NDPR: OVERVIEW AND BUSINESS IMPLICATIONS
TAXTECH AWARENESS SEMINAR
OLUFEMI DANIEL ESQ., DESK OFFICER, NDPR
Copyright Reserved September 2019
BEFORE PROTECTION, THERE WAS PRIVACY
▪ The right to be left alone is a constitutional concept articulated by
Justice L.D. Brandeis in Olmstead v. US, 277 U.S. 438 (1928).
▪ Privacy right was promoted to limit the intrusion of government on
private life.
▪ Right to privacy covers private correspondence, email and internet
use, medical record, personal data, sexual orientation.
▪ What is private depends on the importance society attaches to it. E.g.
millions of medical records in the hands of a pharmaceutical company is a
treasure trove.
National Information Technology Development Agency 2
NITDA AND DATA PROTECTION
▪ NITDA was established to implement the National IT Policy of 2000.
Strategy 13.3(iii) of the Policy provides: "Ensure the protection of
individual and collective privacy, security, and confidentiality of
information".
▪ S.6(c) of the NITDA Act 2007 provides that the Agency shall:
(a) create a framework for the planning, research, development,
standardization, application, coordination, monitoring, evaluation and
regulation of Information Technology practices, activities and systems
in Nigeria and all matters related thereto and for that purpose…
(c) develop guidelines for electronic governance and monitor the use of
electronic data interchange and other forms of electronic communication
transactions as an alternative to paper-based methods.
JUDICIAL IMPRIMATUR
▪ Paradigm Initiative for Information Technology v. NIMC,
FHC/ABJ/CS/58/2019
The crux of the matter was whether NIMC had the right to collect personal
data without an adequate security and regulatory framework to guide the
process. The court took notice of the issuance of the NDPR by NITDA and
therefore dismissed the case on the basis that the issues complained of by
the Claimant had been taken care of through the NDPR and other measures
established by NIMC.
The court invariably recognized the NDPR as the national legal regime upon
which other data processing activities may ride.
OVERVIEW OF THE NDPR
▪ The objectives of the NDPR are to safeguard data privacy; to foster the safe
conduct of transactions involving personal data; and to make Nigerian
institutions globally competitive and relevant.
▪ Scope: Art. 1.2 This Regulation applies to all transactions intended for the
processing of Personal Data, to the processing of Personal Data
notwithstanding the means by which the data processing is being
conducted or intended to be conducted in respect of natural persons in
Nigeria.
THE DATA PEOPLE
▪ DATA SUBJECT: the individual whose data is to be protected
▪ DATA CONTROLLER: an entity who determines the purposes for and the manner in which Personal Data is processed
▪ DATA ADMINISTRATOR/PROCESSOR: one who processes data
▪ DPO: the in-house Data Protection Officer of a large Data Controller
▪ DPCO: NITDA-licensed organisations that provide Data Protection services
PRINCIPLES OF THE NDPR
COMPARISON WITH EU GDPR
CONTENTS OF THE NDPR
▪ The Regulation addresses:
✓ RIGHTS OF DATA SUBJECT
✓ BASIS FOR LAWFUL PROCESSING
✓ MEANING AND MEANS OF PROCURING VALID CONSENT
✓ CONTENT OF PRIVACY POLICY
✓ DATA SECURITY
✓ 3RD PARTY PROCESSING
✓ PENALTIES
✓ TRANSFER TO A FOREIGN COUNTRY
EU GDPR MAJOR FINES TILL DATE
LEGAL BASIS FOR HOLDING DATA
The six lawful bases for holding personal data:
▪ Consent of the Data Subject
▪ Contract
▪ Legal compliance
▪ Vital interest of the Data Subject
▪ Public interest
▪ Legitimate interest
COMPLIANCE APPROACH
NITDA (as National DPO)
  DPCO
    DATA CONTROLLER/PROCESSOR
KPIs FOR DPCOs
▪ DOCUMENTATION
✓ Data Protection Strategy
✓ Privacy Policy
✓ Review of Contracts in line with NDPR/GDPR
✓ Forms- Data Subject Access Request; Rectification etc.
✓ Inventory of Processing Activities
✓ Data Protection Impact Assessment
▪ TRAINING/CAPACITY DEVELOPMENT
✓ General Trainings
✓ In-house pre- and post-implementation orientation
✓ Consultations
✓ Recruitment and capacity for DPOs
OTHERS:
✓ Brand Enhancement through Compliance
✓ Responding to Regulatory queries
✓ Incident Management
DATA BREACH RISK CLASSIFICATION TABLE
Classes of Data Assets                                                        Risks of Compromise
PII (name, contact, education, career…)                                       Unsolicited contact; Identity Theft
Financial information and records                                             Marketing Nuisance; financial loss; risk to safety
Sensitive personal information (medical, sexual orientation, biometric…)      Reputational Damage; financial loss; opportunity loss
Sensitive Financial Information (BVN, Card details, login credentials…)       Financial loss; Identity theft; reputational damage
Number of Data Subjects affected:
> 1 million Data Subjects
100k – 999k Data Subjects
10k – 99,999 Data Subjects
1k – 9,999 Data Subjects
< 1k Data Subjects
RISK BASED STRATIFICATION
▪ VERY HIGH: Banks, Telcos, CBN, PFC/PFA, Big Insurance Coys etc.
