NDPR: OVERVIEW AND BUSINESS IMPLICATIONS

TAXTECH AWARENESS SEMINAR

OLUFEMI DANIEL ESQ., DESK OFFICER - NDPR

Copyright Reserved September 2019


BEFORE PROTECTION, THERE WAS PRIVACY

▪ The right to be left alone is a constitutional concept that arose from Justice L.D. Brandeis, Olmstead v. US 277 U.S. 438 (1928).

▪ The privacy right was promoted to limit the intrusion of government into private life.

▪ The right to privacy covers private correspondence, email and internet use, medical records, personal data and sexual orientation.

▪ What is private depends on the importance society attaches to the thing in question, e.g. millions of medical records in the hands of a pharmaceutical company are a treasure trove.

National Information Technology Development Agency 2


NITDA AND DATA PROTECTION

▪ NITDA was established to implement the National IT Policy of 2000. Strategy 13.3(iii) of the Policy provides: "Ensure the protection of individual and collective privacy, security, and confidentiality of information."

▪ S.6(c) of the NITDA Act 2007 provides that the Agency shall:

(a) create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices, activities and systems in Nigeria and all matters related thereto and for that purpose…

(c) develop guidelines for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods.


JUDICIAL IMPRIMATUR

▪ Paradigm Initiative for Information Technology v. NIMC, FHC/ABJ/CS/58/2019

The crux of the matter was whether NIMC had the right to collect personal data without an adequate security and regulatory framework to guide the process. The court took notice of the issuance of the NDPR by NITDA and therefore dismissed the case on the basis that the issues complained of by the Claimant had been taken care of through the NDPR and other measures established by NIMC.

The court invariably recognized the NDPR as the national legal regime upon which other data processing activities may ride.


OVERVIEW OF THE NDPR

▪ The objectives of the NDPR are to safeguard data privacy, foster the safe conduct of transactions involving personal data, and make Nigerian institutions globally competitive and relevant.

▪ Scope (Art. 1.2): This Regulation applies to all transactions intended for the processing of Personal Data, and to the processing of Personal Data notwithstanding the means by which the data processing is being conducted or intended to be conducted, in respect of natural persons in Nigeria.


THE DATA PEOPLE

▪ DATA SUBJECT - the individual whose data is to be protected

▪ DATA CONTROLLER - an entity who determines the purposes for and the manner in which Personal Data is processed

▪ DATA ADMINISTRATOR/PROCESSOR - one who processes data

▪ DPO - the in-house Data Protection Officer of a large Data Controller

▪ DPCO - NITDA-licensed organisations who provide Data Protection services


PRINCIPLES OF THE NDPR

COMPARISON WITH EU GDPR


CONTENTS OF THE NDPR

▪ The Regulation addresses:

✓ RIGHTS OF THE DATA SUBJECT

✓ BASIS FOR LAWFUL PROCESSING

✓ MEANING AND MEANS OF PROCURING VALID CONSENT

✓ CONTENT OF PRIVACY POLICY

✓ DATA SECURITY

✓ 3RD PARTY PROCESSING

✓ PENALTIES

✓ TRANSFER TO A FOREIGN COUNTRY


EU GDPR MAJOR FINES TO DATE


LEGAL BASIS FOR HOLDING DATA

The six bases for holding data are:

▪ Consent of the Data Subject

▪ Contract

▪ Legal compliance

▪ Vital interest of the Data Subject

▪ Public interest

▪ Legitimate interest


COMPLIANCE APPROACH

The compliance structure has three tiers: NITDA (as National DPO); DPCOs; Data Controllers/Processors.


KPIs FOR DPCOs

▪ DOCUMENTATION

✓ Data Protection Strategy

✓ Privacy Policy

✓ Review of contracts in line with NDPR/GDPR

✓ Forms - Data Subject Access Request; Rectification etc.

✓ Inventory of Processing Activities

✓ Data Protection Impact Assessment

▪ TRAINING/CAPACITY DEVELOPMENT

✓ General trainings

✓ In-house pre- and post-implementation orientation

✓ Consultations

✓ Recruitment and capacity for DPOs

▪ OTHERS:

✓ Brand enhancement through compliance

✓ Responding to regulatory queries

✓ Incident management

March, 2019 National Information Technology Development Agency 14


DATA BREACH RISK CLASSIFICATION TABLE

Classes of Data Assets | Risks of Compromise
PII (name, contact, education, career…) | Unsolicited contact; identity theft
Financial information and records | Marketing nuisance; financial loss; risk to safety
Sensitive personal information (medical, sexual orientation, biometric…) | Reputational damage; financial loss; opportunity loss
Sensitive financial information (BVN, card details, login credentials…) | Financial loss; identity theft; reputational damage

Bands by number of Data Subjects: > 1 million; 100k – 999k; 10k – 99,999; 1k – 9,999; < 1k


RISK BASED STRATIFICATION

▪ VERY HIGH: Banks, Telcos, CBN, PFC/PFA, big insurance companies etc.

