations display how their processes and business procedures align with the data protection regulation locally and internationally.
At another level, however, accountability represents how policies and procedures are merged in various business units of an institution. In the recent past, most Nigerian companies flout policies that rarely match their business procedures.
Accountability as defined in the new Nigerian Data Protection Regulation, therefore, suggests that companies must show that their respective data protection policies conform to the regulation.
For companies to show their accountability measures, the Nigerian Data Protection Regulation further stipulates that every Nigerian organisation should designate a data protection officer for them to adhere to the regulation. This is quite confusing and requires further explanation.
The accountability approach stipulated in the Nigerian Data Protection Regulation raises technical issues and many questions. One major question that comes to my mind is how would the National Information Technology Development Agency (NITDA) ensures that procedures match policies? How would technical and organisational measures be monitored?
NITDA, the Nigerian data protection authority, has placed this trust in the hands of the Data Protection Compliance Organisation(DPCO). According to NITDA, DPCOs shall monitor, audit, and conduct training and data protection compliance consulting to data controllers under this regulation. As such, the onus has been passed onto to data protection compliance organisations to ensure that companies can demonstrate accountability and ensure that their approach match the regulation.
This is a welcomed approach as it presents some uniqueness to what is seen in other business jurisdictions. However, there is little direction in terms of DPCO regulations and detailed guidance on how accountability must be achieved on behalf of companies.
The involvement of an external body in accountability is indispensable. NITDA, therefore, needs to be clear as to how accountability and transparency must be approached.
NITDA has the rights of authority over DPCOs and companies, and as such, should be at the forefront of publishing detailed steps on the accountability procedures especially in the management of the data protection—including the rights to demand answers and impose sanctions of the organization’s account is not accurate.
Without NITDA’s compulsion to change practices as seen is some companies, accountability will become a facade, which invariably, will water down the power of the regulation.
Furthermore, there needs to be more information about the role of accountability and how it relates to responsibilities from DPCOs and companies alike. A company can always act ‘responsibly’ in its own eyes without knowing that their procedures flout data privacy laws.
NITDA must explain, in a robust manner, the best accountability approach and how companies can display this when they work with various DPCOs. Accountability is more than responsiveness. Accountability is much more complex and needs to be simplified by the data protection authority.
At the moment, the accountability approach is skewed because of the compliance structure defined by NITDA. To make it a seamless and simplified structure, NITDA should simplify the accountability approach. This will further enhance data privacy compliance in Nigeria.