THE NIGERIA DATA PROTECTION REGULATION (NDPR) 2019 AND APPLICATION TO BANKS.
The main aim of the NDPR is to safeguard the rights of natural persons to data privacy; to foster the safe conduct of transactions involving the exchange of personal data; to prevent manipulation of personal data; and to safeguard the rights of natural persons with regard to the processing of their personal data. In this opinion, a data controller is the organization that acquires and processes individual data, and the data subject is the individual who owns and provides his data for use by the data controller. Section 1.0 of the NDPR.
The NDPR provides for principles which are the basic building blocks for good data protection practices.
These principles are: Lawfulness, Transparency and Fairness; Purpose Limitation; Accuracy; Data Security; Storage Limitation; Accountability.
The Principle of Lawfulness, Transparency and Fairness.
This principle states that the data controller must have legal grounds to process personal information and must be clear, open and honest about how it uses data subjects' personal data.
The Regulation identifies six legal grounds for processing information: Consent, Contract, Legitimate Interest, Legal Obligation, Public Interest and Vital Interest.
The Principles of Purpose Limitation, Accuracy, Data Security, Storage Limitation and Accountability.
These principles provide seriatim as follows. Organizations must have a clear and valid purpose for obtaining and processing personal information. Organizations should periodically review the information kept on individuals and delete or update incorrect information accordingly. Organizations should ensure that all necessary procedures and measures are in place to safeguard personal data; this includes security against internal threats such as unauthorized use, accidental loss or harm, as well as external threats such as phishing, malware or theft. Organizations should delete or destroy personal data when they no longer need it for the reason for which it was obtained, unless there are other reasons for keeping it. The NDPR does not specify how long personal data may be kept; it is up to the organization to decide this, depending on the purposes of the processing. Organizations must take responsibility for the data they keep and demonstrate compliance with the other principles, which means that organizations must be able to show the measures they have taken to achieve compliance.
Implementation Mechanism of NDPR in Organizations.
The NDPR provides that all public and private organizations in Nigeria that control the data of natural persons shall, within 3 months after the date of issuance of the Regulation, make available to the general public their respective data protection policies, which policies shall be in conformity with the Regulation. Within 6 months after the date of issuance of the Regulation, each organization shall conduct a detailed audit of its privacy and data protection practices. Every data controller shall designate a Data Protection Officer for the purpose of ensuring adherence to the Regulation, relevant data privacy instruments and the data protection directives of the data controller; provided that a data controller may outsource data protection to a verifiably competent firm or person. Sections 3.1 – 3.15 of the NDPR.
Rights of Data Subjects.
Organizations will have to accommodate the rights of the data subject should the data subject choose to exercise them. The rights of the data subject include the right of access to data, the right to rectification of data, the right to erasure of data, the right to restriction of processing of data and the right to data portability. Sections 2.13.8 – 2.13.15 of the NDPR.
Data transfer protection and restriction
The NDPR restricts the transfer of personal data that is intended for processing to a foreign country, and does not allow the transfer of data to foreign countries that do not have adequate data protection laws. Restricted transfers include: transfer to another company outside the country, transfer to another company within the same corporate group, the sending of emails or attachments containing personal data, and personal data stored on servers abroad. The consent of the data subject must be sought and obtained for the specific purpose before the data controller processes or transfers such data. Sections 2.11 and 2.2 of the NDPR.
Sanctions for breach of NDPR.
Sanctions for breach of the NDPR are divided into two levels:
- a) A fine of up to N10 million, or 2% of annual global turnover, in the case of a data controller dealing with more than 10,000 data subjects, whichever is greater.
- b) A fine of up to N2 million, or 1% of annual global turnover, in the case of a data controller dealing with less than 10,000 data subjects, whichever is greater. Section 2.10 of the NDPR.
Application of NDPR to Banks
Banks that control the data of natural persons, i.e. their customers, employees, vendors and business partners, should comply with the NDPR. A bank should set up a Data Protection Policy and designate a Data Protection Officer for the purpose of ensuring adherence to the NDPR. The bank should also conduct a detailed audit of its data protection practices to avoid a breach of the NDPR. Where LOLC is involved as a foreign partner in the business of any bank, the bank should seek the consent of data subjects to their data being needed, processed and used by foreign partners, and the bank should ensure that the foreign partners, and the foreign countries where the data may be needed, have a data protection law.