The National Information Technology Development Agency is in the process of issuing a new guideline on data protection, the Director-General of the agency, Dr. Isa Ibrahim, has said. In a statement made available to our correspondent in Abuja on Monday, 19th of February 2018, Ibrahim stated that the existing guideline, which was issued in 2013, was being revised. He noted, “Organisations are required to note that the provisions of the NITDA Guidelines on Data Protection issued in 2013 are currently being revised.
“In an effort to make the agency’s rule-making process transparent and industry-focused, the revised guideline will soon be presented for stakeholder consultation as stipulated in the Rule-making Process Regulation of the NITDA.”
Ibrahim also highlighted the implications of the new European Union General Data Protection Regulation on Nigerian businesses, especially those that collect, store and process personal data of EU citizens. The regulation, which was adopted on April 27, 2016 and becomes enforceable from May 25, 2018, replaces the data protection directive of 1995.
It applies whether the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, such as data centres) or the data subject (the person whose personal data has been collected) is based within or outside any EU member state (if they collect or process personal data of EU citizens and residents).
Ibrahim said, “The agency (NITDA) has realized that this regulation might have a huge impact on Nigerian businesses and/or individuals that use information technologies to collect, store, process and transact on EU citizens’ personal data in EU territory or elsewhere.
“It is in the utmost interest of the agency to protect Nigerian businesses from unnecessary exposure to the risks of this regulation and/or any regulations that might have a negative impact on their businesses as well as the rights of Nigerians that have dual citizenship of any EU member state.
“The regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language.”
He added, “A breach of the regulation can attract a fine of up to four per cent of a company’s annual global turnover or an equivalent of €20m. Furthermore, companies can be fined up to two per cent for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.”
“The regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them were being processed, where and for what purpose. They also have the right to transmit data they had previously provided to another controller.”
The NITDA boss therefore called on Nigerian businesses, especially those carrying out online transactions, to meet the GDPR compliance criteria by putting in place appropriate measures to observe the provisions of the regulation, so as to avoid being sanctioned for a breach.