AS the financial sector grapples with electronic fraud in the country, there seems to be light at the end of the tunnel.
According to Abimbola Aseyoju,
the Managing Director of DataPro Limited, Mr. Abimbola Adeseyoju, a frontline compliance solutions company and licensed Data Protection Compliance Organisation (DPCO), the Nigeria Data Protection Regulation (NDPR) can be used to fight cybercrime in the country.
According to him, “One sure way of combating crime is by apportioning effective, proportionate, dissuasive and commensurate punishment for offenders and those who go against the provisions of the regulation.”
In this interview with journalists in Lagos, he sheds more light.
National Privacy Day
The day was first celebrated in Europe in 2007. By 2009, the United States Government started recognizing the day as National Day Privacy Day. And since then it has assumed global recognition and celebration.
The day is set aside to raise awareness and promote privacy and data protection best practices. We are now in a digitised, globalised and technologically driven world. The commemoration of the day is to remind all operators and players within the digitalised world about their obligations on data privacy and protection and the need to avoid data breaches, abuse and mis-use.
The day is particularly quite significant in Nigeria. We are happy that Nigeria has now joined the rest of the developed world in recognising data privacy and protection as part of the fundamental rights of all Nigerians.
The importance of having the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA) on the January 25, 2019 is that every citizen of Nigeria irrespective of wherever they reside all over the world is now guaranteed, data privacy as part of their fundamental human rights and can demand for justice any time this right is breached, abused or mis-used.
So it is quite significant that Nigeria is joining the rest of the civilised world to celebrate the occasion and awaken the sensibilities of all Nigerian on what the Federal Government has done to protect their rights. This is indeed a plus on the part of the government, and it again, calls for a pat on the back. They have done well in this regard.
The National Information Technology Development Agency (NITDA) in 2019 licensed Data Protection Compliance Organisations (DPCOs) of which DataPro Limited is one, to among other deliverables, evaluate the level of compliance with the NDPR by accountable institutions such as data controllers, data processors and some government agencies.
The DPCOs are also expected to render services such as training and awareness programs, Data Protection Impact Assessment (DPIA), audit exercise, contents drafting and advisory services.
The Nigeria Data Protection Regulation (NDPR) can be used to fight cybercrime in Nigeria. The NDPR (2019) is complimentary to the Nigeria Cybercrime Act of 2015. One sure way of combating crime is by apportioning effective, proportionate, dissuasive and commensurate punishment for offenders and those who go against the provisions of the regulation. The NDPR imposes both civil and administrative sanctions on violators and offenders.
According to the NDPR provisions, any person subject to the regulation found to be in breach of the data privacy rights of Nigerians shall be liable in addition to any other criminal liability to: (a) In the case of data controllers/data processors dealing with more than 10,000 data subjects (such as IT companies, payment companies, FinTechs, banks, insurance companies, etc) payment of the fine of two per cent of annual gross revenue of the preceding year or payment of the sum of N10 million whichever is greater (b) In the case of a data controller/data processor dealing with less than 10,000 data, subject payments of the fine of 1one per cent of the Annual Gross Revenue of the preceding year or payment of the sum of N2million, whichever is greater.
According to the NDPR, a data controller/processor means a legal entity (companies, organisations, government agencies excluding law enforcement agencies) who either alone, jointly with others or in common with others or as a statutory body determines the purpose to which data is processed or is to be processed.
What also constitutes infringement under the regulation includes accidental or unlawful destruction of personal data, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted or stored either manually in paper form or electronically/digitally.
NITDA, as the enforcer of the regulation, also has right to set up administrative– panel to investigate allegation of breaches and can issue administrative orders to protect the privacy rights of all Nigerians.
So every Nigerian is free to report any infringement of theirpersonal data protection and privacy rights to NITDA for necessary remediation and action.
We need to go down memory lane to really capture the impact technology companies have had on the issue of personal data privacy and protection.
Despite the long agitation for the right to respect of individual personal data, it took the coming of age of the computer revolution and the accompanying digitisation and globalisation of businesses and personal data to drive the awareness and put everything on the front burner.
The tipping point seems to be the global Facebook-Cambridge Analytical data scandal of 2018 when it was revealed that Cambridge Analytical, a UK company, had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes in many countries.
This has been described by many as the watershed moment in the public understanding of personal data, especially with the clarion call for tighter regulations of technology companies’ use of personal data.
So the tech companies are at the centre of the data protection and privacy regulation. What the NDPR (2019) has done is to provide clarity and consistency in the roles of data processors such as Tech companies.
They now have to provide transparent and easily accessible polices regarding notice of collection of personal data, notice of processing of personal data and the level of processing that will be entailed, and respect the rights of the data subject regarding to data retention and deletion.
Under the NDPR, data subjects have rights to have access to the data you have on them. They have the right to have inaccuracies corrected, the right to have the information or data you have on them as an IT processing company completely erased from your system.
They have the right to prevent you from using their personal data for direct marketing purposes without first seeking their consent, they have the right to prevent you from automated decision making and profiling them without their consent and they have the right to data portability/transferability.
The NDPR also protects children and other vulnerable members( i.e the elderly and disabled) of the society. So if you collect information about children under this age of 13, you will need parent/guardian consent to process this data lawfully.
So IT companies managing personal data and information must focus on meeting the provisions of the regulation and ensure adequate and efficient data storage infrastructure, identify where personal data is located and try and build a consistent architecture to be able to track and monitor what becomes of the data.
It becomes expedient that as soon as IT Companies process personal data, they will be held accountable for the use they make out of it . So they are expected to have data breach notification templates.
From what I have explained earlier you will also be right to say that those in digital advertising and marketing should also listen up to their obligations under the NDPR.
So these are new responsibilities on the part of digital marketing companies in Nigeria and they have to obey the rules and regulations of the land. They now have to communicate very clearly that they want to collect people’s data and explain explicitly how the data is going to be used.
They also have to inform Nigerian’s about their right to refuse or withdraw their consent for you to send them text messages or e-mail even if they initially gave you such consent.