The internet has made many things easier, and personally identifiable information, among other things, is exchanged in cyberspace to aid seamless conversations and processes. People divulge their personal data when visiting websites, purchasing products, or signing up for services. Putting out personal information can open the door to theft and other crimes that could harm not just individuals but organizations as a whole.
Given several privacy breaches in Nigeria, such as the case between NITDA and Truecaller, and the famous Facebook-Cambridge Analytica data privacy scandal, the need to protect personal data cannot be overstated. This has prompted the implementation of various laws and regulations, such as the Nigerian Data Protection Regulation (NDPR) 2019, the Cybercrimes Act, and the General Data Protection Regulation 2018, to mention a few.
The main legislation that deals extensively with data security in Nigeria is the NDPR 2019. It is in line with global best practices and standards, and it regulates data protection and security in Nigeria. The Nigerian Information Technology Development Agency (NITDA) is the regulatory institution responsible for implementing the provisions of the NDPR 2019. The Regulation applies to residents of Nigeria, citizens of Nigeria residing outside of Nigeria, and organizations that process the personal data of such individuals. Other laws regulating data privacy and security in Nigeria include the Freedom of Information Act 2011, the Child’s Rights Act 2003, and the Federal Competition and Consumer Protection Act 2019, to mention a few. The NDPR covers the principles of data processing, the requirements of Data Compliance Officers, the requirement of the data subject’s consent for collecting and processing data, the requirements for the international transfer of data, and the rights of data subjects, and it prescribes penalties for non-compliance with the Regulation.
Data Controllers: These are organizations or individuals who determine the purposes for which data will be used. They are required to develop adequate security systems, including measures for protecting systems from hackers, setting up firewalls, and employing data encryption technologies to protect data within their custody. Personal data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject. It must also be adequate, accurate, and without prejudice to the dignity of the human person; stored only for the period for which it is reasonably needed; and secured against all foreseeable hazards and breaches. When a breach occurs, data controllers are to report the breach to NITDA within 72 hours of becoming aware of it.
Data subjects must consent before any data is collected. The data must be collected and processed in a lawful manner, and the purpose for which it is collected must be communicated to the data subject. Data Controllers are required to display a conspicuous, intelligible and clear privacy notice on any medium of data collection. This notice informs data subjects of how their data is collected, used, retained, and disclosed.
In conclusion, the NDPR 2019, alongside other legislation, regulates the protection of personal data in Nigeria. It ensures that individuals and organisations alike adopt best practices in securing their personally identifiable information against risks and threats. Organisations that do not comply with the requirements of the Regulation are liable to the sanctions and penalties prescribed in it.