Data Protection: What Startups In Nigeria Must Do To Be Data Privacy Compliant


In March this year, the National Information Technology Development Agency (NITDA), the body which, for now, regulates all activities related to data collection and protection, did something uncommon: it imposed a fine of ₦5 million ($13,123) on a financial services provider, Electronic Settlements Limited, for a data protection breach.

NITDA did not stop there; it also placed the fintech company, which is behind products like Paypad, a mobile Point of Sale (mPoS) service, and CashEnvoy, a web payment gateway, under intense six-month oversight.

NITDA’s action was uncommon because, before then, punishment for data protection breaches in Nigeria had been rare and remote.


After that incident, the agency quickly published an implementation guide on the rules on data protection (passed in 2019 as the Nigeria Data Protection Regulation, NDPR) to show that it means every word it says on data protection in Nigeria.

Therefore, to help Nigerian tech startups substantially comply with the laws on data privacy, it is important to clarify how Nigeria’s regulatory ecosystem for data privacy works in practice.

[Image: Nigeria data protection startups. Source: PrivacyMatters]

The compliance requirements are summarised below by compliance area. The original table had the columns S/N, Compliance Area, Requirements, Others/Documentation and Reporting Timeline/Authority; each entry here keeps those headings.

1. Consent
Requirements: Obtain positive consent from the data subject at every point of data collection. Consent is positive if it allows the data subject to act on it. Consent must be explicit and never implied (for example, through a “tick-box” or “opt-in box”).
Others/Documentation: Consent is required (i) for any direct marketing activity, except to existing customers of the Data Controller who have purchased goods or services; (ii) for the processing of Sensitive Personal Data; (iii) for further processing; (iv) for the processing of the personal data of a minor; (v) before personal data is processed in a country that is not on the Whitelist of Countries published by NITDA from time to time; and (vi) before the Data Controller makes a decision based solely on automated processing which produces legal effects concerning, or significantly affecting, the Data Subject.

2. Security
Requirements: Adhere to relevant security standards while protecting the company’s data.
Others/Documentation: Adherence may be verified through data security certifications against standards such as ISO 27001 and SOC 2.

3. Data Protection Impact Assessment (DPIA)
Requirements: Conduct a DPIA whenever intensive use of personal data is involved. Specifically in Nigeria, conduct a DPIA if data processing involves: (a) evaluation or scoring (profiling); (b) automated decision-making with legal or similarly significant effect; (c) systematic monitoring; (d) sensitive or highly personal data; (e) the personal data of vulnerable or differently-abled data subjects; or (f) the deployment of innovative processes or the application of new technological or organisational solutions. A DPIA is required for highly sensitive personal data such as biometric data; data related to sexual preferences; genetic data; health data; political opinions; race and ethnic origin; religious or philosophical beliefs; and trade union membership. Where the sensitive data originates from a country other than Nigeria, conduct the DPIA in accordance with the rules and regulations of that country.
Others/Documentation: DPIA report and approval obtained from NITDA for collecting data under paragraphs (a) to (f) above. Assessment reports may be facilitated by software such as Smartsheet, OneTrust, TrustArc and Tugboat Logic.

4. Internal Data Protection Policy
Requirements: Develop and circulate an internal data protection policy to staff and vendors, especially as it concerns the collection and processing of Personal Data. In the policy document, outline the steps they are to take to ensure the organisation’s direction is achieved and maintained, the methods of responding to a data breach, etc.

5. Data Protection Officer (DPO)
Requirements: Appoint a data protection officer if: (a) the core activities of the organisation involve the processing of the Personal Data of over 10,000 (ten thousand) Data Subjects per annum; (b) the organisation processes Sensitive Personal Data in the regular course of its business; or (c) the organisation possesses critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of Personal Data. If the Nigerian company is a subsidiary of an international company, appoint a data protection officer based in Nigeria, and give the Nigerian DPO full access to the entire data management system of the international company.
Others/Documentation: The DPO shall not be liable if the company fails to comply with data protection rules. The DPO shall oversee the entire data protection practices of the company.
Reporting Timeline/Authority: Appoint the DPO within 6 months of starting a business, or within six months from November 2020.

