By Michael Irene, PhD
Any data privacy regulation raises confusion, second thoughts and, sometimes, haphazard conclusions. This has been the case around the world. National data protection authorities, however, typically rise to the occasion and clear up these areas of confusion.
Last week, in my article, I argued that NITDA, as Nigeria’s designated data protection authority, is not doing enough to inform companies and the general public about the role of the Nigerian Data Protection Regulation (NDPR). In this piece, I highlight a few areas of the regulation that may cause confusion and require further guidance.
Let’s delve into those areas. In Part Two, under lawful processing, the regulation states that processing of personal data is lawful if it “is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.” The first limb is clear enough: where the data subject is party to a contract, a data controller or data processor may process the personal data needed to meet the contractual obligations. The second limb, however, is open to interpretation. “Prior to entering into a contract” could mean one of two things: (1) the data subject has not yet entered into the contract, or (2) the data subject is still deciding whether to enter into it at all. How much processing is “necessary” at that stage, and for how long it may continue if no contract is ever signed, is not spelt out. Live scenarios and examples are needed to explain such points.
Again, with regard to Due Diligence, section 2.4 of the regulation states that:
“A party to any data processing contract, other than an individual data subject, shall take reasonable measures to ensure the other party does not have a record of violating the principles set out in Section 5 and he is accountable to NITDA or a reputable regulatory authority for data protection within or outside Nigeria; accordingly, every Data Processor or Controller shall be liable for the actions or inactions of third parties which handles the personal data of Data Subjects under this Regulation;”
The above needs clear guidelines with copious examples. Another clause in the regulation does require a data processing contract to be signed with the third party, but the question remains: what should the terms of that contract be? Are there templates from NITDA that can guide companies? How should the obligations and roles of controller and processor be defined in the engagement? These questions are not exhaustive; more can be raised, and answered, in a guide built around scenario situations.
Where a breach has been reported, the regulation states that any party involved must respond to the allegations made against it within seven days. Are these seven working days, or do they include the weekend? From when does the clock start? And what happens when a company only finds out about the allegations after the seven days have elapsed?
In terms of breach management, there needs to be clear-cut direction for companies to follow. If, for example, a data controller (a company that collects or processes personal data) discovers a breach within its systems, there are certain steps it must take. NITDA should set out those steps clearly for companies.
Let’s assume that XYZ Company discovers a breach in its Human Resources Information System (HRIS) and contains and remediates it immediately. Does it still have to report the breach to NITDA? If the breach does not endanger the lives of its employees, should it be reported at all? The regulation does not say, and NITDA should look at how it can serve companies and support them on their compliance journeys.
In Part Three, under Implementation Mechanisms, the regulation states that all data controllers should make “available to the general public their respective data protection Policies.” This requirement assumes that companies already understand what a data protection policy is and what it should contain. In my experience, most company executives do not. Whom should these policies address, and what must they cover at a minimum?
Data Protection Compliance Organisations (DPCOs), as described in the regulation, “shall on behalf of the Agency [NITDA] monitor, audit, conduct training and data protection compliance consulting to all Data Controllers under this Regulation.” Are there standards that DPCOs must maintain? At the moment, there is no rule book on how DPCOs should act and manage their relationships with their clients and with NITDA.
NITDA must develop a corporate communication model aimed at both the general public and companies. The important component of this new function, as I stated last week, is to raise awareness of the regulation, educate the public and guide companies on their compliance journeys.