▪ HIGH: Big Fintechs, Notable Hospitals, NIMC, Stock Brokers
▪ AVERAGE: Large Coys, Medium Financial Coys, PENCOM
▪ LOW: Schools, Transport Companies, Courier coys etc.
▪ VERY LOW: SMEs, payroll etc.
COMPLIANCE CHECKLIST FOR CONTROLLERS
SN  CHECKLIST                                                                                   NDPR
1   Conduct Data Audit                                                                          Art. 3.1(7)
2   What is the Legal Basis for Processing?                                                     Art. 2.2
3   Clarity on Data Processing                                                                  Art. 2.5
4   Privacy by Design                                                                           Art. 2.6
5   Awareness and Capacity                                                                      Art. 4.1(3)
6   Develop and Circulate Data Privacy Policy, which contains DPIA Process;
    Notification of Authority                                                                   Art. 2.5
7   Design system for easy rectification, portability etc.
WHAT DOES IT MEAN TO PROCESS DATA?
▪ Art. 1.3 defines “Processing” as any operation or set of
operations which is performed on personal data or on
sets of personal data, whether or not by automated
means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available,
alignment or combination, restriction, erasure or
destruction;
WHAT IS PERSONAL DATA
▪ "Personal Data" means any information relating to an identified or
identifiable natural person (‘Data Subject’); an identifiable natural person
is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person; It can be anything from a name, address, a
photo, an email address, bank details, posts on social networking websites,
medical information, and other unique identifier such as but not limited
to MAC address, IP address, IMEI number, IMSI number, SIM, Personal
Identifiable Information (PII) and others;
CLASSICAL PERSONAL DATA
NAME
ADDRESS
PHONE NUMBER
BIRTHDATE
BIRTH PLACE
PHOTO
EMAIL ADDRESS
PERSONAL HEALTH/BIO INFORMATION
ACCOUNT/FINANCIAL INFO
GEO INFO ETC.
DIGITAL PERSONAL DATA/ONLINE IDENTIFIERS
SOCIAL MEDIA ACCOUNT
E-MAIL ADDRESS
METADATA
IP ADDRESS
MAC ADDRESS
IMEI NUMBER
IMSI NUMBER
DIGITAL CONSENT
▪ "Consent" of the Data Subject means any freely given, specific, informed
and unambiguous indication of the Data Subject's wishes by which he or
she, through a statement or a clear affirmative action, signifies agreement
to the processing of Personal Data relating to him or her (Article 1.3iii).
▪ Consent Requirement
➢ Transparency
➢ No Implied Consent
➢ No Bundled Consent
➢ Access to Data
➢ Special Category Consent
SEE ALSO THE VALID CONSENT GUIDE
DATA AUDITS (Art. 4.1(7))
▪ Non-filing of the Annual Audit Report by a Data Controller is a prima facie case of breach. 15th of March is the latest date for filing the Annual Data Audit Report.
▪ Filing Fees
✓ Less than 10,000 Data Subjects: N5,000
✓ 10,000-50,000 Data Subjects: N10,000
✓ More than 50,000 Data Subjects: N20,000
The content of the Audit Report is as specified in Art. 3.1(7). We have a template attached for our review.
Every Data Audit Report (DAR) must be accompanied by a Verification Statement by a DPCO.
A CURRENTLY RETAINED FINANCIAL AUDITOR CANNOT PERFORM DATA AUDITING SERVICE TO THE SAME ENTITY.
TRANSFER OF DATA ABROAD
TO TRANSFER DATA ABROAD, THE CONTROLLER MUST SHOW:
a) evidence of consent of the data subject;
b) the privacy policy of the company as at the time of consent;
c) the countries where the data would be stored;
d) an overview of the encryption method and data security standard;
e) the particular Data Protection Laws and a summary of processes
on data management (if any) of the jurisdiction;
f) contact of the country's Data Protection office.
DURATION OF DATA RECORD STORAGE
▪ The NDPR does not specify a length of time for storage, for many reasons. In
determining the length, Controllers should consider the following:
❖ The contract term agreed by parties;
❖ Whether the transaction type has statutory implication;
❖ Whether there is an express request for deletion by the Data Subject,
where such Subject is not under an investigation which may require
the data; and
❖ The cost implication of storage of such data by the Data Controller.
REPORT OF DATA PRIVACY BREACH
▪ Self-reporting of a Data Breach by the Controller is a major consideration in
determining the amount of fine to be levied. The report must be made within
72 hours from the time of knowledge of the Breach.
