DataPro Privacy Day Training: The Outlook For Data Protection Compliance In 2023
In light of the realities of today’s digital environment, Data Subjects need to be continually sensitised on their privacy rights and good conduct with personally identifiable information. Similarly, Data Controllers need to continuously build the capacity of their workforce to maintain and uphold best practices in Data Security and Protection.
During the privacy day training, our facilitator, Dr. Wence Nwoga, shared deep insights on the conceptual framework of data protection and privacy, and practicable strategies for navigating data security and risk mitigation.
The highlights of the webinar are as follows:
Personal Data, as defined by the Nigeria Data Protection Regulation (2019), is any information relating to an identified or identifiable natural person (data subject).
Data Protection is the process of ensuring that personal data is safeguarded from unlawful access by unauthorised parties.
Data Privacy Day aims to remind and draw the attention of the public to the immense value of data and the need for constant awareness, protection, privacy and security.
The Nigeria Data Protection Regulation 2019 (NDPR) dictates required procedures to foster the safe conduct of transactions involving the exchange of personal data by customers/clients of both public and private organizations. Consumer Protection is a major pillar of the regulation. It also dictates the Rights of Data Subjects such as the Right to Information, Right to Access, Right to Rectification, Right to withdraw consent, Right to Object, Right to object to Automated Decision Making, Right to be forgotten, Right to data portability, Right to Object to the Processing, etc. Every Nigerian, therefore, has a right to data privacy.
The NDPR sets out Seven Governing Principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data. The seven principles include Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity and Confidentiality (Security); and Accountability.
The Nigeria Data Protection Bureau (NDPB), established in 2022, complements the work of statutory institutions of the government with the common goal of safeguarding the privacy of natural persons.
Grounds for the Lawful Processing of data include Consent, Legitimate Interest, Public Interest, Contractual Necessity, Legal Obligation and Vital Interest.
In Nigeria, all Data Controllers & Processors must file an Annual Data Protection & Privacy Audit Report through a DPCO to the NDPB on the specified date.
Contact us at email@example.com for more information.
Basic Data Protection Compliance Implementation Steps are as follows:
- Conduct Staff Training
- Appoint Data Protection Officer
- Develop Data Inventory
- Review of Data Processing Contracts
- Review Data Security Infrastructure and Documentation
- Conduct a Data Protection Compliance Audit
The Data Protection Bill is expected to be passed this year as it was recently approved by FEC for transmission to the National Assembly. The new bill is expected to provide a more robust and efficient regulatory framework for the protection of personal data.
A Personal Data Breach can be broadly defined as a security incident that has affected the Confidentiality, Integrity or Availability (CIA Principle) of personal data.
Pseudonymization, Anonymization and Encryption are Mitigation Techniques used to keep personally identifiable information secure.
Data Controllers should ensure that anyone acting under their authority with access to personal data does not process data unless instructed to do so. Within the company, information should always be shared on a need-to-know basis. It is therefore vital that your staff understand the importance of protecting personal data, are familiar with your security policy and put its procedures into practice.
Personal Data Breach Best Practice includes the following:
• Report certain types of personal data breaches to NDPB within 72 hours of becoming aware of the breach, where feasible
• Inform the individuals involved if the breach is likely to result in a high risk of adversely affecting their rights and freedoms
Have an internal procedure
• Ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making
Keep an incident log
• Keep a record of any personal data breaches, regardless of whether you are required to notify