6. Offshore Data Transfer/Sharing
Requirements: Make sure the country of data transfer/sharing falls within NITDA’s White-List. Obtain an adequacy decision from the Attorney-General of the Federation through NITDA. Where the destination of the transfer falls outside the White-List, present verifiable consent documents to NITDA. Implement a Binding Corporate Rule (BCR), or sign and submit Standard Contractual Clauses (SCC) to NITDA, where personal data is transferred to a foreign subsidiary or headquarters.
Others/Documentation: Documents for approval of transfer: (i) the list of countries to which the Personal Data of Nigerian citizens and residents is being transferred in the regular course of business; (ii) the data protection laws of the relevant data protection office/administration of the countries listed in (i); (iii) the privacy policy of the Data Controller, which must be NDPR-compliant; (iv) an overview of the encryption method and data security standards; and (v) any other detail that assures that the privacy of Personal Data is adequately protected in the target country.
Reporting Timeline/Authority: Transfers are reported to NITDA on a case-by-case basis; the BCR or SCC is submitted separately on each occasion or included in the data audit report.

7. Third-Party Risk Management
Requirements: Enter into data processing agreements with third parties for every instance of data sharing. In the agreement, ensure that the clauses on data use only permit the third party to process expressly authorised data, grant the party sharing the data the right to delete, rectify or access it, and require the third-party receiver to comply with the NDPR or its local data protection laws. Obtain assurance, either by agreement or by document verification, that the third parties have adequate security for the shared data. Publish a list of third-party data receivers, stating the category of receivers, the type of data disclosed, their countries and the purpose of the disclosure.
Reporting Timeline/Authority: The publication of third-party data receivers is included in the audit report submitted to NITDA every 12 months.

8. Data Correction, Updating, Objection and Deletion Systems
Requirements: Ensure there is a system in place for data correction, updating, objection and deletion.

9. Data Retention
Requirements: State the retention period of the data collected in every contract and privacy policy with the data subject. Document evidence of data destruction. Where no retention period is stated in the agreement, the retention period shall be 3 (three) years after the last active use of a digital platform, or 6 (six) years after the last transaction in a contractual agreement. Delete immediately if a relative of a deceased data subject presents evidence of death. Delete immediately if the data subject so requests.

10. Data Protection Audit
Requirements: Engage a Data Protection Compliance Organisation (DPCO) to perform a Data Protection Audit and file a report with NITDA. The DPCO must submit a data protection audit every twelve months. If the company processes the personal data of more than 1,000 people in 6 months, submit a summary audit through a DPCO to NITDA. If the company processes the personal data of more than 2,000 people in a year, submit an audit report through a DPCO to NITDA.
Reporting Timeline/Authority: The deadline for submission is on or before the 15th of March every year.

11. Data Breach Response
Requirements: Notify victims of the breach within 72 hours. Write an official letter to NITDA notifying it of the personal data breach within 72 hours of the breach. Write an official letter to the Nigeria Computer Emergency Response Team (ngCERT) notifying it of the system breach within 7 days of each breach. The notification letter should: describe the breach; state the period of the breach; describe the personal data breached; assess the risk of harm from the breach; estimate the number of victims; describe the remedial steps; describe the steps taken to inform victims; and give the contact details of the notifying company.
Reporting Timeline/Authority: Report to NITDA within 72 hours of the breach; report to ngCERT within 7 days of each breach.

12. Data Protection Compliance on Websites
Requirements: Publish a privacy policy on the website. Notify data subjects of, and obtain their consent to, the use of cookies on the website; keep the cookies policy simple and easy to understand. The privacy policy should contain: (a) what constitutes the Data Subject’s consent; (b) a description of the personal information collected; (c) the purpose of collecting Personal Data; (d) the technical methods used to collect and store personal information (cookies, JWT, web tokens, etc.); (e) any access of third parties to Personal Data and the purpose of such access; (f) the available remedies in the event of a violation of the privacy policy; and (g) the time frame for remedy.
Reporting Timeline/Authority: Within 3 months of commencement of business.

13. Data Protection Compliance on Apps
Requirements: Publish a privacy policy in the app. The privacy policy should contain the following heads: (i) information the company collects; (ii) why the information is collected; (iii) what the company does with the information it collects; (iv) consent and privacy controls; (v) sharing of information; (vi) security of information; (vii) deleting and retaining information; (viii) third-party sites, etc. There should be pop-up consent boxes at every point of information collection in the app for the purpose of obtaining consent from data subjects.
Reporting Timeline/Authority: Within 3 months of commencement of business.

