Data Protection: What Startups In Nigeria Must Do To Be Data Privacy Compliant

In March this year, the Nigerian Information Technology Development Agency (NITDA), the body which, for now, regulates all activities related to data collection and protection, did the uncommon: it imposed a fine of ₦5 million ($13,123) on a financial services provider, Electronic Settlements Limited, for a data protection breach.

In fact, NITDA did not stop there; it proceeded to place the fintech company, which is behind products like Paypad, a mobile Point of Sale (mPoS) service, and CashEnvoy, a web payment gateway, under intense six-month oversight.

NITDA’s action was uncommon because, before then, punishment for data protection breaches in Nigeria had been rare and seemed far-fetched.


In fact, after that incident, the agency quickly published an implementation guide on the rules on data protection (passed in 2019 as the Nigeria Data Protection Regulation, NDPR) to show it means every bit of its words on data protection in Nigeria.

Therefore, to help Nigerian tech startups comply substantially with the laws on data privacy, it is important to clarify how Nigeria’s regulatory ecosystem for data privacy works in practice.

Nigeria data protection startups
Source: PrivacyMatters


COMPLIANCE AREAS, WITH THEIR REQUIREMENTS, OTHERS/DOCUMENTATION AND REPORTING TIMELINE/AUTHORITY

1. Consent

Requirements:
- Obtain positive consent from the data subject at every point of data collection. Consent is positive if it allows the data subject to act on it.
- Consent must be explicit and never implied, such as through the use of a “tick-box” or “opt-in box”.

Others/Documentation:
Consent is required:
- for any direct marketing activity, except to existing customers of the Data Controller who have purchased goods or services;
- for the Processing of Sensitive Personal Data;
- for further processing;
- for the processing of the personal data of a minor;
- before personal data is processed in a country which is not in the Whitelist of Countries published by NITDA from time to time;
- before the Data Controller makes a decision based solely on automated Processing which produces legal effects concerning or significantly affecting the Data Subject.

2. Security

Requirements:
- Adhere to relevant security standards while protecting the company’s data. Adherence may be verified through data security certifications pursuant to standards such as ISO 27001, SOC2, etc.

3. Data Protection Impact Assessment (DPIA)

Requirements:
- Conduct a DPIA whenever intense use of personal data is involved.
- Specifically in Nigeria, conduct a DPIA if data processing involves:
  a) evaluation or scoring (profiling);
  b) automated decision-making with legal or similar significant effect;
  c) systematic monitoring;
  d) when sensitive or highly Personal Data is involved;
  e) when Personal Data Processing relates to vulnerable or differently-abled data subjects; and
  f) when considering the deployment of innovative processes or application of new technological or organizational solutions.
- A DPIA is required for highly sensitive personal data such as: biometric data; data related to sexual preferences; genetic data; health data; political opinions; race and ethnic origin; religious or philosophical beliefs; trade union memberships.
- Where the origin of the sensitive data is a country other than Nigeria, conduct the DPIA in accordance with the rules and regulations of the foreign country.

Others/Documentation:
- DPIA report and approval obtained from NITDA for collecting data under paragraphs (a) to (f) in the requirement section.
- Assessment reports may be facilitated by software such as Smartsheet, OneTrust, TrustArc and Tugboat Logic.

4. Internal Data Protection Policy

Requirements:
- Develop and circulate an internal data protection policy to staff and vendors, especially as it concerns the collection and processing of Personal Data.
- In the policy document, outline the steps they are to take to ensure the organisation’s direction is achieved and maintained; methods of responding to a data breach, etc.

5. Data Protection Officer

Requirements:
- Appoint a data protection officer (DPO) if:
  a) the core activities of the organisation involve the processing of the Personal Data of over 10,000 (ten thousand) Data Subjects per annum;
  b) the organisation processes Sensitive Personal Data in the regular course of its business; or
  c) the organisation possesses critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of Personal Data.
- If the Nigerian company is a subsidiary of an international company, appoint a data protection officer to be based in Nigeria. Also, give the Nigerian DPO full access to the entire data management system of the international company.

Others/Documentation:
- The DPO shall not be liable if the company fails to comply with data protection rules.
- The DPO shall oversee the entire data protection practices of the company.

Reporting timeline/authority:
- Appoint the DPO within 6 months from starting a business or within six months from November, 2020.

6. Offshore Data Transfer/Sharing

Requirements:
- Make sure the country of data transfer/sharing falls within NITDA’s White-List.
- Obtain an adequacy decision from the Attorney-General of the Federation through NITDA.
- Where the destination of transfer falls outside the White-List, present verifiable consent documents to NITDA.
- Implement a Binding Corporate Rule (BCR) or sign and submit Standard Contracting Clauses (SCC) to NITDA where the personal data transfer is to a foreign subsidiary or headquarters.

