What is the role of DataPro Limited as a DPCO?
The National Information Technology Development Agency (NITDA) in 2019 licensed Data Protection Compliance Organizations (DPCOs) of which DataPro Limited is one, to among other deliverables, evaluate the level of compliance to the NDPR by accountable institutions such as Data Controllers, Data Processors and some Government agencies.
The Data Protection Compliance Organizations are also expected to render services such as Training and Awareness Programs, Data Protection Impact Assessment (DPIA), Audit exercise, contents drafting and advisory services.
Could the Nigeria Data Protection Regulation (NDPR) be used to fight cybercrime in Nigeria?
The answer is yes. The NDPR (2019) is complimentary to the Nigeria Cybercrime Act of 2015. One sure way of combating crime is by apportioning effective, proportionate, dissuasive and commensurate punishment for offenders and those who go against the provisions of the regulation. The NDPR imposes both civil and administrative sanctions on violators and offenders.
According to the NDPR provisions, any person subject to the regulation found to be in breach of the data privacy rights of Nigerians shall be liable in addition to any other criminal liability to: (a) In the case of Data Controllers/Data Processors dealing with more than 10,000 Data subjects (such as IT companies, Payment companies, FinTechs, Banks, Insurance companies, etc) payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of
N10m Naira whichever is greater (b) In the case of a Data Controller/Data Processor dealing with less than 10,000 Data subject payments of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of N2m whichever is greater.
According to the NDPR a data Controller/processor means a legal entity (companies, organizations, government agencies excluding law enforcement agencies) who either alone, jointly with others or in common with others or as a statutory body determines the purpose to which data is processed or is to be processed.
What also constitutes infringement under the regulation includes accidental or unlawful destruction of personal data, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted or stored either manually in paper form or electronically/digitally.
NITDA as the enforcer of the regulation also has right to set up administrative– panel to investigate allegation of breaches and can issue administrative orders to protect the privacy rights of all Nigerians.So every Nigerian is free to report any infringement of their personal data protection and privacy rights to NITDA for necessary remediation and action.
How do you see technology companies evolve on the issue of data privacy and protection?
We need to go down memory lane to really capture the impact technology companies have had on the issue of personal data privacy and protection.Despite the long agitation for the right to respect of individual personal data, it took the coming of age of the computer revolution and the accompanying digitisation and globalisation of businesses and personal data to drive the awareness and put everything on the front burner.
The tipping point seems to be the global Facebook-Cambridge Analytica data scandal of 2018 when it was revealed that Cambridge Analytica a UK company had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes in many countries.This has been described by many as the watershed moment in the public understanding of personal data, especially with the clarion call for tighter regulations of technology companies use of personal data.
So you are right. The tech companies are at the centre of the data protection and privacy regulation. What the NDPR (2019) has done is to provide clarity and consistency in the roles of data processors such as Tech companies.
They now have to provide transparent and easily accessible polices regarding notice of collection of personal data, notice of processing of personal data and the level of processing that will be entailed, and respect the rights of the data subject regarding to data retention and deletion.
Under the NDPR, data subjects have rights to have access to the data you have on them. They have the right to have inaccuracies corrected, the right to have the information or data you have on them as an IT processing company completely erased from your system. They have the right to prevent you from using their personal data for direct marketing purposes without first seeking their consent, they have the right to prevent you from automated decision making and profiling them without their consent and they have the right to data portability/transferability.
The NDPR also protects children and other vulnerable members ( i.e the elderly and disabled) of the society. So if you collect information about children under this age of 13, you will need parent/guardian consent to process this data lawfully.
So IT companies managing personal data and information must focus on meeting the provisions of the regulation and ensure adequate and efficient data storage infrastructure, identify where personal data is located and try and build a consistent architecture to be able to track and monitor what becomes of the data.
It becomes expedient that as soon as IT Companies process personal data, they will be held accountable for the use they make out of it . So they are expected to have data breach notification templates.
How does the NDPR affect the digital marketing companies?
From what I have explained earlier you will also be right to say that those in digital advertising and marketing should also listen up to their obligations under the NDPR.
So these are new responsibilities on the part of digital marketing companies in Nigeria and they have to obey the rules and regulations of the land. They now have to communicate very clearly that they want to collect people’s data and explain explicitly how they data is going to be used.They also have to inform Nigerian’s about their right to refuse or withdraw their consent for you to send them text messages or e-mail even if they initially gave you such consent. In addition, you can only collect data that is necessary for the intended purpose of the collection.
For example during your data collection process if its only my name, telephone, photograph (yes pictures are also considered as part of what constitutes personal data) and email address you need for your research or advertising campaign, you do not need to collect my date of birth, sexual orientation etc if they are not relevant as this conflicts with the provisions of the NDPR under the principle of data minimization.
So digital marketers now have to put the interest of their customer first and this is good news for all Nigerians