THE IMPORTANCE OF DATA PROTECTION COMPLIANCE
By RONALDSON DIETE-SPIFF, ESQ
INTRODUCTION
Data protection compliance is the practice of ensuring that sensitive information collected by companies and organizations is stored and handled in a way that complies with legal and constitutional requirements as well as corporate business norms. It involves establishing rules that specify how data protection is accomplished in a company in accordance with current laws and regulations, so that personal information about individuals is protected and handled lawfully. Businesses frequently create internal guidelines outlining the steps necessary to comply with data protection laws.
To comply, an entity handling the personal information of data subjects must use the greatest care when collecting, storing, and managing the subjects’ sensitive or personal data. In this context, “personal data” refers to any information belonging to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, by means of a name, identification number, location data, online identifier, or by means of distinctive physical, physiological, genetic, mental, economic, cultural, or social characteristics of that natural person.
Businesses and their customers have greater trust when data privacy regulations are followed. Additionally, compliance spares the business heavy penalties and legal fees, as well as reputational damage and public humiliation. In order to comply with data protection laws, an organization must comprehend not only its contracts, policies, and legal agreements, but also its information technology, security, audit, and operational systems.
LEGAL FRAMEWORK
The Nigeria Data Protection Act 2023 (“NDPA”), which President Bola Ahmed Tinubu signed into law on June 14, 2023, is the main piece of data protection legislation in Nigeria. Other general legislation that affects data protection includes: The Constitution of the Federal Republic of Nigeria 1999 (as amended), The Nigeria Data Protection Regulation 2019 (“NDPR”), The NDPR Implementation Framework 2020, issued by the National Information Technology Development Agency (“NDPR Implementation Framework”), The Child Rights Act 2003, The Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, The Freedom of Information Act, 2011, The National Health Act, 2014 and The HIV and AIDS (Anti-Discrimination) Act, 2014.
In addition, sector-specific legislation affects data protection. It includes: The Consumer Code of Practice Regulations 2007 (“NCC Regulations, 2007”) published by the Nigerian Communications Commission (“NCC”), The Registration of Telephone Subscribers Regulations 2011, published by the NCC, The Consumer Protection Regulations 2020, issued by the Central Bank of Nigeria (“CBN”), Nigeria’s apex bank, The Lawful Interception of Communications Regulations, 2019 which was issued by the NCC, The Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020, issued by the NITDA, The Official Secrets Act 1962, The CBN Guidelines on Point of Sale Card Acceptance Services 2011, The CBN Regulatory Framework for Bank Verification Number Operations and Watch-List for The Nigerian Banking Industry 2017, The NITDA Guidelines for Nigerian Content Development in Information and Communication Technology 2019 (as amended), and The Credit Reporting Act 2017.
BACKGROUND
The Federal Republic of Nigeria’s 1999 Constitution, Section 37, guarantees and protects the right to privacy in the country by stating that “[t]he privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications is hereby guaranteed and protected.” A plethora of other general and industry-specific laws protect (informational) privacy. Many of these laws, most notably the 2019 Nigeria Data Protection Regulation (NDPR), which is currently the most extensive informational privacy/data protection law in existence, are created and implemented by the National Information Technology Development Agency (NITDA), the nation’s preeminent information technology organization.
It is standard procedure for the majority of websites that provide online services to request personal information in order to create online accounts that allow users to make concurrent purchases and carry out other online activities. The typical person has access to a wide range of online services that demand personal information, including email accounts, banking or finance apps, social media accounts (like Instagram and Facebook), online marketplaces like Amazon and Jumia, and betting companies like Betway and Naira Bet.
HOW ARE DATA PROTECTION LAWS ENFORCED IN NIGERIA
According to the Nigerian Constitution, a data subject may exercise his or her right of redress and fundamental rights to privacy. A data subject who feels wronged by the actions of a data controller or processor may file a complaint with the Commission, according to Section 46 of the NDPA. Nigeria clearly needs a robust enforcement ecosystem that supports administrative fines and victim compensation in addition to a robust data protection statute, as evidenced by the evaluation of the country’s institutional framework for data protection.
In Nigerian courts, data protection is justiciable regardless of the legal classification (basic right or tort) assigned to it. The Federal High Court of Nigeria ruled in Incorporated Trustees of Laws and Rights Awareness Initiative v. National Identity Management Commission (NIMC) that a data subject can lawfully sue for breach of his data under the NDPR. Under the NDPR, victims of privacy rights violations can seek redress in court without prejudice to the proceedings of the Administrative Redress Panel (ARP).
The Federal High Court of Nigeria and the High Court of a State both have concurrent jurisdiction over data protection issues, even though the NDPR does not expressly name a single court with this authority. There is, however, no Court of Appeal ruling regarding the status of the NDPR and the court with necessary jurisdiction to enforce data protection rights, particularly in the absence of primary legislation on the subject. The Ogun State High Court incorrectly declined jurisdiction over the NDPR in favor of the Federal High Court in two separate decisions rendered in 2020. Nigeria’s data protection case law is still in its infancy, and the appeal courts have not yet adopted a clear stance about the types of data protection rights that are granted.
CONCLUSION
Since it safeguards people’s right to privacy and averts data breaches, compliance with data rules and regulations is essential. Serious consequences, including fines and damage to one’s reputation, may arise from noncompliance.