Uche Usim, Abuja
Abimbola Adeseyoju, the Managing Director, DataPro Limited, a frontline compliance solutions company and licensed Data Protection Compliance Organisation (DPCO), has described data protection regulation as a vital tool needed in fighting cybercrime in Nigeria.
She speaks with select journalists on the unique essence of the data protection and privacy day, its role in
helping Nigerians entrench their rights, the unified fight against cybercrime.
What is the significance of National Day Piracy day to Nigeria?
The day was first celebrated in Europe in 2007. By 2009, the United
States Government started recognizing the day as National Day Privacy Day. And since then it has assumed global recognition and celebration.
The day is set aside to raise awareness and promote privacy and data protection best practices. We are now in a digitalised, globalised and technologically driven world. The commemoration of the day is to remind all operators and players within the digitalized world about their obligations on data privacy and protection and the need to avoid data breaches, abuse and misuse.
The day is particularly quite significant in Nigeria. We are happy that Nigeria has now joined the rest of the developed world in recognising data privacy and protection as part of the fundamental rights of all Nigerians.
The importance of having the Nigeria Data Protection Regulation (NDPR)
issued by the National Information Technology Development Agency
(NITDA) on the 25th of January, 2019 is that every citizen of Nigeria
irrespective of wherever they reside all over the world is now guaranteed, data privacy as part of their fundamental human rights and can demand justice any time this right is breached, abused or misused.
So, it’s quite significant that Nigeria is joining the rest of the civilized world to celebrate the occasion and awaken the sensibilities of all Nigerian on what the Federal Government has done to protect their rights. This is indeed a plus on the part of the government, and it again, calls for a pat on the back. They have done well in this
What are the roles of DataPro Limited as a DPCO?
The National Information Technology Development Agency (NITDA) in 2019 licensed Data Protection Compliance Organisations (DPCOs) of which DataPro Limited is one. It was to, among other deliverables; evaluate the level of compliance to the NDPR by accountable institutions such as Data Controllers, Data Processors and some Government agencies.
The Data Protection Compliance Organisations are also expected to
render services such as training and awareness programs, Data Protection Impact Assessment (DPIA), Audit exercise, contents drafting and advisory services.
In DataPro, our core competences include advisory and compliance
Can Nigeria Data Protection Regulation (NDPR) be used to fight
cybercrime in Nigeria?
The answer is yes. The NDPR (2019) is complimentary to the Nigeria Cybercrime Act of 2015. One sure way of combating crime is by apportioning effective, proportionate, dissuasive and commensurate punishment for offenders and those who go against the provisions of the regulation. The NDPR imposes both civil and administrative sanctions on violators and offenders.
According to the NDPR provisions, any person subject to the regulation found to be in breach of the data privacy rights of Nigerians shall be liable in addition to any other criminal liability to: (a) In the case of Data Controllers/Data Processors dealing with more than 10,000 Data subjects (such as IT companies, Payment companies, FinTechs, Banks, Insurance companies, etc) payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of N10m naira whichever is greater. In the case of a Data Controller/Data Processor dealing with less than 10,000 Data subject payments of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of N2m whichever is greater.
According to the NDPR a data Controller/processor means a legal entity (companies, organizations, government agencies excluding law
enforcement agencies) who either alone, jointly with others or in common with others or as a statutory body determines the purpose to which data is processed or is to be processed.
What also constitutes infringement under the regulation includes accidental or unlawful destruction of personal data, loss, alteration,
unauthorised disclosure of, or access to, personal data transmitted or stored either manually in paper form or electronically/digitally.
NITDA as the enforcer of the regulation also has the right to set up
Administrative panel to investigate allegation of breaches and can issue administrative orders to protect the privacy rights of all Nigerians.
So every Nigerian is free to report any infringement of their personal data protection and privacy rights to NITDA for necessary remediation and action.
How do you see technology companies evolve on the issue of data privacy and protection?
We need to go down memory lane to really capture the impact technology
companies have had on the issue of personal data privacy and protection.
Despite the long agitation for the right to respect of individual personal data, it took the coming of age of the computer revolution and the accompanying digitization and globalisation of businesses and personal data to drive awareness and put everything on the front burner.
The tipping point seems to be the global Face-Book-Cambridge
Analytical data scandal of 2018 when it was revealed that Cambridge
Analytical a UK company had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes in many countries.
This has been described by many as the watershed moment in the public
understanding of personal data, especially with the clarion call for tighter regulations of technology companies use of personal data.
So you are right. The tech companies are at the centre of the data protection and privacy regulation. What the NDPR (2019) has done is to provide clarity and consistency in the roles of data processors such as Tech companies.
They now have to provide transparent and easily accessible polices regarding notice of collection of personal data, notice of processing of personal data and the level of processing that will be entailed, and respect the rights of the data subject regarding data retention and deletion.
Under the NDPR, data subjects have the rights to have access to the data you have on them. They have the right to have inaccuracies corrected, the right to have the information or data you have on them as an IT processing company completely erased from your system.
They have the right to prevent you from using their personal data for
direct marketing purposes without first seeking their consent, they have the right to prevent you from automated decision making and profiling them without their consent and they have the right to data portability/transferability.
The NDPR also protects children and other vulnerable members (i.e the
elderly and disabled) of the society. So if you collect information about children under this age of 13, you will need parent/guardian consent to process this data lawfully.
So IT companies managing personal data and information must focus on
meeting the provisions of the regulation and ensure adequate and
efficient data storage infrastructure, identify where personal data is located and try and build a consistent architecture to be able to track and monitor what becomes of the data.
It becomes expedient that as soon as IT Companies process personal data, they will be held accountable for the use they make out of it. So they are expected to have data breach notification templates.
How does the NDPR affect digital marketing companies?
From what I have explained earlier, you will also be right to say
that those in digital advertising and marketing should also listen up to their obligations under the NDPR.
Under the NDPR, digital marketers have to be transparent any time they
So these are new responsibilities on the part of digital marketing companies in Nigeria and they have to obey the rules and regulations of the land. They now have to communicate very clearly that they want to collect people’s data and explain explicitly how the data is going to be used.
They also have to inform Nigerian’s about their right to refuse or withdraw their consent for you to send them text messages or e-mail even if they initially gave you such consent. In addition, you can only collect data that is necessary for the intended purpose of the collection.
For example during your data collection process if it’s only my name, telephone, photograph (yes pictures are also considered as part of what constitutes personal data) and email address you need for your research or advertising campaign, you do not need to collect my date of birth, sexual orientation etc if they are not relevant as this conflicts with the provisions of the NDPR under the principle of data minimisation.