Others/Documentation:
Documents for approval of transfer:
  (i) the list of countries where the Personal Data of Nigerian citizens and residents are being transferred to in the regular course of business;
  (ii) the data protection laws of the relevant data protection office/administration of such countries listed in (i) above;
  (iii) the privacy policy of the Data Controller, which is NDPR-compliant;
  (iv) an overview of the encryption method and data security standards; and
  (v) any other detail that assures the privacy of Personal Data is adequately protected in the target country.

Reporting timeline/authority:
- Transfer reported to NITDA on a case-by-case basis.
- BCR or SCC submitted separately on each occasion or included in the data audit report.

7. Third Party Risk Management

Requirements:
- Enter into data processing agreements with third parties for every data sharing. In the third party agreement, ensure that clauses on data use only permit third parties to process expressly authorized data. The agreement must also grant the party sharing the data rights to delete, rectify or access the data. Insert a clause in the agreement requiring the third party receiver to comply with the NDPR or their local data laws.
- Secure confidence, either by agreements or document verifications, that the third parties have adequate security for the shared data.
- Publish a list of third party data receivers. The publication must contain the category of third party receivers; the type of data disclosed; their countries; the purpose of the disclosure.

Reporting timeline/authority:
- Publication of third party data receivers included in the audit report and submitted to NITDA every 12 months.

8. Data Correction; Updating; Objection; Deletion Systems

Requirements:
- Ensure there is a system in place for data correction, update, objection or deletion.

9. Data Retention

Requirements:
- State the retention period of data collated in every contract or privacy policy with the data subject.
- Document evidence of data destruction.
- Where no retention period is stated in the agreement, the retention period shall be:
  - 3 (three) years after the last active use of a digital platform;
  - 6 (six) years after the last transaction in a contractual agreement.
- Delete immediately if a relative of a deceased data subject presents evidence of death.
- Delete immediately if the data subject requests.

10. Data Protection Audit

Requirements:
- Engage a Data Protection Compliance Organization (DPCO) to perform a Data Protection Audit and file a report with NITDA.
- The DPCO must submit a data protection audit every twelve months.
- If the company is processing the personal data of more than 1000 people in 6 months, submit a summary audit through the DPCO to NITDA.
- For a company processing the personal data of more than 2000 people in a year, submit an audit report through the DPCO to NITDA.

Reporting timeline/authority:
- Deadline for submission is on or before every 15th of March.

11. Data Breach Response

Requirements:
- Notify victims of the breach within 72 hours.
- Write an official letter to NITDA, notifying them of the personal data breach within 72 hours of the breach.
- Write an official letter to the Nigeria Computer Emergency Response Team (‘ngCERT’), notifying them of the system breach within 7 days of each breach.

Others/Documentation:
- In the notification letter: describe the breach; state the period of the breach; describe the personal data breached; assess the risk of harm of the breach; estimate the victims of the breach; describe remedial steps; describe steps taken to inform victims; give the contact of the notifying company.

Reporting timeline/authority:
- Report to NITDA within 72 hours of the breach.
- Report to ngCERT within 7 days of each breach.

12. Data Protection Compliance On Website

Requirements:
- Publish a privacy policy on the website.
- Notify data subjects of, and allow them to consent to, the use of cookies on the website. Keep the cookies policy simple and easy to understand.

Others/Documentation:
The privacy policy should contain the following:
  a) what constitutes the Data Subject’s consent;
  b) description of collectable personal information;
  c) purpose of collection of Personal Data;
  d) technical methods used to collect and store personal information, cookies, JWT, web tokens etc.;
  e) access (if any) of third parties to Personal Data and purpose of access;
  f) available remedies in the event of violation of the privacy policy;
  g) the time frame for remedy.

Reporting timeline/authority:
- Within 3 months of commencement of business.

13. Data Protection Compliance on Apps

Requirements:
- Publish a privacy policy on apps.
- The privacy policy should contain the following heads:
  i) Information the company collects
  ii) Why the information is collected
  iii) What the company does with the information it collects
  iv) Consent and privacy controls
  v) Sharing information
  vi) Security of information
  vii) Deleting, retaining information
  viii) Third party sites, etc.
- There should be pop-up consent boxes at every point of information collection in the app for purposes of obtaining consent from data subjects.

Reporting timeline/authority:
- Within 3 months of commencement of business.

14. Continuous Training

Requirements:
- Train members of senior management and employees that collect data on Nigerian data protection laws and practices.

Reporting timeline/authority:
- Within the first 6 (six) months of incorporation and then on a biennial basis.

Charles Rapulu Udoh

Charles Rapulu Udoh is a Lagos-based lawyer who has advised startups across Africa on issues such as startup funding (venture capital, debt financing, private equity, angel investing, etc.), taxation, strategies, etc. He also has a special focus on the protection of businesses’ or brands’ intellectual property rights (such as trademark, patent or design) across Africa and other foreign jurisdictions.
He is well versed in issues of ESG (sustainability), media and entertainment law, corporate finance and governance.
He is also an award-winning writer.