Monday, March 2, 2020 /
04:37PM / By Olubunmi Abayomi-Olukunle / Header Image
Credit: CPO Magazine
As you may already be aware, Nigeria has now aligned herself with the global regulatory trend around regulating the collection and processing of the Personal Data of Nigerian citizens.
On this basis, the National Information Technology Development Agency (NITDA) has recently published the Nigerian Data Privacy Regulations (Data Privacy Regulations). We now have some confirmation that the NITDA seeks to commence the issuance of regulatory actions after March 31, 2020 up to 100 erring companies.
In summary, the approach taken by NITDA in the Data Privacy Regulations is to place additional compliance obligations on all Nigerian companies/employers in regard to how they collect, use and process the Personal Data of employees and customers/users or prospects. Kindly note that by law, failure to comply with these obligations may culminate in a fine of up to 2% of your company's Annual Gross Revenue.
Here are a few quick points to note in the compliance walk.
1. Immediately Conduct an Initial Data Audit:
2. Annual Data Audits/Submission:
This requirement only applies to organisations/employers who have processed the Personal Data of over 2000 Data Subjects in the last 12 months. The deadline for filing a summary of this Data Audit is March 15, of every year. Please note that these audits are to be conducted independently by external compliance professionals, technology-focused lawyers or other licensed data privacy professionals. The Annual Data Audit submission to NITDA for this year is due in less than 3-weeks from now.
3. Provide Data Privacy Awareness & Training for all Employees:
We generally advise that employers/organisations consider this point because an employees are at the centre of all Data Privacy Compliance Frameworks. A failure in an employee's judgement of data privacy issues can present a level of regulatory risk for an employer. At the very minimum, it would be prudent for key designations like Chief Technical Officer, Chief Product Officer, Data Scientists, Database Manager & Engineers and the Board of Directors/Management/Founders to have a clear and working understanding of the requirements of the Data Privacy Regulations. We generally pay additional attention to deconstructing the Legal Standards pertaining to the definition of "Personal Data", "Data Controller", "Data Processor", "Data", "Data Subject", "Filing System", "Consent", "Sensitive Personal Data" etc and how Nigerian courts will interpret these Legal Standards in a dispute or regulatory action scenario.
4. How About Institutional Private Equity, Venture Capital or Strategic Investors/Accelerators?
Although there is no direct obligation under the Data Privacy Regulations in relation to portfolio companies, equity investments may suffer significantly where a fine is levied on a portfolio company by NITDA for failure to comply with the Data Privacy Regulations. On this basis. it would be prudent for investors to now seek confirmation from all their portfolio companies that such portfolio companies have complied with the mandatory requirements of the Data Privacy Regulations. Also, non-resident investors who collect Personal Data on their websites from founding teams in Nigeria, will need to comply with the relevant provisions of the Data Privacy Regulations. Lastly, investors with a local entity for sourcing deals or fund manager entities registered locally, as the case maybe, would also be caught by the provisions of the Data Privacy Regulations.
5. Obtain Data Processing Consent from all existing and prospective employees to process Employee Data:
This can be achieved by ensuring that all existing and prospective employees sign a Data Consent Declaration.
6. The Headcount:
Please note that for purposes of determining the qualifying threshold of 1000 or 2000 Data Subjects as per thresholds stipulated by the Data Privacy Regulations, all employees and customers/users are captured including part-time employees, contract staff, full time staff, and one-off or non-paying customers.
In the Business Update available via this link , we share some additional insights from some of the Data Privacy Audits that we have conducted recently.
Please feel free to let us know if you require our support with regard to conducting a Data Privacy Audit for your Company and making the necessary filings at the NITDA. Please note that the conduct of a Data Audit is a paid service.
We generally provide free Employee Training and Awareness Program for all our retained clients or as a compliment for a Data Audit engagement. Please feel free to reach out, to confirm and agree a suitable timing for this Program, which we may conduct virtually or in-person, depending on the peculiar circumstances of your company.
Olubunmi Abayomi-Olukunle is a partner and Lead Counsel at the Private Equity, Venture Capital & Emerging Companies sector-focused, specialist investment & finance law firm of Balogun Harold - www.balogunharold.com or via e-mail: email@example.com
3. Report Sets Out Governance of Key OTC Derivatives Data Elements - Oct 09, 2019
4. The Economics of Data - Sept 23, 2019
Related News - Business Regulation
Related News on Data & Financial Inclusion