The NDPR isn’t perfect but it’s a step to data protection for Nigeria
With its huge population, often estimated at 200 million, Nigeria is a data miner’s treasure field. On a daily basis, millions of critical information are giving away by Nigerians to local and international businesses, government agencies and institutions, most of which are unaccounted for. The lack of accountability also means people’s information are getting into the wrong hands and are being used to target them for fraud and other criminal activities online.
In 2015, Nigeria witnessed 2,175 cyber attacks. In the same year, 14 percent of internet users suffered a form of cyberattacks. In 2017, the country was ranked third - behind the US and UK - in the world for cybercrime according to the Nigerian Communications Commission (NCC). Cyber-attack cost the Nigerian economy about $500 million per annum.
Experts at a recent data security roundtable organised by Bloomfield Law in collaboration with Citrix said there is no going back on data protection for Nigeria and that an overarching policy to hold data handlers accountable was long overdue. Until recently, only the 1999 Constitution was the only legal document that referred to data protection.
“Data is the new oil and no business can survive today without access to data,” Ayodele Oni a partner at Bloomfield said.
The Nigerian Information Technology Development
Agency ( NITDA) in 2013 had moved to address data insecurity with a Guideline on Data Protection policy in 2013. But the guideline was largely considered a failure as its provisions were not able to hold industry players accountable and protect people’s data.
In January 2019, NITDA released the Nigeria Data Protection Regulation (NDPR), which is to a large extent a mirror of the European Commission’s General Data Protection Regulation (GDPR). The NDPR has been described by many stakeholders as the most comprehensive generally applicable legislation on data protection in Nigeria. It prescribes the minimum data protection requirements for the collection, storage, processing, management, management, operation and technical data in Nigeria.
Olufemi Daniel a senior legal officer for NITDA and one of the creators of the NDPR said the principle behind the regulation is to drive investment by ensuring local businesses are competitive globally; keep people’s information safe and prevent manipulation of data.
“We want to build a data culture in Nigeria,” he said. “What we have tried to do is to create opportunities for the private sector.”
The NDPR defines data as characters, symbols, and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals is stored in any format or any service.
While stakeholders agree with Daniel that a new data culture will drive investment, they say collaboration between NITDA and the private sector has not been one hundred percent.
“There is a lack of synergy among stakeholders,” said Fatai Tella, chief data officer, Sterling Bank Plc. “We need to sit down and ask what we are solving? What are the data breaches that should necessitate a policy?”
The lack of uniformity in data control is also a major challenge according to Tella as it exposes individuals and businesses to multiple entry points. However, Olufemi Oyenuga, chief Customer Enterprise Architect, Oracle Nigeria, said the existence of many buckets of data was not exclusive to Nigeria. The difference is that whereas the countries in the western world have attained a certain level of maturity in the handling of buckets of data, Nigeria is still on the way.
NITDA had also in the past created policies that rubbed off wrongly on businesses. In some cases, the agency’s inability to respond proactively to changing industry environment contributed to the erosion of profitability of companies in the IT sector. For instance, the lack of clarity on what constitutes critical infrastructure and making policies to protect them continues to be a sore spot in NITDA’S relationship with many telecom operators.
“There are a multiplicity of policies, but we’ve yet to see the impact,” said Ifeloju Alakija, head, Regulatory Services, Mainone. “We do not have a regulation that protects the technology infrastructures in this country.”