Nigerian businesses on spot as EU data protection law begins today

Violators risk €20 million fine or 4% of global yearly turnover
The European Union (EU) General Data Protection Regulation (GDPR) implementation and enforcement begins today, May 25, with advice from experts to Nigerian businesses to ensure compliance.

The EU GDPR law is one of the most wide-ranging and comprehensive pieces of legislation regarding sensitive consumer data ever enacted. It is an important step forward for privacy rights in Europe and around the world.

The regulation, which was adopted on April 27, 2016 and becomes enforceable May 25 replaces the data protection directive of 1995. It applies whether the data controller – an organization that collects data from EU residents or processor – an organization that processes data on behalf of data controller such as data centres or the data subject – the person whose personal data has been collected is based within or outside any EU member state, if they collect or process personal data of EU citizens and residents, such must comply with the law.

The Guardian learnt that the regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language.

The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Therefore, Nigerian businesses, especially those that collect, store and process personal data of EU citizens for the provision of goods and services are expected to comply with the new GDPR.

Failure of businesses in the country or other climes to comply would have them face a €20 million fine or have four per cent of their global yearly turnover levied.

The Guardian gathered that under the law, information such as customer IP addresses and even web cookies will be subject to the same strict security standards as physical addresses and social security numbers.

According to the Director-General, National Information Technology Development Agency (NITDA), Dr. Isa Ali Ibrahim Pantami, while urging affected businesses in Nigeria to comply, noted that the Agency realised that this regulation might have huge impact on Nigerian businesses and/or individuals that use Information Technology to collect, store, process and transact on EU citizens personal data in EU territory or elsewhere.

Pantami called on Nigerian organisations that are controllers and processors of personal data of EU nationals to note that companies that meet the following criteria must comply; have offices in an EU member state; have no offices in any EU member state but processes personal data of EU nationals and residents; have more than 250 employees; and have fewer than 250 employees but its data processing impacts the rights and freedoms of data subjects or occasionally includes certain types of sensitive personal data.

To Lead Commercial Attorney, Microsoft MEA Emerging Markets, John Edokpolor, although the GDPR law is an EU law, it is relevant to businesses around the world, especially businesses that have trade ties with Europe, especially those that deals with data.

To be compliant with the new EU law on data protection, Edokpolor said businesses must address three things: people, processes, and preparedness, and to address these, organisations must manage their data like they manage their money.

The Executive Vice President, Africa & Middle East, Sage, Pieter Bensch, listed six measures organizations and business firms can take to avoid any embarrassment.

These measures, according to him, include getting informed; doing an audit, review of consent mechanisms; refreshing privacy policies and contracts; training of extended workforce and appointing a data protection officer.