Introduction

With the rapid advancement of technology, and breakthroughs such as the digitalisation of data and the electronic transmission and storage of personal data, it has become imperative for every organisation engaged in data processing operations to develop appropriate policy documents for governing those operations. Data protection policies set out an organisation's rules, guidelines, procedures and standards for data protection compliance.2 They also evidence management's support for, and its direction and approach towards, data protection compliance.3

Under the Nigeria Data Protection Regulation ("NDPR" or "the Regulation"),4 all entities that process the personal data of natural persons were required to make their respective data protection policies available to the general public within three (3) months after the date of issuance of the Regulation.5 In the same vein, every organisation is required to conduct an in-depth audit of its privacy and data protection practices, and each audit must, at a minimum, state the organisation's policies and procedures for privacy and data protection.6 In this regard, every organisation involved in data processing is expected to develop the data protection policies listed below for effective compliance with the requirements of the NDPR.

Some relevant data protection policies required under the NDPR

  1. Data Protection Impact Assessment (DPIA) Policy

A DPIA Policy is one of the essential data protection policies that an organisation should prepare, especially where it intends to embark on projects that may involve the intensive use of personal data.7 The purpose of conducting a DPIA is to identify the areas where data breaches are likely to occur once the project commences and to develop a strategy for addressing those risks.8 DPIAs are required to be conducted periodically on an organisation's processes, services and technology, to ensure continuous compliance.9 A DPIA may be required in the following circumstances: "for evaluation or scoring (profiling); automated decision-making with legal or similar significant effect; systematic monitoring; when sensitive or highly personal data is involved; when personal data processing relates to vulnerable or differently-abled data subjects; and when considering the deployment of innovative processes or application of new technological or organizational solutions."10

A DPIA is expected to contain the following information:11

  1. A description of the envisaged processing operations;
  2. The purposes of the processing;
  3. The legitimate interest pursued by the controller;
  4. An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  5. An assessment of the risks to the rights and freedoms of data subjects;
  6. Risk mitigation measures proposed to address the risks.

  2. Privacy Policy

Every organisation that processes personal data is required under the NDPR to develop and display a simple and conspicuous privacy policy in any medium through which personal data is collected or processed.12 Such a policy is required to be unambiguous and easy for the category of data subjects targeted to comprehend and interpret.13 A copy of an organisation's privacy policy is expected to be published on its website so that it is easily accessible to the targeted data subjects.14 Apart from publication on its website, an organisation's privacy policy can be published through any one or a combination of the following: in digital media; posted at conspicuous parts of the data controller's business premises; by reading or providing a copy to the data subject; or publication in any public media.15

It is pertinent to note that the privacy policy of a data controller or processor must contain the following:16

  1. what constitutes the data subject's consent;
  2. description of collectable personal information;
  3. purpose of collection of personal data;
  4. technical methods used to collect and store personal information (cookies, JWTs, web tokens, etc.);
  5. access (if any) of third parties to Personal Data and purpose of access;
  6. a highlight of the principles of data processing in the NDPR;
  7. available remedies in the event of violation of the privacy policy; and
  8. the time frame for remediation.

In addition to the above, an organisation's privacy policy is expected to identify the type of personal data collected by the data controller or processor, how the personal data is processed, who processes the personal data, the security standard implemented by the data controller or processor, etc.17 It should be noted that data controllers or processors whose processing activities are targeted at children should ensure that their privacy policy is written in a child-friendly manner, so that children and their guardians clearly understand the data processing activities before giving their consent.18

  3. Internal Data Protection Policy

An internal data protection policy is developed to help relevant stakeholders within an organisation understand the entity's direction in respect of handling personal data: its collection, processing, storage, etc.19 It identifies the measures they are expected to take to ensure that the organisation's direction on the management of personal data is achieved. It is expected to be circulated among all members of staff and the relevant third parties involved in the organisation's processing operations.20

  4. Information Security Policy

The NDPR requires any entity involved in data processing operations to develop an information security standard and an organisational policy for handling personal data.21 Such policies are required to incorporate security technologies and measures for protecting systems from hackers, setting up firewalls, storing data securely with restricted access, employing data encryption technologies, and pseudonymising and anonymising data, etc.22 There are various kinds of information security policies an organisation can develop, some of which include: a Network Security Standard, an Encryption Key Protection Policy, a Remote Access Policy, an Information Transfer Security Standard, an Anti-Malware Security Policy, etc.23

Conclusion

The formulation of data privacy policies is a major step an organisation can take towards data protection compliance. It signals an organisation's willingness to safeguard the personal data in its custody and to comply with the applicable data privacy laws and regulations. However, the preparation of these policies requires a level of skill, training and expertise that may not be readily available internally to most corporate entities without adequate support. It is therefore essential for organisations involved in data processing operations to engage a Data Protection Compliance Organisation (DPCO), or an individual with sufficient knowledge, skill and expertise in data policy drafting, to prepare the data privacy and protection policies required of the organisation under the applicable data protection law(s) and regulation(s).

Footnotes

1. Sandra Eke, Associate, Intellectual Property & Technology Department, SPA Ajibade & Co., Lagos, Nigeria.

2. ITPro, "Data protection policies and procedures" https://www.itpro.co.uk/data-protection/28177/data-protection-policies-and-procedures accessed 15 December 2021.

3. See Para. 3.2(vi) NDPR Implementation Framework.

4. See Nigeria Data Protection Regulation (NDPR), 2019, available at: https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf accessed 10 December 2021.

5. See Art. 4.1(1) NDPR.

6. See Art. 4.1(5)(h) NDPR.

7. See Para. 3.2(viii) NDPR Implementation Framework.

8. Ibid.

9. Ibid.

10. See Para. 4.2 NDPR Implementation Framework.

11. See Art. 4.1(5) NDPR Implementation Framework.

12. See Art. 2.5 NDPR. See also, Para 13.2 NDPR Implementation Framework.

13. See Bisola Scott and Oreoluwa Adebayo, "Data Protection Rights and Obligations in an Employer - Employee Relationship in Nigeria" available at: http://www.spaajibade.com/resources/data-protection-rights-and-obligations-in-an-employer-employee-relationship-in-nigeria-bisola-scott/ accessed 19 December 2021.

14. See Para 3.2(iv) NDPR Implementation Framework.

15. Ibid.

16. Ibid.

17. See Para 5.2(a) NDPR Implementation Framework.

18. See Para 5.5 NDPR Implementation Framework. See also, Art 3.1 NDPR.

19. See Para 3.2 (vi) NDPR Implementation Framework.

20. Ibid.

21. See Art. 2.6 NDPR.

22. Ibid.

23. KirkPatrickPrice, "15 Must-Have Information Security Policies" available at: https://kirkpatrickprice.com/blog/15-must-have-information-security-policies/ accessed 17 December 2021.

Originally published 21 December, 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.