The Nigeria Data Protection Regime (NDPR), the country’s version of the EU’s General Data Protection Regulation (GDPR), was the highlight at an interactive forum organised by Taxtech in partnership with AO2 Law on Wednesday.
The NDPR 2019 was designed by the National Information Technology Development Agency (NITDA) with the aim of safeguarding the rights of people to data privacy, fostering safe conduct for transactions involving the exchange of personal data, preventing manipulation of personal data, and ensuring that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection that is in tune with best practice.
It was released on 25 January. At the time, NITDA projected that the regulation would not only stem the wanton abuse of data but also improve the global image of the Nigerian business environment and lead to the creation of 300,000 jobs.
While the NDPR is yet to become legislation, having not passed through the legislative process, NITDA has set an October deadline for data audit of companies that control data and March 15, 2020, for annual data audit filing.
During his presentation, Olufemi Daniel, desk officer, NDPR, said data protection goes beyond obeying the law and is about individuals feeling secure. The NDPR, therefore, applies to all transactions intended for the processing of personal data and to the processing of personal data, notwithstanding the means by which the data processing is being conducted or intended to be conducted, in respect of natural persons in Nigeria.
The NDPR is related to the EU GDPR in many ways. First, it makes provision for the individual’s permission to be obtained before the data is put to use. Also like the GDPR, the NDPR provides that the individual or subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and has the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This is known as data portability.
Other areas of similarity between the NDPR and the GDPR include privacy by design, the right to be forgotten, definitive consent, information in clear, readable language, and limits on the use of profiling.
There are clear differences between the NDPR and the GDPR. For instance, where the punishment for non-compliance was 4 per cent of global revenue in the GDPR, it is only 2 per cent in the NDPR. It should also be noted that the NDPR allows conflict resolution through NITDA before resorting to the court.
“We are baby steps; learning as we go along,” Daniel said. “The GDPR has had over 30 years to get to where it is and we are just starting. If we take everything in GDPR, we will be coming across as too hard on companies.”
He also disclosed that NITDA has plans to inaugurate a data breach team that will ensure that the appropriate punishment is meted out to organisations that do not comply.
Despite Daniel’s assertion of “baby steps”, some leaders in the private sector who participated in the session said the NDPR needs a closer interrogation.
“We need to critically look at how we apportion blame in terms of data breaches,” said Edward Popoola, chief technology officer at Cowrywise, a fintech company.
Big Fintech companies, notable hospitals, NIMC, and stockbrokers fall under the ‘red’ (high risk) category. Banks, telcos, CBN, PFC/PFA, and Big Insurance companies are under the ‘black’ (highly risky) category.
“NITDA gives organisations an opportunity to redress in a court of law, there are numerous cases of that nature in Europe and North America,” Chinedu Anaje, managing partner, AO2 Law, said. “We expect there will be an increase in data breach cases in the future.”