The Managing Director, DataPro Limited, Abimbola Adeseyoju, a
frontline compliance solutions company and licensed Data Protection
Compliance Organisation(DPCO) speaks on the
unique essence of the data protection and privacy day, its role in
helping Nigerians entrench their rights, the unified fight against
cybercrime.
What is the significance of National Piracy Day to Nigeria?
The day was first celebrated in Europe in 2007. By 2009, the United
States Government started recognizing the day as National Day Privacy
Day. And since then it has assumed global recognition and celebration.
The day is set aside to raise awareness and promote privacy and data
protection best practices. We are now in a digitalized, globalised and
technologically driven world. The commemoration of the day is to
remind all operators and players within the digitalized world about
their obligations on data privacy and protection and the need to avoid
data breaches, abuse and mis-use.
The day is particularly quite significant in Nigeria. We are happy
that Nigeria has now joined the rest of the developed world in
recognising data privacy and protection as part of the fundamental
rights of all Nigerians.
The importance of having the Nigeria Data Protection Regulation (NDPR)
issued by the National Information Technology Development Agency
(NITDA) on the 25th of January, 2019 is that every citizen of Nigeria
irrespective of wherever they reside all over the world is now
guaranteed, data privacy as part of their fundamental human rights and
can demand for justice any time this right is breached, abused or
mis-used.
So it’s quite significant that Nigeria is joining the rest of the
civilized world to celebrate the occasion and awaken the sensibilities
of all Nigerian on what the Federal Government has done to protect
their rights. This is indeed a plus on the part of the government, and
it again, calls for a pat on the back. They have done well in this
regard.
What are the roles of DataPro Limited as a DPCO?
The National Information Technology Development Agency (NITDA) in 2019
licensed Data Protection Compliance Organisations (DPCOs) of which
DataPro Limited is one. It was to, among other deliverables; evaluate
the level of compliance to the NDPR by accountable institutions such
as Data Controllers, Data Processors and some Government agencies.
The Data Protection Compliance Organisations are also expected to
render services such as training and awareness programs, Data
Protection Impact Assessment (DPIA), Audit exercise, contents drafting
and advisory services.
In DataPro, our core competences include advisory and compliance
services on data protection, privacy policy formulation and
communication, sensitization, training and capacity building programs,
Data Protection Impact Assessment (DPIA) and Annual Audit.
Can Nigeria Data Protection Regulation (NDPR) be used to fight
cybercrime?
The answer is yes. The NDPR (2019) is complimentary to the Nigeria
Cybercrime Act of 2015. One sure way of combating crime is by
apportioning effective, proportionate, dissuasive and commensurate
punishment for offenders and those who go against the provisions of
the regulation. The NDPR imposes both civil and administrative
sanctions on violators and offenders.
According to the NDPR provisions, any person subject to the regulation
found to be in breach of the data privacy rights of Nigerians shall be
liable in addition to any other criminal liability to: (a) In the case
of Data Controllers/Data Processors dealing with more than 10,000 Data
subjects (such as IT companies, Payment companies, FinTechs, Banks,
Insurance companies, etc) payment of the fine of 2% of Annual Gross
Revenue of the preceding year or payment of the sum of N10m naira
whichever is greater (b) In the case of a Data Controller/Data
Processor dealing with less than 10,000 Data subject payments of the
fine of 1% of the Annual Gross Revenue of the preceding year or
payment of the sum of N2m whichever is greater.
According to the NDPR a data Controller/processor means a legal entity
(companies, organizations, government agencies excluding law
enforcement agencies) who either alone, jointly with others or in
common with others or as a statutory body determines the purpose to
which data is processed or is to be processed.
How do you see technology companies evolve on the issue of data
privacy and protection?
We need to go down memory lane to really capture the impact technology
companies have had on the issue of personal data privacy and
protection.
Despite the long agitation for the right to respect of individual
personal data, it took the coming of age of the computer revolution
and the accompanying digitization and globalization of businesses and
personal data to drive the awareness and put everything on the front
burner.
The tipping point seems to be the global Face-Book-Cambridge
Analytical data scandal of 2018 when it was revealed that Cambridge
Analytical a UK company had harvested the personal data of millions of
people’s Facebook profiles without their consent and used it for
political advertising purposes in many countries.
This has been described by many as the watershed moment in the public
understanding of personal data, especially with the clarion call for
tighter regulations of technology companies use of personal data.
So you are right. The tech companies are at the centre of the data
protection and privacy regulation. What the NDPR (2019) has done is to
provide clarity and consistency in the roles of data processors such
as Tech companies.
They now have to provide transparent and easily accessible polices
regarding notice of collection of personal data, notice of processing
of personal data and the level of processing that will be entailed,
and respect the rights of the data subject regarding to data retention
and deletion.
Under the NDPR, data subjects have rights to have access to the data
you have on them. They have the right to have inaccuracies corrected,
the right to have the information or data you have on them as an IT
processing company completely erased from your system.
They have the right to prevent you from using their personal data for
direct marketing purposes without first seeking their consent, they
have the right to prevent you from automated decision making and
profiling them without their consent and they have the right to data
portability/transferability.
The NDPR also protects children and other vulnerable members( i.e the
elderly and disabled) of the society. So if you collect information
about children under this age of 13, you will need parent/guardian
consent to process this data lawfully.
So IT companies managing personal data and information must focus on
meeting the provisions of the regulation and ensure adequate and
efficient data storage infrastructure, identify where personal data
is located and try and build a consistent architecture to be able to
track and monitor what becomes of the data.
How does the NDPR affect the digital marketing coys?
From what I have explained earlier, you will also be right to say
that those in digital advertising and marketing should also listen up
to their obligations under the NDPR.
Under the NDPR, digital marketers have to be transparent any time they
wish to collect data from the public. It is a violation of the
regulation to send unsolicited text massages to people. I need to
first give you consent if I want to be receiving any form
advertisement messages from your agency or not before you start waking
me up with messages. This also applies to visit to company’s website
to use cookies to collect personal information. There must be
provision for consent before you can collect my personal details
on-line
So these are new responsibilities on the part of digital marketing
companies in Nigeria and they have to obey the rules and regulations
of the land. They now have to communicate very clearly that they want
to collect people’s data and explain explicitly how they data is going
to be used.
