The National Information Technology Development Agency (NITDA) has alerted Nigerian businesses on the implications of the new EU General Data Protection Regulation (GDPR). The new GDPR particularly concerns those that collect, store and process personal data of European Union (EU) citizens for the provision of goods and services.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It applies to organisations established in the EU and, under its Article 3(2), to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU; the test is the data subject's location in the EU, not EU citizenship.
The implementation of the GDPR has commenced. But “25th of May 2018 is the day that all data protection arrangements in companies have to be changed accordingly. It does not only affect European businesses, but every company or enterprise that processes personal data of European citizens.”
The general principles for processing personal data (Article 5 GDPR) require that it is processed lawfully, fairly and transparently. The purpose of processing has to be specified and legitimate, and the amount of data processed has to be limited to what that purpose needs. The data has to be accurate and kept up to date, and the storage period has to be limited to what the purpose requires. Additionally, the integrity and confidentiality of the data have to be protected with appropriate technical and organisational measures, and the controller must be able to demonstrate compliance with all of these. In short:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
With the new GDPR it becomes more important to inform the customer, or the person whose data you process, about what happens to their data, and to be able to act on the requests the regulation entitles them to make. The data subject rights you have to be aware of are summed up in the following points:
- Right to be informed about the processing
- Right of access by the data subject (confirmation that their data is being processed, and a copy of it)
- Right to rectification of inaccurate data
- Right to erasure: the ‘right to be forgotten’
- Right to restriction of processing
- Right to data portability
- Right to object
The responsibility to comply with the GDPR lies with companies that process personal data. They have to implement
As part of its responsibility and commitment to ensure compliance with global regulation and trends, the Nigerian IT agency issued an alert on the GDPR this morning in Abuja advising enterprises on adherence to the data protection regulation. The statement signed by its Director General/CEO, Dr Isa Ali Ibrahim Pantami, is published below:
The management of the National Information Technology Development Agency (NITDA) would like to bring to the attention of Nigerian businesses, especially those that collect, store and process personal data of European Union (EU) citizens for the provision of goods and services, and the general public, the implications of the new EU General Data Protection Regulation (GDPR).
The regulation, which was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, is replacing the data protection directive of 1995. It applies whether the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, such as a data centre) or the data subject (the person whose personal data has been collected) is based within or outside any EU member state, if they collect or process personal data of EU citizens and residents.
The Agency has realized that this regulation might have huge impact on Nigerian businesses and/or individuals that use Information Technologies to collect, store, process and transact on EU citizens personal data in EU territory or elsewhere. It is in the utmost interest of the Agency to protect Nigerian businesses from unnecessary exposure to the risks of this regulation and/or any regulations that might have negative impact on their businesses as well as the rights of Nigerians that have dual citizenship of any EU member state.
NITDA therefore calls on Nigerian organisations that are controllers and processors of personal data of EU nationals to note that companies that meet the following criteria must comply:
- have offices in an EU member state;
- have no offices in any EU member state but process personal data of EU nationals and residents;
- have more than 250 employees; and
- have fewer than 250 employees but their data processing impacts the rights and freedoms of data subjects or occasionally includes certain types of sensitive personal data.
The regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language.
A breach of the regulation can attract a fine of up to 4% of a company’s annual global turnover or an equivalent of twenty million euros (€20 million). Furthermore, companies can be fined up to 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
The regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. They also have the right to transmit data they had previously provided to another controller. Furthermore, they are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Therefore, NITDA is calling on Nigerian businesses, especially those carrying out online transactions and meet the GDPR compliance criteria to put in place appropriate measures to observe the provisions of this regulation to avoid being sanctioned for a liable breach. Organisations are also required to note the provisions of the NITDA Guidelines on Data Protection, issued in 2013 and currently being revised. In an effort to make the Agency’s rule making process transparent and industry-focused, the revised guideline will soon be presented for stakeholder consultation as stipulated in the Rule making Process Regulation of NITDA.