▪ HIGH: Big Fintechs, notable hospitals, NIMC, stock brokers

▪ AVERAGE: Large companies, medium financial companies, PENCOM

▪ LOW: Schools, transport companies, courier companies etc.

▪ VERY LOW: SMEs, payroll etc.


COMPLIANCE CHECKLIST FOR CONTROLLERS

SN | Checklist | NDPR
1 | Conduct Data Audit | Art. 3.1(7)
2 | What is the legal basis for processing? | Art. 2.2
3 | Clarity on data processing | Art. 2.5
4 | Privacy by Design | Art. 2.6
5 | Awareness and capacity | Art. 4.1(3)
6 | Develop and circulate Data Privacy Policy, which contains the DPIA process and notification of authority | Art. 2.5
7 | Design system for easy rectification, portability etc. |


WHAT DOES IT MEAN TO PROCESS DATA?

▪ Art. 1.3 defines "Processing" as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


WHAT IS PERSONAL DATA

▪ "Personal Data" means any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personally Identifiable Information (PII) and others.


CLASSICAL PERSONAL DATA

▪ NAME

▪ ADDRESS

▪ PHONE NUMBER

▪ BIRTHDATE

▪ BIRTH PLACE

▪ PHOTO

▪ EMAIL ADDRESS

▪ PERSONAL HEALTH/BIO INFORMATION

▪ ACCOUNT/FINANCIAL INFO

▪ GEO INFO ETC.


DIGITAL PERSONAL DATA/ONLINE IDENTIFIERS

▪ SOCIAL MEDIA ACCOUNT

▪ E-MAIL ADDRESS

▪ METADATA

▪ IP ADDRESS

▪ MAC ADDRESS

▪ IMEI NUMBER

▪ IMSI NUMBER


DIGITAL CONSENT

▪ 'Consent' of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her (Article 1.3iii).

▪ Consent Requirements

➢ Transparency

➢ No implied consent

➢ No bundled consent

➢ Access to data

➢ Special category consent

SEE ALSO THE VALID CONSENT GUIDE


DATA AUDITS (Art. 4.1(7))

▪ Non-filing of the Annual Audit Report by a Data Controller is a prima facie case of breach. 15th of March is the latest date for filing the Annual Data Audit Report.

▪ Filing fees:

✓ Less than 10,000 Data Subjects: N5,000

✓ 10,000–50,000 Data Subjects: N10,000

✓ More than 50,000 Data Subjects: N20,000

The content of the Audit Report is as specified in Art. 3.1(7). We have a template attached for our review.

Every Data Audit Report (DAR) must be accompanied by a Verification Statement by a DPCO.

A CURRENTLY RETAINED FINANCIAL AUDITOR CANNOT PERFORM DATA AUDITING SERVICE TO THE SAME ENTITY.


TRANSFER OF DATA ABROAD

TO TRANSFER DATA ABROAD, THE CONTROLLER MUST SHOW:

a) evidence of consent of the data subject;

b) the privacy policy of the company as at the time of consent;

c) the countries where the data would be stored;

d) an overview of the encryption method and data security standard;

e) the particular Data Protection Laws and a summary of processes on data management (if any) of the jurisdiction;

f) the contact of the country's Data Protection office.


DURATION OF DATA RECORD STORAGE

▪ The NDPR does not specify a length of time for storage, for many reasons. In determining the length, Controllers should consider the following:

❖ The contract term agreed by the parties;

❖ Whether the transaction type has statutory implications;

❖ Whether there is an express request for deletion by the Data Subject, where such Subject is not under an investigation which may require the data; and

❖ The cost implication of storage of such data by the Data Controller.


REPORT OF DATA PRIVACY BREACH

▪ Self-reporting of a Data Breach by the Controller is a major consideration in determining the amount of fine to be levied. The report must be made within 72 hours from the time of knowledge of the Breach.


