The Oyo state government has officially commenced the implementation of Nigeria Data Protection Regulation (NDPR) for eight ministries, departments and agencies (MDAs) participating in the first phase of the scheme.
Weeks back, the state held an NDPR implementation kickoff meeting designed to be a preparatory session for all in stakeholders drawn from the eight MDAs. The state had earlier signed on Data Protection Services Limited (DSPL) for a comprehensive implementation of NDPR as Oyo, touted as the pacesetter state, work towards national and global compliance with data security, privacy regulations.
The MDAs include Ministry of Finance, Ministry Justice, Ministry of Agriculture, Natural Resources and Rural Development, Board of Internal Revenue, Ministry of Health, Civil Service Commission, and Bureau of Public Procurement.
NDPR is mandatory by law
The NDPR, issued by the National Information Technology Development Agency (NITDA), is Nigeria’s primary data protection legislation. It provides the legal framework for data protection compliance requirements and managing breaches including the imposition of penalties for defaulters.
Since 25th January 2019 when it became the effective regulation for data protection compliance, all public and private entities that process the personal data of more than 1000 data subjects in a period of six months and 2000 data subjects in a period of 12 months must submit a Data Protection Audit Report to the NITDA.
Data protection audit filing mandatory by law
By law, the submission is annual and mandatory. Data protection audit filing must be not later than March 15 of every year.
By the provision of the NDPR, “compliance is not a one-off obligation but a continuing activity for data controllers and processors in Nigeria. Failure to file these returns to NITDA is deemed a breach of the NDPR,” says one report by Mondaq AI.
“NDPR is no longer an option. Globally, it is a requirement and compliance is increasingly becoming the benchmark upon which state entities can access international grants or be able to access loan instruments for development. This has made it critical for civil servants to understand the existing guidelines for data privacy and security” said Managing Director of DSPL, Tunde Balogun at the opening training session in Ibadan, capital of the pacesetter state.
Oyo sets the pace for state-wide NDPR implementation
Oyo is the first state in Nigeria initiating a state-wide NDPR implementation across several MDAs as DSPL begins work this week in Ibadan. The implementation also covers NDPR exposure trainings expected to benefit no less than 40% of the state’s over 115,000 civil servants.
The public servants will undergo series of data protection, privacy trainings – all part of the deliverables by DSPL. Other deliverables include awareness creation for civil servants on data privacy policies for MDAs; collection of data, disposal of data; and audit of the state’s MDAs to assess their level of data protection readiness.
Oyo is the pacesetter state, and our governor believes that information technology including programmes like this could further help his agenda to rapidly develop the state and the people,” said Permanent Secretary (General Administration), said Mrs. Adejoke O. Eyitayo at the NDPR pre-implementation meeting.
Also during the NDPR kickoff meeting, Special Assistant on ICT & e-Governance for Oyo State Government, Mr. Adebayo Akande, had tasked the DSPL on the need to have a comprehensive approach to implementing the deliverables of the NDPR project in Oyo state. According to him, the Oyo state remains committed to improving the digital skill sets of all civil servants regarded by the governor as critical human resource.
“NDPR, impose specific legal compliance requirements on private and public entities in relations to handling of citizens’ personal data.Governments are the biggest processors of personal data of Nigerians. The tendencies for breaches or abuses are highest among MDAs whether at state or federal level. Preparing government officials for global best practice in data privacy and protection is critical to positioning the state for growth or ability to access global cooperation and international financing as the world increasingly tilts to digital economy” said DSPL’s Balogun.
“Our unique NDPR implementation life cycle consists of three phases – Prepare, Operate and Maintain – with each incorporating a number of supporting activities. The objective defined for each phase is attained once all of the activities for that phase have been successfully executed. The ultimate goal of our methodology is sustaining and evidencing compliance with the NDPR,” he had added during the pre-implementation meeting inside the Management Information Centre (MIC) within the governor’s office in Ibadan.
DSPL is one of the data protection compliance organizations (DPCOs) licensed by the NITDA and has built extensive experience in provisioning remote and on-site trainings on data protection compliance.
DSPL is already providing similar services to the government of Plateau State in central Nigeria. It has helped to guide the Plateau State Internal Revenue Service (PSIRS) to meet the NDPR compliance requirements.
“In addition to assisting private organisations meet the compliance requirements, DSPL has been able to develop unique tools to help MDAs adopt the NDPR guidelines and embark on their data protection journey with little or no encumbrances. We believe as we begin to interact, we can all diligently go through the learning curve to become more professional in our approaches and be able to drive the goals of our respective organisations” said Balogun.