By Michael Irene, PhD
The National Information Technology Development Agency (NITDA) has come up with the Nigerian Data Protection Regulation. This, indeed, is a welcomed development as Nigerian companies over the years, use customers’ data in a willy-nilly fashion.
At the minimum, the regulation aims to “monitor the use of electronic data interchange and other forms of electronic communication transactions.” Without a doubt, the monitoring of how Nigerian banks, insurance companies, and telecommunication companies, just to mention those three industries use, store and transfer data in contemporary times has been largely unmonitored and, at worse, dangerous.
Therefore, NITDA has an onerous task on its hand especially with ensuring that companies: (1) understand what is expected of them with regards to protection of personal data; (2) companies understand the consequences of manipulating personal data; (3) and understand the need for the security and technical organization of personal data.
The regulation aims to achieve the following:
- Safeguard the rights of data subjects
- Foster safe conduct of transactions involving the exchange of personal data
- Prevent manipulation of personal data
- Ensure Nigerian businesses remain competitive in international trade
Another interesting aspect of regulation is the penalty. Companies that process more than 10,000 data subjects are required to pay a fine of 2% of annual gross revenue or pay the sum of N10 million (Approx. $28,000) whichever is greater. And, a company that processes less than 10,000 data subjects pays a fine of 1% of the annual gross revenue of the preceding year or pay the sum of N2 million (Approx. $5,680) whichever is greater. It would be interesting to see how many companies, moving forward, would be fined by NITDA as the governing body has been described as atoothless bulldog.
The foundation of any data protection regulation is the respect of human rights. Nigerian companies or companies in Nigeriatreat data protection with levity. For example, one of the biggest telecommunication companies in Nigeria and Africa, MTN, has never been open about how they use data they collect from Nigerian customers. In addition to that, most data breaches in Nigeria don’t get reported, invariably, highlighting the unserious approach to data protection by companies based in Nigeria. There are reasons for this.
First, the culture of transparency and corporate governance in Nigeria is below average. Second, the rule of law is characterised by insouciance.
The new regulation raises the importance of protecting data subjects. However, NITDA needs to create a massive awareness programme that will inform data subjects about their rights and how they can report companies that violate their privacy.
Companies keepungodly amounts of data these days.They rarely give reasons why they use this data, how it will be stored and who it will be shared with. Although NITDA clearly states that companies must publish their privacy policies online but many companies are yet to follow these instructions. This boils down to the paucity of awareness schemes or programmes by the regulatory body.
I think most companies in Nigeria see the regulation as this: a law on paper. The big question therefore is would companies put the regulation into perspective and begin to readjust their business processes? Another question would be whether they would carry out data mapping exercises to locate existing risks based in their systems and mitigate these existing risks.
Companies with international reputation, in my mind, would begin to take minor steps in the right direction. However, those steps to protect their international face must be turned inward too. A holistic approach towards the protection of data subjects within Nigeria and outside Nigeria should be treated with seriousness.
Again, the NITDA has a lot of work on its hands.Practical steps must be taken to ensure that Nigerian businessesare building risk management frameworks to protect data subjects and their data.
_______________________________________________________________
- Dr Irene, a writer, GDPR expert, contributed this piece from the United Kingdom