NDPR TIMELINES

▪ ISSUED: 25TH JAN, 2019

▪ REVIEWED PRIVACY POLICY: 25TH APRIL, 2019

▪ DATA AUDIT: 25TH OCTOBER 2019

▪ ANNUAL DATA AUDIT FILING: 15TH MARCH


PROCESSING BY MULTINATIONALS

Multinational Companies (MNCs) are deemed to be processing data in Nigeria if one of these three conditions exists:

➢ The MNC has a branch or subsidiary intended to promote its activities which is oriented towards Nigerians.

➢ The parent company designates an entity in Nigeria as its subsidiary for the purpose of contracting on its behalf for advertising or other legal or commercial purposes.

➢ The branch or subsidiary in Nigeria forwards to the parent or other members of the group located outside Nigeria requests or requirements relating to data subjects.


Google v. AEPD Spain: where a multinational has a local subsidiary

▪ The Court held: "When a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure, in order to avoid any circumvention of national rules, that each of the establishments fulfils the obligations imposed by the national law applicable to its activities." (Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12))


ARE DATA AGGREGATORS ALSO CONTROLLERS?

A Data Aggregator is one who creates a platform to process, arrange and disseminate information originally collected by a third party or by itself. Aggregators include search engine operators, financial platforms, e-commerce sites etc. In the popular case of Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12), the court held that search engines:

❑ control the dissemination of aggregate data;

❑ facilitate access by users;

❑ determine how data is accessed;

❑ are strictly liable for their breach of personal data.


INVENTORY OF PROCESSING ACTIVITIES

▪ An IPA helps to fulfil ACCOUNTABILITY AND COMPLIANCE.

▪ The IPA can be done in two ways:

➢ Make an inventory of all Personal Data and state the processing it goes through.

➢ Make an inventory of processing activities and state the data involved in the processing.

THE IPA MUST ANSWER THE FOLLOWING QUESTIONS:

1. WHAT ARE THE PROCESSING ACTIVITIES CARRIED OUT BY THE ORG.?

ANS: Customer onboarding; staff; marketing etc.


2. WHAT IS THE BASIS FOR THE PROCESSING ACTIVITIES?

ANS: Map activities to one of the six bases listed above.

3. WHO IS PERFORMING THIS ACTIVITY?

ANS: List the Department or Unit that performs the processing.

4. WHICH PERSONAL DATA ARE WE PROCESSING?

ANS: Name, email, phone etc.

5. WHERE IS THE PERSONAL DATA STORED?

ANS: IT system, with a description for easy identification.


6. IS THERE INVOLVEMENT OF A PROCESSOR?

ANS: Yes or no.

7. DO WE (OR OUR PROCESSORS) USE A THIRD PARTY?

ANS: Provide a list of such third-party processors.

8. DO WE TRANSFER DATA OUTSIDE OF NIGERIA?

ANS: If yes, state the country, any law on data protection and the contact of its DPO.

9. DO WE HANDLE SENSITIVE PERSONAL DATA?

ANS: If yes, specify such data.


10. IS THERE A RETENTION LAW ON THE DATA PROCESSING ACTIVITIES?

ANS: Specify the law.

11. HOW LONG IS THE DATA TO BE RETAINED?

ANS: State the minimum retention period.

12. WHAT ACTION IS TAKEN ON THE PERSONAL DATA ONCE THE RETENTION PERIOD EXPIRES?

ANS: State the action taken, e.g. data is anonymized, pseudonymized etc.


PENALTIES

▪ A Data Controller dealing with more than 10,000 Data Subjects: payment of a fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater.

▪ CRIMINAL PROSECUTION UNDER THE NITDA ACT


DPCO - THE WHAT, WHY AND HOW


Data Protection Officer (DPO)

▪ Article 4.2: a Data Controller (organization) is to appoint a DPO and a DPCO.

- The DPO is preferably a lawyer or one knowledgeable on compliance

- Must be a staff member of the organization specifically hired to perform such function

- Must be well trained and properly resourced

- Must not be involved in other departmental or SBU operations of the firm, to avoid impairment of judgement

- Must only report to senior management of the organization


Roles of the DPO

➢ Ensuring adherence to this regulation

➢ Adherence to other similar regulations

➢ Development of the Privacy Policy and updates

➢ Monitoring adherence to the Data Controller's directives

➢ Reviewing compliance of data processors (internal and external)

* A DPCO can play or support this role


QUESTIONS AND ANSWERS