What you should know about GDPR in Nigeria?
I hope this letter finds you well, if so, doxology. I thought to write you using this format as inspired by Uncle Leke, his depth of excellence and competence leaves me in awe.
It is no longer news that there is a regulation on data and in the light of protecting and preserving the rights to privacy.
In the current economy, digital has become a major enabler and with that has come its blessings and regulations. I hope this brief letter will give you some insights on how to stay on the right side of the law.
In Nigeria, the Data protection rule (DPR) has also been domesticated as the Nigerian Data Protection Rule, signed into law January 25, 2019, so there is hardly a way to say you are unaware, remember that ignorance is not an excuse in law.
How does this concern you as a business owner?
Businesses whose activities involve ‘regular or systematic’ monitoring of data subjects or a large volume of personal data or which involve processing large volumes of ‘special category data’ going by this makes your business a data controller or processor.
Being in the position of a controller or processor requires compliance with the principles of the regulation. The principles are at the centre of the GDPR; they are the guiding principles of the regulation and compliant processing. Data Controllers are also accountable for their processing and must demonstrate their compliance. This is set out in the new accountability principle.
The principles are set up to make sure that the risks associated with collecting, processing and storing of personal data can be reduced to the barest minimum. In other words, you as an organization (data controller) who collects specific data of Nigerians (or citizens of other countries) have responsibilities on how to collect, what to keep, when to delete, where store, how and what to share with third parties as well as consequences for breach.
Here are some of the 7 principles that guide data protection globally
- Lawfulness, fairness and transparency- data must be processed in all fairness and transparent manner to all relevant individuals to
- Purpose limitation – data must be collected, processed according to specific and legitimate reasons only.
- Data minimization – only data needed must be collected and not more than necessary
- Accuracy – data collected must be accurate and where changes have occurred must be updated or discarded.
- Storage limitation – data can only be kept for as long as necessary where there are no specific retention periods, or for the purposes of archiving, scientific or historical purposes
- Integrity and confidentiality (security) – processed in such a way that ensures the security of data from unauthorized access, unlawful processing, damage or destruction.
- Accountability – data processors must be accountable.
These principles may be subject to further interpretations or adapted to several data scenarios as they may occur.
You can send questions to: sabilawyer@gmail.com
May the Law always be in your favour.