By Michael Irene, PhD
Data protection regulation has come to stay. It helps data protection authorities like the National Information Technology Development Agency (NITDA) regulate and audit data processing in companies. Many company stakeholders in Nigeria claim they are compliant with the new Nigerian data protection regulation but, upon closer inspection, one notices serious gaps in their frameworks. Over eighty percent of Nigerian companies are not compliant with the Nigerian Data Protection Regulation and Europe’s General Data Protection Regulation (GDPR). Some indicative signs show that a company needs help with data protection in Nigeria.
Your company processes millions of data records every day, including health information, religious beliefs and biometric data. Do you know who handles these data sets, and have you considered the right identity and access management techniques? Are you aware of the security measures employed to protect these data sets? Do you have a robust Records of Processing Activities (ROPA) register? Do you know how the data is collected? If you can’t give clear answers to these questions, you need help.
You are a bank, a hospital or a large organisation, and you have more than two hundred staff. This means you have many individuals carrying out many different daily tasks. Have they been trained? Do they understand their duties concerning data protection principles? Is there a data champion? How often is training done? Sensitising staff is an important compliance mechanism in the data protection framework. If you can’t train your staff, seek external help.
What types of policies do you have? Do you know whether you have the right policies? The company should have appropriate documented policies that set out and explain its procedures for securing compliance with the Nigerian data protection regulation. When a company executive looks around and finds there are no policies explaining, for example, how staff should handle a breach, then a data protection expert should be sought.
Have you carried out a data protection audit? A data protection audit provides an assessment of whether the organisation is following good data protection practice. Audits play a key role in helping organisations understand and meet their data protection obligations. An audit looks at whether the company has effective controls in place alongside fit-for-purpose policies and procedures that support its data protection obligations. If an organisation doesn’t know whether its procedures align with its policies, then it needs help with data protection.
You can’t decide whether you need an in-house data protection officer or whether outsourcing the role is the better step. Having gone through your audit, you have found that you process large volumes of information daily and can’t decide whether you need a data protection officer or a chief privacy officer. To save extra cost, a company should understand the implications of having an in-house data protection expert versus simply outsourcing the data protection management of its procedures. Seek the right guidance.
You can’t get your business processes to align with the regulation. You have tried but still feel something is missing. Business processes, no matter how complex, can be rebuilt to meet the data protection principles. If, after trying a couple of steps, you can’t reconcile the regulation and the processes, then seek external assistance.
This is not an exhaustive list. There are other indications: for example, Data Protection Impact Assessments (DPIAs), Data Subject Access Requests (DSARs) and cybersecurity analysis must be part of the data protection package. Does your company include these in its data protection toolkit? If not, seek external help.
*Dr. Irene is a Data Protection Consultant and writes from London.
Equities November 21, 2019