Anxiety Heightens in Nigeria over EU’s GDPR Law


Emma Okonji

The May 25, 2018 deadline for the commencement of the General Data Protection Regulation (GDPR) law for European (EU) countries has continued to raise anxiety among businesses in Nigeria and beyond.

Nigerian business men and women are of the view that the law will affect businesses in Nigeria, especially businesses that have international partnerships with foreign countries, which directly or indirectly have business affiliations with EU countries.

Their fear is based on the global compliance with the law because of the heavy penalty that will come with the breach of the law when it takes effect from May 25, 2018. Some are of the opinion that most businesses outside EU, including Nigeria may be grounded by the time the law takes effect.

The GDPR law which was drafted April 2016, had two years of grace period for EU countries, and will take full effect including its penalties from May 25 this year.

Although the law seeks to protect personal identifiable data for big and small organisations, it however comes with heavy penalty for breach of the law, and Nigerian businesses with international affiliations are not prepared for the implementation yet, a situation that is creating panic among business owners in Nigeria and beyond.

The law which is meant to change the face of global businesses, will certainty disrupt the operational modules of organisations that will be compelled to hire Data Processing Officers (DPOs) to manage data processing in organisations. It is estimated that over 75,000 DPOs will be employed globally to effect the necessary organisational changes that will come with EU’s GDPR law.

Microsoft had earlier in the week, raised awareness among Nigerian businesses about the law, but an Information security consultant and Chief Executive Officer, Petrovice Resources, Adesanya Ahmed, has also come up to say that Article 3 of EU defines territorial scope.

According to him, “The article states that organisations must comply with GDPR if they offer goods or services to EU citizens, even without payment, or monitoring the behaviour of EU citizens.

“The starting point should be to determine whether the organisation process personal data of EU citizens, either as a controller or processor of data, or whether a part of your organisation operate within the EU borders.

“If answer to one of the questions is yes, then it does not matter were your business headquarters are located. As long you are in the place were member state law applies by virtue of public international law, you need to comply with GDPR,” he added.

He noted that complying with GDPR protects Nigerian organisations from not being sanction in global trade. For Instance, EU adopted a global best practice like: PCI DSS for risk management and also for cloud computing environments while the National Information Technology Development Agency (NITDA) in Nigeria, adopted COBIT 5 of ISACA as a regulatory framework.

“When adopting these regulations, it is advantageous for an enterprise to have a solid governance function in place, to help with implementation and execution. And if the organisation lacks that structure, GDPR compliance is a good reason to begin creating that structure in your enterprise.”

Information Security Audit Manager at Serbia, EU, Dragan Jovicic, urged organisations outside of EU to perform a data protection impact assessment as a required element of GDPR.

“This is an initial step in determining the need to comply with GDPR in the process of GDPR implementation. Once the organisation determines that it has to comply with the regulation, the compliance program must include all parts of data processing.

“Data processing includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data,” Jovicic said.

Organisations that see 25 May not only as a deadline, but more as the starting point of a long-lasting GDPR compliance program, will have an advantage in processing personal data applying GDPR principles. Organisations should use this moment as an opportunity to implement best practices and realise benefits from GDPR, Ahmed advised.