Matters Arising from EU’s Data Protection Law


Implementation of the European Union’s General Data Protection Law, which took effect from May 25, could have far-reaching implications for non-compliance that must be addressed, writes Emma Okonji

The much talked about European Union (EU)’s General Data Protection Regulation (GDPR) law, finally took effect from last week, precisely May 25, 2018, with broad reaching implications for non-compliance.

Although the GDPR law is a new EU privacy regulation law that is designed for EU member countries, which Nigeria is not part of, the law is binding on all organisations, government agencies and private businesses globally, that offer goods and services to people in the EU or that collect and analyse data linked to EU residents.
The GDPR law is therefore binding on Nigerians and Nigerian businesses that offer any type of goods and services to EU member countries.

The regulation, known as GDPR sets a new bar for privacy rights, security and compliance. It contains many requirements about collecting, storing, and using personal information to identify and secure personal data, accommodate new transparency requirements, detect and report personal data breaches. Nigerian businesses will therefore need to build the new requirements of the law into their own businesses, as well as play key role in helping customers handle all the complexities introduced by the GDPR. Failure to comply with the GDPR law will attract huge financial penalty as much as €20 million (N8.5 billion) or 4 per cent of company’s global turnover.

About EU’s GDPR law
The GDPR law is the EU’s new data protection law that replaces the Data Protection Directive, which has been in effect since 1995.

While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law, as it gives individuals greater control over their personal data and imposes many new obligations on organisations that collect, handle or analyse personal data. The GDPR law also gives national regulators new powers to impose significant fines on organisations that breach the law.

The GDPR law, which took effect from May 25, 2018, became a law in April 2016, when it was first published. But given the significant changes that some organisations will need to make to align with the regulation, a two-year transition period was added, hence the implementation date was extended to May 25, 2018.

The importance
According to the official document released by EU on GDPR, titled ‘Unlocking the EU General Data Protection Regulation,’ the GDPR law comes with many benefits and importance. First it provides a very wide-range policy that will impact almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based outside the EU member countries.

Also, the EU legislators felt that organisations do no longer take their data protection responsibilities seriously enough, and so the GDPR dramatically increases the maximum penalties for non compliance to as much as €20 million (N8.5billion) or four per cent of global turnover and these numbers are specifically designed to attract C-Suite attention.
Another benefit, according to the document, is that the GDPR law raises the bar for full compliance significantly. It requires greater openness and transparency and imposes tighter limits on the use of personal data and gives individuals more powerful rights to enforce against organistions.

GDPR requirements
The GDPR law imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with six key principles.
According to the EU GDPR document, one of the six key principles included transparency, fairness and lawfulness by organisations in the course of handling and analysing personal data. Organisations need to be clear with individuals about how they are using personal data. Another principle is built around limiting the processing of personal data to specified, explicit and legitimate purposes, such that organisations will not be able to re-use or disclose personal data for purposes that are not compatible with the purpose for which the data was originally collected.

The third key principle is about minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose. The fourth key principle, according to the document, has to do with ensuring the accuracy of personal data and enabling it to be erased or rectified, while the fifth principle is centered around limiting the storage of personal data and ensure that organisations retain personal data only for as long as necessary to achieve the purposes for which the data was collected, while the sixth principle is about ensuring security, integrity and confidentiality of personal data. It is expected of organisations to take steps to keep personal data secure, through technical and organisational security measures.

Implications for non-compliance
Implications for non-compliance of the EU data protection law, will not only attract huge fines to the tune of N8.5 billion, but will also cut off such organisations from doing business with any EU member country, thus limiting the scope of business of such defaulting organisation. In addition, the GDPR empowers consumers and organisations acting on their behalf, to institute civil litigation against organisations that breach the GDPR law.

Complaint strategy
Experts in GDPR law compliance have come up with strategies on how organisations in Nigeria can comply easily with the EU’s data protection law, and remain competitive in global businesses within and outside of the EU member countries. Some of the strategies include awareness creation, training, making organisations GDPR ready, engagement and building of expertise skills on data laws, among others.

Microsoft for instance, has taken steps of commitment to become GDPR compliant across its cloud services in order to support its customers and partners in their transition to GDPR compliance

The leading software giant has therefore advised businesses in Nigeria, both small and large corporates that are aiming to expand their businesses beyond the shores of the country, with a desire to achieve global best practice in business, to immediately key into the GDPR law, which seeks to protect personal identifiable data across organisations.

Lead Commercial Attorney, Microsoft Middle East and Africa (MEA) Emerging Markets, John Edokpolor, said: “Companies are increasingly embracing the cloud, with unprecedented ability to capture and store massive amounts of data, which calls for an updated governance framework for data protection policy in this new age.”
According to him, in achieving compliance, businesses must address three things: people, processes, and preparedness.

Information security consultant and Chief Executive Officer, Petrovice Resources, Adesanya Ahmed, noted that compliance with GDPR would protect Nigerian organisations from not being sanctioned in global trade. He assured Nigerian businesses of easy technology tolls that will help achieve compliance.

Co-founder and Co-CEO, Vimmi, Eitan Koter, said: “Privacy and security are of utmost importance to Vimmi and we strive to ensure that our technical and organisational measures in place respect your data protection rights.”
This Privacy Policy describes how we manage, process and store personal data submitted in the context of providing our services, he added.

He further explained that the principal purpose of collecting personal data is to offer individuals a safe, optimum, efficient and personalised experience. He said personal data collected was used to inform consumers about Vimmi services, notify customers of major service or website updates, in response to customer service tickets, to address copyright infringement, defamation, or authorised use-related issues, to communicate to customers when they wish to learn more about Vimmi, its products and services.

Now that the GDPR law implementation has commenced globally, organisations in Nigeria will need experts to guide them through the compliance process.