Nigerian firms warned against flouting data protection
Companies and business organizations operating in the country have been urged to comply with the Nigeria Data Protection Regulation (NDPR).
ESET Nigeria, which made this call, said compliance with the NDPR will impact data protection governance, information systems and security configuration, as well as documented policies and processes.
ESET emphasised that organizations, both public and private, are expected to comply with the NDPR, adding that these requirements are already in force, that their implications are complex, and that the potential penalties for non-compliance are severe.
The Managing Director, ESET Nigeria and Ghana, Olufemi Ake, at a Zoom conference organized to discuss how organizations can comply with the data protection regulations, said encrypting data and creating an additional authentication for data accessibility in organizations are a few ways to help in meeting the new data security and compliance rules.
The National Information Technology Development Agency (NITDA) introduced the NDPR and enforced compliance with it from January 2019 as the new requirement on the collection and processing of personal data, which requires such activities to be in accordance with lawful purpose consent by the data subject.
Due to this, organisations have been mandated to put compliance measures in place within the first year of the regulation.
“Compliance with this regulation will impact data protection governance, information systems and security configuration, as well as documented policies and processes,” Ake said.
He also enumerated objectives of the regulation as, “To safeguard the rights of natural persons to data privacy; foster safe conduct for transactions involving the exchange of personal data; to prevent manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.”
He said: “NDPR applies to all storage and processing of personal data conducted in respect of Nigerian citizens and residents, and it covers transactions intended for the processing of personal data, and to the actual processing of personal data and person(s) residing in Nigeria or residing outside Nigeria but of Nigerian nationality.
“Unlike the EU’s general data protection regulation (the GDPR), NDPR is not enforced on persons and organizations outside Nigeria that collect, store, or process data of Nigerians.
“The maximum penalty for breaches of data privacy rights on international transfers can be up to N10 million or two per cent of yearly gross revenue of the preceding year, whichever is higher and based on the number of data subjects dealt with. Other massive losses that non-compliance could cause are reputational damage and prosecution of principal officers in the event of a severe data breach.”
He also affirmed ESET’s readiness to assist organizations on NDPR compliance, saying: “To ensure 100 per cent compliance, organisations should ensure the following solutions are deployed and proactively used.”
According to him, organizations are keenly advised to get a data loss prevention (DLP) solution to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
He cited the likes of ‘Safetica’, which classifies regulated, confidential and business-critical data and identifies violations of policies defined by organizations or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or NDPR.
“Multi-factor Authentication will serve as an additional layer of protection of data from unauthorized users. This tool will help data controllers in securing all logins to database and networks (on-premise and cloud) by generating a one-time password that is not known to anyone but unique to a particular user and per login. An excellent example of such a solution is ESET Secure Authentication.
“Finally, organisations should also deploy data encryption technologies, develop organizational policy for handling personal data (and other sensitive or confidential data), protect emailing systems and ensure continuous capacity building for staff. Report has shown that most organisations in Nigeria seek the above solutions to meet up with the compliance requirements of NDPR on data security.”