Anxiety is palpable in Nigeria over GDPR implementation
European Union’s General Data Protection Regulation (GDPR) requires any enterprise in the world that conducts business with at least one citizen of the EU to comply with GDPR protections of personally identifiable information or face stiff penalties.
Adesanya Ahmed, an Information security consultant and chief executive officer, Petrovice Resources, said that based on Article 3 of EU, which defines territorial scope.
“The article states that organizations must comply with GDPR if they offer goods or services to EU citizens, even without payment, or monitoring the behaviour of EU citizens.
“The starting point should be to determine whether the organization process personal data of EU citizens, either as a controller or processor of data, or whether a part of your organization operate within the EU borders.
“If answer to one of the questions is yes, then it does not matter were your business headquarters are located. As long you are in the place were member state law applies by virtue of public international law, you need to comply with GDPR,” he added.
He noted that complying with GDPR protects Nigerian organizations from not being sanction in global trade. For Instance, EU adopted a global best practice like: PCI DSS for risk management and also for cloud computing environments while NITDA adopted COBIT 5 of ISACA as a regulatory framework.
“When adopting these regulations, it is advantageous for an enterprise to have a solid governance function in place, to help with implementation and execution. And if the organization lacks that structure, GDPR compliance is a good reason to begin creating that structure in your enterprise.”
Dragan Jovicic, Information Security Audit Manager, Serbia, urged organizations outside of EU to perform a data protection impact assessment as a required element of GDPR.
“This is an initial step in determining the need to comply with GDPR in the process of GDPR implementation. Once the organization determines that it has to comply with the regulation, the compliance program must include all parts of data processing.
“Data processing includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.” GDPR applies to both automated and manual data processing.
The organization being impacted by GDPR needs to assess, implement and comply with specific GDPR requirements.
These requirements will impact the entire organization and how day-to-day operations are being conducted with respect to personal data.
New processes and controls should be implemented to protect personal data of EU citizens and also to protect the organization from liabilities caused by non-compliance with GDPR.
Organizations that see 25 May not only as a deadline, but more as the starting point of a long-lasting GDPR compliance program, will have an advantage in processing personal data applying GDPR principles.
No comments yet