Companies Urged to Comply with Data Protection Regulation


Emma Okonji

ESET Nigeria has urged companies to comply with the Nigeria Data Protection Regulation (NDPR), insisting that compliance will impact data protection governance, information systems and security configuration, as well as documented policies and processes.

ESET emphasised that organisations, both public and private, that operate in Nigeria are expected to comply with the NDPR rules. These requirements are already in force, their implications are complex, and the potential penalties for non-compliance are severe, ESET warned.

The Managing Director, ESET Nigeria and Ghana, Mr. Olufemi Ake, who gave the warning during a recent Zoom conference organised to discuss how organisations can comply with the data protection regulations, stated that encrypting data and requiring additional authentication for access to data in organisations were a few ways to help in meeting the new data security and compliance rules.

The National Information Technology Development Agency (NITDA) introduced the NDPR and has enforced compliance with it since January 2019. The regulation sets the new requirements for the collection and processing of personal data and requires such activities to be in accordance with a lawful purpose consented to by the data subject.

Based on the enforcement, organisations have been mandated to put compliance measures in place within the first year of the regulation.

According to Ake, “Compliance with this regulation will impact data protection governance, information systems and security configuration, as well as documented policies and processes.”

He also listed the objectives of the regulation: to safeguard the rights of natural persons to data privacy; to foster safe conduct for transactions involving the exchange of personal data; to prevent manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.

Ake further said, “NDPR applies to all storage and processing of personal data conducted in respect of Nigerian citizens and residents and it covers transactions intended for the processing of personal data and to the actual processing of personal data and person(s) residing in Nigeria or residing outside Nigeria but of Nigerian nationality.

“Unlike the EU’s General Data Protection Regulation (GDPR), NDPR is not enforced on persons and organisations outside Nigeria that collect, store, or process data of Nigerians.

“The maximum penalty for breaches of data privacy rights on international transfers can be up to N10 million or two per cent of annual gross revenue of the preceding year, whichever is higher and based on the number of data subjects dealt with. Other massive losses that non-compliance could cause are reputation damage and prosecution of principal officers in the event of a severe data breach.”

Ake, however, affirmed ESET’s readiness to assist organisations with NDPR compliance.

According to him, “To ensure 100 per cent compliance, organisations should ensure the following solutions are deployed and proactively used.

“Organisations are keenly advised to get a data loss prevention solution to ensure that sensitive data is not lost, misused, or accessed by unauthorised users. Most importantly, the likes of ‘Safetica’ that classify regulated, confidential and business-critical data and identify violations of policies defined by organisations or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or NDPR.

“Finally, organisations should also deploy data encryption technologies, develop organisational policy for handling personal data and other sensitive or confidential data, protect emailing systems and ensure continuous capacity building for staff.”