Anxiety Heightens in Nigeria over EU’s GDPR Law
The May 25, 2018 deadline for the commencement of the General Data Protection Regulation (GDPR) law for European (EU) countries has continued to raise anxiety among businesses in Nigeria and beyond.
There are fears that the law will affect businesses in Nigeria, especially businesses that have international partnerships with foreign countries, which directly or indirectly have business affiliations with EU countries. Their fear stemmed from the global compliance with the law because of the heavy penalty that will come with the breach of the law when it takes effect from May 25, 2018. Some Nigerians are of the opinion that most businesses outside EU, including Nigeria might be grounded by the time the law takes effect. The GDPR law which was drafted April 2016, had two years of grace period for EU countries, and will take full effect including its penalties from May 25 this year. Although the law seeks to protect personal identifiable data for big and small organisations, it however comes with heavy penalty for breach, and Nigerian businesses with international affiliations are not prepared for the implementation yet, a situation that is creating panic among business owners in Nigeria and beyond. The law which is meant to change the face of global businesses, will certainty disrupt the operational modules of organisations that will be compelled to hire Data Processing Officers (DPOs) to manage data processing in organisations. It is estimated that over 75,000 DPOs will be employed globally to effect the necessary organisational changes that will come with EU’s GDPR law.
Microsoft had earlier in the week, raised awareness among Nigerian businesses about the law, but an Information security consultant and Chief Executive Officer, Petrovice Resources, Adesanya Ahmed, reasons that Article 3 of EU defines territorial scope. According to him, “The article states that organisations must comply with GDPR if they offer goods or services to EU citizens, even without payment, or monitoring the behaviour of EU citizens.
“The starting point should be to determine whether the organisation process personal data of EU citizens, either as a controller or processor of data, or whether a part of your organisation operate within the EU borders.
“If answer to one of the questions is yes, then it does not matter were your business headquarters are located. As long you are in the place were member state law applies by virtue of public international law, you need to comply with GDPR,” he added. He noted that complying with GDPR protects Nigerian organisations from not being sanction in global trade. For Instance, EU adopted a global best practice like: PCI DSS for risk management and also for cloud computing environments while the National Information Technology Development Agency (NITDA) in Nigeria, adopted COBIT 5 of ISACA as a regulatory framework.
“When adopting these regulations, it is advantageous for an enterprise to have a solid governance function in place, to help with implementation and execution. And if the organisation lacks that structure, GDPR compliance is a good reason to begin creating that structure in your enterprise.”