NITDA partners operators on data protection plans

The National Information Technology Development Agency (NITDA), has issued the cloud policy strategy and implementation framework that mandate domiciliation of data.

According to the agency, this move is to develop local storage capacity and increase employment in Nigeria.

Nigerian Data Protection Regulation (NDPR) Desk Officer, NITDA, Olufemi Daniel, said the agency has identified issues that could mitigate local data storage by finding ways to resolve them.

Speaking during the first interactive session on Nigeria Data Protection Compliance, organised by Taxtech and AO2 Law, in partnership with NITDA, Daniel said the agency is aware of issues plaguing local data storage, but is ready to offer incentives and improve business environment.

Urging Nigerians to support NITDA, he said the domiciliation of data is to increase security. “If we do not develop our local storage capacity, jobs would be lost to other countries. NITDA is also mindful of increasing compliance burden and do not want to create unnecessary panic,” he added.

Daniel said the regulatory agency was established to implement the national Information Technology (IT) policy of 2000. He added that Section 36 provides the fine of N8billion for non-compliance to the data protection regime.

“Because IT is ubiquitous, we constitute a national advisory committee on data protection. The committee is coordinated by Chairman, Ministry of Communication to ensure that there is a synergy and we can as a nation move in one direction. What we want to achieve is to ensure that data protection is progressing and not about whose power it’s being exercised,” he said.

Noting that the regulation was issued in January 2019, he said that there are some milestones that we have given every organisation to comply.

“We expect firms to have published a revised privacy policy and seek subject consent based on the new privacy policy. Firms also should have done the initial data audit by October 25. So, data were supposed to be analysed based on the stipulated timelines. Also, data collated before January 2019 are not exempted from full protection,” he added.

Software Engineer, Taxaide Technologies Ltd (Taxtech), a Data Protection Compliance Organisation (DPCO), Joseph Udonsak, said the NDPR would change the dynamics of business operations and data processes.

“This is because firms cannot take data just because you have the power to. Now, the challenge is understanding the data floor, and how you handle data,” he added. Udonsak said the data subject’s right is protected by this new regime as firms are expected to explain the reason for data collation.

He added that firms that have not taken the whole process from data collection to security standards would have a lot of restructuring to do.

He stressed that the NDPR does not require firms to have all the requirements in place now.

“Organisations that don’t have any security infrastructure would be required to have a remediation strategy in place, which would be submitted for the preliminary audit in October 25. This is to show some level of implementation to avoid sanction,” Udonsak added.

Furthermore, he said that the NDPR applies to all businesses, whether big or small. “For small businesses, I don’t think it will be too data for them to manage. The idea is to establish a data process and put security infrastructure in place,” he said.

Managing Partner, AO2 Law, Chinedu Anaje, stressed on the need for organisations to seek redress if they are wrongfully fined by the regulators.

Anaje said that NITDA provides organisations opportunity to redress in a court of law, as done in Europe and North America.

Adding: “We expect that there would be an increase in data breach cases in the future.”

Co-Founder, FarmCrowdy, Ifeanyi Anazodo, observed that apart from implementation, monitoring is a big challenge to the NDPR.

Applauding the data protection as a good initiative, Anazodo said compliance might be a little difficult due to corruption and no stringent laws that apply to all.

On the local data domiciliation, he noted that it is expensive to store data in Nigeria because of power and regulation.“It is cheaper and easier to dump my data in Microsoft Azure and other international cloud because I know that they are a global brand and the laws that bind them are stricter than ours. So, if they are offering me a cheaper service, I will go for it.

“So the law should not place restrictions on how and where we store our data because it will impact negatively on the cost of operation, which in turn would make services unaffordable for consumers,” Anazodo added.

Lawyer at Infusion Lawyers, Lilian Chidera Obichendu, said that Nigeria is still at her early days in data protection compliance.

She said: “Data controllers are yet to fully grasp the legal implications of data collection, processing and transfer. And these have resulted in abuse of personal data and infringement on data subject’s privacy.”

To ensure compliance, Obichendu said beyond regulation, there is need for adequate awareness, and constant engagements between NITDA with other relevant authorities.

She added: “From my experience, the common breaches involve unauthorised use of data subject’s personal details such as email address and phone number for digital marketing by third parties.

“Other common breaches involve sharing or even selling data subject’s personal information without consent. There have also been instances where service providers fail to protect the sensitive information of their customers, such as PINS, passwords, etc.”

She charged both private and public organisations to start putting measures in place to ensure compliance. “Since we are in a data-driven economy with Artificial Intelligence (AI), Blockchain, Big Data, and Internet of Things (IoT), and other emerging technologies, data controllers must start embracing privacy by incorporating privacy into technological devices and systems by default. This will greatly enhance data protection and privacy,” she added.