By Michael Irene, PhD,
Twitter: @moshoke
The assessment of the Nigerian Data Protection Regulation compliance scheme seems like a chore to most Nigerian companies. This article gives a practical scenario for assessing NDPR compliance.
For this scenario, let’s call the business Broski Enterprises Ltd. The company is a Nigerian mid-sized enterprise that exports consumer goods. Its sales and marketing are processed in their Lagos and Accra, Ghana offices. It averages 50,000 online customers in Africa with 15,000 buying something every year. Broski Enterprises Ltd. plans to use facial recognition technology to validate who receives a package, but this new technology is still in the design phase.
Broski Enterprises Ltd. asks the buyers to supply their name, address, bank details, age, and digital photo when purchasing on their website. The data is stored on a cloud server hosted by a U.S firm called Data Secure. The address is used to ship the goods ordered, and the bank card details are used to process payment for the goods. The photo is used for the planned facial recognition feature.
The first step in assessing NDPR compliance in this instance would be to interview the top management, looking for their commitment to both data protection for the firm as a whole and to assess whether the process meets the NDPR principles.
These data protection principles should also be stated in their publicly available data protection statement. Considering the first processing operation would generate these inquiries:
• Was the detail collected and processed under specific, legitimate and lawful purpose consented to by the data subject? Broski Enterprises Ltd. would be expected that its collection of data was based either upon consent or the processing of a contract, but Broski Enterprises Ltd. should have documented which. If consent, what procedures did Broski Enterprises Ltd. have to know that the consent was unambiguous, specific, informed, freely given? Was there an online process that demonstrated the customer agreed to the collection of personal data? Was the consent explicit? Was a record kept of the consent received? How did Broski Enterprises Ltd. inform its customers sufficiently to gain consent? Was data obtained for specific purposes made known to the Data Subject? Is personal data accurate and up to date? What procedures does Broski have to keep data accurate? What controls does Broski have to keep data up to date (re-verifying information provided by the customer, process by which they can update the information stored about them)? How do data subject’s requests for rectification get handled?
• Is security appropriate to prevent unauthorised loss or disclosure of personal data? What are the security levels in place? Has an intrusion detection exercise been carried out? Has staff of Broski Enterprises Ltd. been trained to ensure that they secure data in their possession? Are laptops encrypted? What about the employees’ phones, do they carry customer information?
· Can Broski Enterprises Ltd. demonstrate compliance with the NDPR principles? Is there documented evidence for every type of personal data processed and every type of processing activity undertaken that Broski Enterprises Ltd. has complied with the NDPR principles? Do they maintain a robust recording of processing activities?
After these questions are answered, Broski Enterprises LTD must now focus on other technical assessments. First, there would be a data protection impact assessment. Since they are planning to introduce a facial recognition tool this assessment is vital. Because this is a new technology involving data processed in a new and potentially invasive manner, Broski’s Enterpises Ltd.’s Chief Privacy Officer should ensure that the privacy risks embedded in this new technology are treated. The focus here is on minimising the impact of invasive use of the photo taken by the new tool. The operator of the machine must be trained in data protection principles (access management principles must be considered). Consent has been taken from the data subject. Security measures have been tried and tested.
In designing the tool, Broski Enterprises Ltd. uses the opportunity to install privacy into the technology at an early phase. The designers of the technology must embed into the creation of the tool NDPR principles and ensure they have privacy by design at the heart of the project. To minimise the data, they analyse the programme used in this new technology to create a digital template from the live image of the data subject and determine that they can use fewer data points to extract the needed facial features to match the digital template they created from the uploaded photo of the data subject. Second, a decision is made never to store the image of a data subject taken by the new technology when delivery is made and to delete this new digital template after it is confirmed against the existing digital template. Third, all images and digital templates are encrypted within the new technology, and the keys are securely managed. Fourth, data subjects are notified of this use of facial recognition software when the product is being ordered and when the delivery is scheduled.
When personal data is transferred outside Nigeria to be stored on servers in the U.S, the company must ascertain the safeguards that are in place for these transfers. First, the controller-processor agreement between Broski Enterprises and the cloud storage company must be filled with clauses that conform to the new NDPR principles. The agreement should clearly articulate its commitment to data protection/privacy principles. Confidentiality, integrity, and availability—the triad of information security benchmark model should be used to evaluate that data in transit and at rest are safe from potential attacks.
With these activities, Broski Enterprises Ltd. has an initial high-level assessment of their company’s compliance with the NDPR, including Data Protection Impact Assessment and privacy-by-design for new technologies and can make a report that establishes a baseline level of compliance. The company should now set in motion remediations in every area where there is a compliance gap and set the stage for the future audits where evidence will need to be produced to demonstrate compliance with NDPR and all relevant policies. The company must stay involved in all data protection issues inside the organisation and watch for changes to relevant legislation, standards, and technologies.
