Daily Trust Sunday

EU’s data regulation: What Nigerians should know

Last week the National Information Technology Development Agency (NITDA) alerted Nigerians to the European Union’s new data regulation. How does it really concern Nigerians?

- By Zakariyya Adaramola

When the National Information Technology Development Agency (NITDA) alerted Nigerians to the European Union’s new data regulation last week, not a few Nigerians asked how it concerned them.

The agency brought to the attention of Nigerian businesses, especially those that collect, store and process personal data of European Union (EU) citizens for the provision of goods and services, and the general public, the implications of the new EU General Data Protection Regulation (GDPR), it said.

The regulation, which was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, replaces the data protection directive of 1995.

It applies whether the data controller (an organization that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, such as data centres) or the data subject (the person whose personal data has been collected) is based within or outside any EU member state, if they collect or process personal data of EU citizens and residents, according to NITDA.

The NITDA’s Director General, Dr Ali Isa Ibrahim Pantami, in a statement, said it was in the utmost interest of the agency to protect Nigerian businesses from unnecessary exposure to the risks of the new regulation.

According to Dr Pantami, failure to follow the new regulation may affect businesses in the country.

“The regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection.

“It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language”, Dr Pantami said.

According to him, a breach of the regulation can attract a fine of up to 4% of a company’s annual global turnover or an equivalent of twenty million euros (€20 million).

“A breach of the regulation can attract a fine of up to 4% of a company’s annual global turnover or an equivalent of twenty million euros (€20 million). Furthermore, companies can be fined up to 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment”, he said.

Explaining the new regulation, he said: “The regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

“They also have the right to transmit data they had previously provided to another controller. Furthermore, they are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

“Therefore, NITDA is calling on Nigerian businesses, especially those carrying out online transactions and meeting the Guidelines on Data Protection (GDPR) compliance criteria to put in place appropriate measures to observe the provisions of this regulation to avoid being sanctioned for a liable breach. Organisations are also required to note the provisions of the NITDA Guidelines on Data Protection, issued in 2013 and currently being revised. In an effort to make the Agency’s rule making process transparent and industry-focused, the revised guideline will soon be presented for stakeholder consultation as stipulated in the Rulemaking Process Regulation of NITDA.”

The agency, he explained, has realized that this regulation might have a huge impact on Nigerian businesses and/or individuals that use Information Technologies to collect, store, process and transact on EU citizens’ personal data in EU territory or elsewhere.

It is in the utmost interest of the agency, he further said, to protect Nigerian businesses from unnecessary exposure to the risks of this regulation and/or any regulations that might have a negative impact on their businesses as well as the rights of Nigerians that have dual citizenship of any EU member state.

It called on Nigerian organisations that are controllers and processors of personal data of EU nationals to note that companies that meet the following criteria must comply:

• have offices in an EU member state;

• have no offices in any EU member state but process personal data of EU nationals and residents;

• have more than 250 employees; and

• have fewer than 250 employees but their data processing impacts the rights and freedoms of data subjects or occasionally includes certain types of sensitive personal data.

The regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language.

The regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. They also have the right to transmit data they had previously provided to another controller. Furthermore, they are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

The National Information Technology Development Agency (NITDA) is an Agency of the Federal Government of Nigeria. The Agency was created in April 2001 to implement the Nigerian Information Technology Policy and co-ordinate general IT development and regulation in the country. Specifically, Section 6(a & c) of the Act mandates NITDA to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation and regulation of Information Technology practices, activities and systems in Nigeria; and render advisory services in all information technology matters to the public and private sectors.

But a cybersecurity expert who spoke with our reporter on what the new regulation entails said it is no big deal.

Mr Oluseyi Akindehinde, the Chief Technical Officer of Digital Encode, told Daily Trust the regulation is just about ensuring the safety of European citizens’ data and documents.

According to him, Nigerian businesses that keep records of Europeans’ data have nothing to fear if they are engaged in genuine business.

He called on the federal government to emulate the EU by tightening our cyber security regulation and making it difficult for Nigerians’ data to be compromised.

Another expert, Michael Oseji, said banks and other financial institutio­ns in the country are vulnerable to cyber-attacks as cyber security in Nigeria is next to nothing.

Nigeria is facing increasing cyber security threats from within and outside the country and only “proactive measures from the government, using the right experts, can stem the tide against the criminals”, Mr Oseji, who is an expert in cyber security, added.

He stated that 70 per cent of Nigerians have their data online and most of these data are at the mercy of criminals.

The expert accused Nigerian firms and MDAs of downplaying the huge cyber security threats they face.

“It is real and the earlier they own up and find a solution to it, the better for them. CBN alone lost N40 billion naira in 2015 to cyber attacks, so the threat is actually real and government needs to engage the right people to combat it”, he said.

But Andreas Linde of Sweden-based Advenica, a cybersecurity firm, said cyber security is global and Nigeria is not alone in it.

He said the likelihood of cybercriminals getting caught is minimal once the crime is committed.

He said most organisations don’t even know they are under attack, adding that the best solution to cybercrimes is prevention.

He said it will take an average of between four and nine months for a very good cyber security expert to detect an attack from a hacker.

Another expert, Mr Remi Afon, said that to reduce cybercrimes, the government should enact a data protection regulation which makes it compulsory for all organisations to put in place a strong data protection strategy.
