As the world celebrate the Privacy Day today, the Managing Director, DataPro Limited, a licensed Data Protection Compliance Organisation, Abimbola Adeseyoju, in this interview speaks on the essence of data protection and privacy in combating cybercrime. Adedayo Adejobi brings the excerpts
What is the Privacy Day all about?
The day was first celebrated in Europe in 2007. By 2009, the United States started recognising the day as Privacy Day. And since then it has assumed global recognition and celebration. The day is set aside to raise awareness and promote privacy and data protection best practices. We are now in a digitised, globalised and technologically driven world. So, the day is also set aside to remind all operators and players within the digitalised world about their obligations on data privacy and protection and the need to avoid data breaches, abuse, and misuse. The day is particularly significant in Nigeria. We are happy that Nigeria has joined the rest of the developed world in recognising data privacy and protection as part of the fundamental rights of all Nigerians.
The importance of having the Nigeria Data Protection Regulation (NDPR) issued by the National Information Technology Development Agency (NITDA) on 28th of January, 2019, is that every citizen of Nigeria irrespective of wherever they reside all over the world is now guaranteed, data privacy as part of their fundamental human rights and can demand for justice any time this right is breached, abused or misused. So it is quite significant that Nigeria is joining the rest of the world to celebrate the occasion and awaken the sensibilities of all Nigerian on what the federal government has done to protect their rights. This is indeed a plus on the part of the government, and it again, calls for a pat on the back. They have done well in this regard.
What is the role of DataPro Limited as a DPCO?
The National Information Technology Development Agency (NITDA) in 2019 licensed Data Protection Compliance Organisation (DPCOs), of which DataPro Limited is one, to among other deliverables, evaluate the level of compliance to the NDPR by accountable institutions such as data controllers, data processors and some government agencies. The Data Protection Compliance Organisations are also expected to render services such as training and awareness programs, Data Protection Impact Assessment (DPIA), Audit exercise, contents drafting and advisory. At DataPro, our core competence includes guidance service on data protection, privacy policy formulation and communication, sensitisation and capacity building programs, Data Protection Impact Assessment (DPIA) and annual Audit.
Can the Nigeria Data Protection Regulation (NDPR) be used to fight cybercrime?
The answer is yes. The NDPR (2019) is complimentary to the Nigeria Cybercrime Act of 2019. One sure way of combating and crime is by appointing effective, proportionate, dissuasive and commensurate punishment for offenders and those who go against the provisions of the regulations. The NDPR imposes both civil and administrative sanctions on violators and offenders.
According to the provisions of the regulation, any person subject to the regulation found to be in breach of the data privacy rights of Nigerians shall be liable in addition to any other criminal liable to: (a) In the case of Data Controllers/Data Process dealing with more than 10,000 Data subject (such as IT companies, payment companies, fintechs, banks, insurance companies, etc), payments of fine of two per cent of Annual Gross Reverence of the preceding year or payment of the sum of N10 million, whichever is greater; (b) in the case of a Data Controller/Data Processor dealing with more than 10,000 Data subject payment of the fine of one per cent of the annual gross reverence of the preceding year or payment of the sum of N2 million whichever is greater. According to the NDPR, 2019, data Controller/processor means a legal person who either alone, jointly with other entities or in common with others or as a statutory body determines the purpose data is processed or is to be processed.
What constitutes infringement under the regulation including accidental or unlawful destruction of personal data, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or other prevent personal data. NITDA as the enforcer of the regulation also has right to set up administration – panel to investigate allegations of breaches and issuance of administrative orders to protect the privacy rights of all Nigeria. So, every Nigerian is free to report any infringement of their privacy rights to NITDA for necessary remediation and action.
How do you see technology companies evolve on the issue of data privacy and protection?
We need to go down memory lane to really capture the impact technology companies have had on the issue of personal data privacy and protection. Despite the long agitation for the right to respect of individual personal data, it took the young in age of the computer world and the accompanying digitisation and globalisation of business and personal data to drive the awareness and put everything on the front burner.
The tipping point seems to be the Face-book-Cambridge Analytical data scandal of 2018, when it was revealed that Cambridge Analytical had harvested the personal data of millions of people’s Facebook profiles without their consent and used it for political advertising purposes. This has been described by many as the watershed moment in the public understanding of personal data, especially with the clarion call for tighter regulations of technology companies use of personal data. So you are right.
The tech companies are at the centre of the data protection and privacy regulation. What the NDPR (2019) has done is to provide clarity and consistency in the roles of data processors such as tech companies. They now have to provide transparent and easily accessible polices regarding notice of collection of personal data, notice of processing of personal data and the level of processing that will be entailed, and respect the rights of the data subject regarding to data retention and deletion. Under the NDPR, data subjects have rights to have access to the data you have on them.
They have the right to have inaccuracies corrected, the right to have the information or data you have on them as an IT processing company completely erased from your system. They have the right to prevent you from using their personal data for direct marketing purposes without first seeking their consent, they have the right to prevent you from automated decision making and profiling them without their consent and they have the right to data portability. The NDPR also protects children and other vulnerable members of the society.
So, if you collect information about children under the age of 13, you will need parent/guardian consent to process this data lawfully. So, IT companies managing personal information must focus on their data storage infrastructure, identify where personal data is located and try and build a consistent architecture to be able to track and monitor what becomes of the data. So, the point is as soon as IT companies process personal data, they will be held accountable for the use they make out of it. So, they are expected to have data breach notification templates.
