By Michael Irene, PhD
Nigerian Information Technological Development Agency’s (NITDA) ability to gain and deploy sufficient knowledge to data subjects and companies about new developments in the Nigerian Data Protection Regulation(NDPR) is an important consideration now and for the future. Without it, companies, individuals and even legislators will be confused about the role of data protection in the grand scheme of things. Yet, NITDA’s capacity to inform, educate and equip the public and companies with these developments is questionable. So far, there has not been much in terms of the latest developments within NITDA about data protection. Improvements in creating awareness, therefore, is a matter of concern, especially given the Nigerian Data Protection Regulation’s demands on companies.
One of the most distinctive features of NITDA is their assignment to monitor both private and public businesses in Nigeria with regards to their management of datasets in their possession. NITDA faces a difficult task when fulfilling these missions and acting as guardians for both companies and data subjects. A structured approach to disseminating information is key if NITDA must move forward in ensuring that companies align with NDPR requirements.
From various engagement with company executives, there is an almost disregard for the NDPR and a large confusion as to what exactly to do to be compliant. Most company executives believe that there is not enough information as to what is expected of them. They claim that there is a dearth of information about data protection. In other countries, some company executives claim, there is ample information that guides and informs companies about the development. A visit to the NITDA website says nothing interesting or new about data protection.
Any data protection system must be supported by the governing body through a rigorous awareness program. For example, NITDA should: (1) engage in social media campaigns explaining how they help individuals guard against senseless privacy intrusions from Nigerian companies (2) constantly create educational materials with copious guidance notes for companies (3) Write reports on how it is working with the government to ensure that their position is respected by companies(4) Create regular workshops or conferences covering the data protection issues in Nigeria. (5) Make companies aware of audit reports that must be submitted to NITDA about their data protection compliance framework.
The new Nigerian Data Protection Regulation has provided Nigerians with a range of rights enforceable against organisations processing their data. Yet, a good percentage of Nigerians are unaware about the Nigerian Data Protection Regulation and those who are aware, doubt that that’s something that would be taken seriously in Nigeria.
How many Nigerians know that they can object to the processing of their personal data for marketing purposes? How many Nigerians know they can access their data and have the data transferred to another data controller(data portability)? How many Nigerians know they can obtain the information held about them? How many know they can request that their data be deleted? How many know they can withdraw consent to the processing of their data or lodge a complaint with NITDA? If one were to hazard a guess, at least less than twenty percent understand their rights or what the new Nigerian Data Protection Regulation represents. NITDA must do more to create a wide-spread awareness about the data protection regulation.
*Dr. Irene is Data Protection Consultant and writes in from London.