In 2018, the European Union (EU) began the implementation of the General Data Protection Rule (GDPR), which regulates the processing of data by an individual, a company or organization relating to individuals in the EU. The following year, driven by concerns around privacy and the protection of personal data and the grave consequences of leaving personal data processing unregulated, the National Information Technology Development Agency (NITDA) unveiled the Nigeria Data Protection Regulation (NDPR).
The objectives of the regulation include safeguarding the rights of natural persons to data privacy, fostering safe conduct for transactions involving the exchange of personal data, preventing manipulation of personal data and ensuring that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.
The NDPR requires that data controllers and processors engage a Data Protection Compliance Organization (DPCO) to perform a data protection audit and file a report with NITDA within the stipulated timeline. It also requires them to document and publish a data protection policy in line with the demands of the data protection regulation.
All storage and processing of personal data conducted in respect of Nigerian citizens and residents are captured in the regulation. Examples of personal data include employee information as managed by the human resource department, customers' and subscribers' data, as well as vendors' and service providers' information. Personal data may include, among others, names, phone numbers, location information, financial information, gender, ethnicity, health records and sexual orientation.
Potential consequences for non-compliance with NDPR include fines, reputational damage and prosecution of principal officers in the event of a severe data breach.
Data protection is important because any information that a business or an individual stores digitally needs to be properly protected. From financial information to payment details and contact information for staff, data usage needs to be protected by law in Nigeria as it is in developed countries. Data needs to be protected to prevent it from being misused by third parties for fraud, such as phishing scams and identity theft. To that extent, data protection is not just a legal necessity, but crucial to maintaining and protecting businesses.
The good news, according to Kashifu Inuwa Abdullahi, Director-General of NITDA, is that records show that so far in Africa, Nigeria is one of the most active countries in respect of data protection. The country is one of the very few in the world that have begun using data audit filing as a basis to measure compliance. He noted that a total of 635 audit reports were filed with NITDA. It is also important to point out that 36.3% of the filed reports are from the financial services industry.
With the intrusion of the COVID-19 pandemic into normal lives, there is now a swift recourse to more creative ways of living, working and learning. This has been rightly described as the “new normal” in different corners of the world. Abdullahi opined that this new normal being created will significantly be enabled by digital services, and data would be the primary driver of its sustainability. “Before the digital revolution, customer trust was primarily based on product quality. But with technology, as our lives have moved online—socially and financially, the trust has shifted to focusing on how customers’ data are protected,” the NITDA boss stated.
The banking sector is a primary target for data breaches due to the superficial value of the underlying data. Therefore, the proactiveness of this sector in complying with the NDPR and Information Technology standards and regulations is a welcome development, which will in turn build trust in customer relationships. Although it is acknowledged that the financial industry is doing comparatively well, there is still room for improvement.
To a large extent, NDPR has been a success story. Although the revolution of digital transformation has taken considerable effort since the issuance of the NDPR, Nigeria has turned the corner in her quest to be recognized as a digital country. Abdullahi noted that “the level of compliance is growing at a fast rate, with the requirement to file a data audit report serving as the key compliance indicator. Article 4.1(5) of the Regulation requires the filing of an initial data audit report and a subsequent annual audit report by every data controller and processor. This process provides a regulatory overview of the state of data governance in the reporting entity. Likewise, it has helped us understand the necessary intervention points to improve data governance, cyber-security, and privacy protection.”
Before the introduction of the NDPR, no Nigerian entity could boast of compliance with data protection laws. Selected multinationals had some level of compliance imposed on them by their parent companies. But all of that changed within one year. The NITDA boss said from almost zero compliance, the country has recorded impressive growth in compliance with data protection. “Nigeria now has a verifiable database of statutory audit reports filed by various entities. This is however a significant leap considering the low level of awareness and various challenges faced by all stakeholders,” he stated.
“Initially,” Abdullahi recalled, “there was some resistance from various quarters regarding NITDA’s statutory powers and capacity to implement the NDPR. But the resistance helped to stimulate and focus the Agency on delivering valid results. Critical stakeholders represented by Data Protection Officers (DPO) have validated NITDA’s innovative approach to NDPR implementation. And the Agency’s role in pioneering data protection in Nigeria is also critical as the experiences garnered so far would be of immense benefit to the country.”
However, it is necessary to highlight some of the achievements of Nigeria’s data protection journey over the past one year. The first point to make is that the African Union Working Group on Data Protection Harmonisation and Localisation (Policy and Regulatory Initiative for Digital Africa - PRIDA) has appointed NITDA as Vice-Chair of the working group. Secondly, NITDA has licensed over 70 Data Protection Compliance Organizations (DPCO). Thirdly, the DPCO industry has created over 2,700 new jobs in the last one year. Fourthly, NITDA has inaugurated a Data Breach Investigation Team in conjunction with the office of the Inspector General of Police. Fifthly, the data protection sector is now valued at N2,295,240,000 (using the median value of audit implementation cost).
In addition to the above, NITDA also issued 230 compliance and enforcement notices within a year, initiated and deposited 8 data breaches with the police, resolved over 790 data breaches, and investigated and fined Lagos Internal Revenue Service (LIRS) for a breach. This case happens to be the first data breach case closed in Nigeria. The Agency has also helped the Federal Government earn the sum of N12,650,000 and has issued supplementary guidelines on Use of Personal Data by Public Institutions. It is currently working on the NDPR Implementation Framework 2020, which will be published soon.
The important lessons here are that there is no doubt that government can stimulate economic activities through regulations, and there is a need to do more in that regard. Customers should be aware that COVID-19 has accelerated digital adoption and increased privacy and cybersecurity risks. Last but not least, there is a need for more awareness on data privacy issues and everyone has to be on board.
Kudos to the leadership of the Honourable Minister of Communications and Digital Economy, Dr Isa Ali Ibrahim Pantami, and the Director-General of the National Information Technology Development Agency, Kashifu Inuwa Abdullahi.
Mr Ahmed, an IT expert, writes from Wuse, Abuja.