• Friday, March 29, 2024
BusinessDay

As NDPR audit kicks off, NITDA outlines companies exempted from data regulation

As companies across the financial, banking, insurance, oil and gas, manufacturing, FMCG and service sectors move to comply with data audit notices, NITDA says businesses processing the data of fewer than 2000 data subjects are exempted. However, where such an entity suffers a data breach, the availability of a documented data management process reduces the likelihood of fines and other criminal charges.

 

In January 2019, NITDA released the Nigeria Data Protection Regulation (NDPR), which is to a large extent a mirror of the European Commission’s General Data Protection Regulation (GDPR). The NDPR has been described by many stakeholders as the most comprehensive generally applicable legislation on data protection in Nigeria. It prescribes the minimum data protection requirements for the collection, storage, processing, management, operation and technical data in Nigeria.

 

Olufemi Daniel, NDPR desk officer who also helped craft the regulation, in an exclusive interview with BusinessDay explained that the NDPR audit is meant to assess the data management practices of organisations and for the government to provide necessary policies and directions to enhance compliance.

 

So far, awareness of the data audit has mostly been focused on organisations within Lagos and Abuja. To reach other states, NITDA recently trained selected media executives on the NDPR. The agency says another round of awareness is planned for the month of December, while NITDA would be coordinating, in partnership with the private sector, Nigeria’s biggest World Privacy Day celebration, which would hold in January 2020.

 

The audit includes a series of questions that are published in the draft NDPR Implementation framework.

 

To carry out the audit, NITDA had licensed about eleven Data Protection Compliance Organisations (DPCOs). The DPCOs look at the company’s personal data collection process to ensure they create processes that protect customer and employee data.

 

Companies that default are exposed to a fine of N2 million or 2 percent of turnover for the last year (whichever is more). The deadline for the data audit was October 25, 2019.

 

According to a source whose company is partnering with one of the DPCOs, a memo which originated from NITDA to the DPCOs last week requested a list of companies that have audited or are in the process of auditing for data protection compliance. Zenith Bank is one of the Nigerian banks the source identified as having commenced the audit process. Some organisations have already submitted their audits to NITDA.

 

“The NDPR is not focused on imposing fines, however, where a data breach by a non-compliant entity is established, this makes the imposition of fine optimum,” Daniel told BusinessDay. “Non-filing of the data audit report is an indication of unwillingness to protect personal data.”

 

One of the barriers to compliance is the cost of the audit. Daniel says that it depends on the number of data subjects.

 

“The highest amount an entity pays is N20,000 for the filing,” he said. “DPCOs charge companies based on different factors and the complexity of requirements of the controller. We are, however, trying to cost to encourage companies. However, the cost cannot be compared to the cost of non-compliance which may include brand image damage, civil suit by data subjects, fines under NDPR and criminal charge under the NITDA Act 2007.”

 

Organisations can also negotiate with their DPCOs which could reduce the cost of the audit. However, the size of the company and the complexity of the data collection systems are very vital to costing.

 

“We have a discounted programme for them as an organisation because we believe data protection is needed to build a solid system of trust for the proper scaling of businesses online,” Enyioma Madubuike, a lawyer and data protection expert, told BusinessDay.

 

According to Daniel, the audit is only the first step to data protection compliance for Nigeria. After the audit, a team of experts would be invited by the government to assess the data management and security level of the country and advise the government and private sector on how to improve practices in order to make businesses more cyber-resilient and reduce incidents of a breach. Organisations will also be advised by the NITDA-licensed data protection compliance organisations on remedial actions to be taken to improve data and cybersecurity management.