NDPR TIMELINES
▪ ISSUED: 25TH JAN, 2019
▪ REVIEWED PRIVACY POLICY: 25TH APRIL, 2019
▪ DATA AUDIT: 25TH OCTOBER 2019
▪ ANNUAL DATA AUDIT FILING: 15TH MARCH
PROCESSING BY MULTINATIONALS
Multinational Companies (MNCs) are deemed to be processing data in
Nigeria if one of these three conditions exists:
➢ The MNC has a branch or subsidiary intended to promote its activities
which is orientated towards Nigerians;
➢ The parent company designates an entity in Nigeria as its subsidiary for
the purpose of contracting on its behalf for advertising or other legal or
commercial purposes;
➢ The branch or subsidiary in Nigeria forwards to the parent or other
members of the group located outside Nigeria requests or requirements
relating to data subjects.
Google v. AEPD Spain: Where a Multinational has a local subsidiary
▪ The Court held: "When a single controller is established on the territory
of several Member States, particularly by means of subsidiaries, he must
ensure, in order to avoid any circumvention of national rules, that each of
the establishments fulfils the obligations imposed by the national law
applicable to its activities." (Google Spain SL, Google Inc. v AEPD, Mario
Costeja Gonzalez (C-131/12))
ARE DATA AGGREGATORS ALSO CONTROLLERS?
A Data Aggregator is one who creates a platform to process, arrange and
disseminate information originally collected by a third party or itself.
Aggregators include search engine operators, financial platforms,
e-commerce sites etc. In the popular case of Google Spain SL, Google Inc. v
AEPD, Mario Costeja Gonzalez (C-131/12), the court held that search engines:
❑ control dissemination of aggregate data;
❑ facilitate access by users;
❑ determine how data is accessed;
❑ are strictly liable for their breach of personal data.
INVENTORY OF PROCESSING ACTIVITIES
▪ An IPA (Inventory of Processing Activities) helps to fulfil ACCOUNTABILITY AND COMPLIANCE.
▪ The IPA can be done in two ways:
➢ Make an inventory of all Personal Data and state the processing it goes
through;
➢ Make an inventory of processing activities and state the data involved in the
processing.
THE IPA MUST ANSWER THE FOLLOWING QUESTIONS:
1. WHAT ARE THE PROCESSING ACTIVITIES CARRIED OUT BY THE
ORG.?
ANS: Customer Onboarding; Staff; Marketing etc.
2. WHAT IS THE BASIS FOR THE PROCESSING ACTIVITIES?
ANS: Map activities to one of the six bases listed above
3. WHO IS PERFORMING THIS ACTIVITY?
ANS: List the Department or Unit that performs the processing
4. WHICH PERSONAL DATA ARE WE PROCESSING?
ANS: Name, Email, phone etc.
5. WHERE IS THE PERSONAL DATA STORED?
ANS: IT System with description for easy identification
6. IS THERE INVOLVEMENT OF A PROCESSOR?
ANS: YES OR NO
7. DO WE (OR OUR PROCESSORS) USE A THIRD PARTY?
ANS: Provide a list of such third party processors
8. DO WE TRANSFER DATA OUTSIDE OF NIGERIA?
ANS: If Yes, state the country, any law on data protection and the contact of its
DPO
9. DO WE HANDLE SENSITIVE PERSONAL DATA?
ANS: IF YES, SPECIFY SUCH
10. IS THERE A RETENTION LAW ON THE DATA PROCESSING
ACTIVITIES?
ANS: Specify the law
11. HOW LONG IS THE DATA TO BE RETAINED?
ANS: State the minimum retention period
12. WHAT ACTION IS TAKEN ON THE PERSONAL DATA ONCE THE
RETENTION PERIOD EXPIRES?
ANS: State the action taken, e.g. data is anonymized, pseudonymized etc.
PENALTIES
▪ A Data Controller dealing with more than 10,000 Data Subjects: payment
of a fine of 2% of Annual Gross Revenue of the preceding year or payment
of the sum of 10 million Naira, whichever is greater
▪ CRIMINAL PROSECUTION UNDER THE NITDA ACT
DPCO- THE WHAT, WHY AND HOW
Data Protection Officer (DPO)
▪ Article 4.2: the Data Controller (organization) is to appoint a DPO and a DPCO
- DPO preferably a lawyer or one knowledgeable on compliance
- Must be a staff of the organization specifically hired to perform such
function
- Must be well trained and properly resourced
- Must not be involved in other departmental or SBU operations of the
firm, to avoid impairment of judgement
- Must only report to Senior management of the organization
Roles of DPO
➢ Ensuring adherence to this regulation
➢ Adherence to other similar regulations
➢ Development of Privacy Policy and updates
➢ Monitor adherence to the Data Controller's directives
➢ Review compliance of data processors (internal and external)
* DPCO can play or support this role
QUESTIONS AND ANSWERS