By Michael Irene, PhD
If anything, data protection compliance is something slightly new in Nigeria. It is new because Nigerian Data Protection Regulation (NDPR) is in its infant stages. As such, data compliance is relatively a new concept. The chance of any Nigerian company attaining a hundred percent compliance is minuscule.
This article points out, in brief detail, certain data compliance areas companies may want to focus on. One major difficulty in the compliance journey is consent management. There are many reasons for this. First, most companies find it hard to keep a consistent record of how, why and when consent was collected from the data subject. Companies must demonstrate that data subject gave affirmative action – either by opting-in or opting out – that their data can be processed for a performance of a service or contract. It is also good practice for companies to have consent registers to record various consent issues or use third party SaaS platforms for consent management.
With regards to breaches, it is not “if” they happen but when they happen. Most companies believe they are breach-proof. However, the expanding technological landscape in the twenty-first-century exposes companies to sophisticated levels of breaches. Exposure can come from anywhere and anyone. The question is: are there measures to protect or stop them?
For example, a company became aware that they were the victim of unauthorised third-party access to a g-mail account of one of their staff members. The staff member’s email account contained some customer data. Based on the investigation performed, it was believed that the purpose of the unauthorised access was to conduct a phishing campaign from the account, rather than to access and remove data. Customers whose data was potentially compromised were 2,512 customers as at the time when the hack was discovered. However, because there were no treatment strategies in place, or guidelines to follow when such an attack took place, staffs and management ran around in unguided forms and watched as the number of affected customers increased. Before treatment, over 10,000 customers were affected. This leads to litigations, reputation damage and financial losses. It is, therefore, never ‘if” but “when” and when it does, is the company ready to tackle or manage a breach.
Retention schemes are another important part of compliance. Companies must realise that they do not have to hold on to data for long periods. They must have in place retention policies and procedures. Often, as I have found from experience, most companies tend to write retention policies; however, when the policies are put to practical tests, they fails. For example, an insurance company claimed that after a data subject enquires about their products via their web-form they usually keep the customer’s information for thirty-days. If the individual turns into a customer, they update their registers and if the customer fails to purchase products, the customer’s data is deleted. Upon investigation, it was found out that the company still retains this information for more than thirty days following legal obligations. However, their retention policies stated something different. Compliance is not about putting fine words together, it is about ensuring that protocols are in place to back these words.
Data compliance is a vital attribute for those Nigerian companies that wish to be data protection compliant or who wish to achieve anything worthwhile in the data protection scheme of things. Any such acknowledgment is not a weakness of the company’s procedure; it is a sign of clear management thinking.
I have highlighted some areas that need compliance. That is not an exhaustive list. A data mapping exercise, as described in my last article, would reveal areas of concern to the company and would drive the company towards a holistic compliance journey.