14. Continuous Training
Requirements: Train members of senior management and the employees who collect data on Nigerian data protection laws and practices.
Reporting Timeline/Authority: Within the first 6 (six) months of incorporation, and then on a biennial basis.

Charles Rapulu Udoh

Charles Rapulu Udoh is a Lagos-based lawyer who has advised startups across Africa on issues such as startup funding (venture capital, debt financing, private equity, angel investing, etc.), taxation and strategy. He also has a special focus on the protection of business or brand intellectual property rights (such as trademarks, patents or designs) across Africa and other foreign jurisdictions.
He is well versed in issues of ESG (sustainability), media and entertainment law, corporate finance and governance.
He is also an award-winning writer.

Data Protection in an Evolving Threat Landscape By Johan Scheepers

Johan Scheepers, Country Head, Commvault South Africa

Information Technology (IT) has become both simpler and more complex. The cloud illustrates this best: it makes IT easier to consume while adding the challenges of massive data growth, more silos and a growing number of workloads. In addition, ransomware and malware attacks are a very real concern. Data protection needs to be modernised to meet changing needs, simplified to reduce complexity, and made flexible enough to adapt to a changing world.

Johan Scheepers, Country Head at Commvault South Africa

Above all, data needs to be consolidated to provide an all-encompassing view of it as a strategic business asset, moving beyond backups to data management. In a data-driven world, the impact of a disaster is magnified.


With the emergence and growth of cloud technologies, data outages have become far less frequent. However, the impact of an outage is far more severe. This is due to a number of factors, including the importance of data to a business, the interdependencies between various platforms, and our reliance on technology systems, which is far greater than ever before.

Data has become a key strategic asset, and digital transformation is driving innovation and new customer experiences. Businesses are expected to be online and available 24 hours a day, seven days a week and 365 days a year. Without access to their data, the majority of modern enterprises simply cannot function.

While outages have become less likely, they still happen as a result of human error, natural disaster and, increasingly, data breaches and ransomware attacks. There is no longer any acceptable level of downtime, and outages and data loss events have a financial impact on business that can run into the millions.


However, the impact on the reputation of a business can be even greater, particularly when it comes to data breaches. The cost of recovery also needs to be considered, as well as any fines associated with compliance regulations, which are a real possibility when a data breach occurs. Having the right business continuity model, Disaster Recovery (DR) and data protection strategies in place is imperative.

Data growth has exploded in the last five years, and data has become increasingly fragmented as it is spread across multiple silos. With the growing prevalence of multi-cloud and the emergence of new technologies like the Internet of Things (IoT), Artificial Intelligence (AI) and Machine Learning (ML), this trend is accelerating.

While the old threats have not gone away, the threat landscape is also evolving, with ransomware becoming increasingly sophisticated and the number of attacks rising rapidly. According to the ESG Research Report: 2020 Technology Spending Intentions Survey, 60% of businesses surveyed experienced a ransomware attack in the past year.


Results from IBM’s 2019 Cost of a Data Breach Report estimate that it takes South African businesses an average of 213 days to identify and remediate a breach, and that the cost of a successful attack can exceed $5 million. Data protection workloads have become one of the top priorities for business, and requirements have evolved beyond backup into data management. While best practices around backup still apply, businesses now need an integrated view of their data to simplify and centralise control, in order to manage and consolidate silos. This is essential if they are to protect, access, govern and use all of their data across all of its various locations.

Beyond better backup

Data is not a technology problem; it is a strategic business asset, and it needs to be treated as such. A data protection strategy needs to solve business challenges and align with business priorities. A simple solution that scales up and out as needed, and that meets objectives for each area of risk, is essential for mitigating exposure.

Improving data strategies and moving away from legacy solutions will offer better backups, more resiliency and ultimately better data protection, all essential in a data-driven and evolving technology world. Moving beyond backup and into the realms of data management, including Disaster Recovery and Business Continuity, can help businesses to improve efficiency, simplify complexity and enhance flexibility.

Modernising and simplifying data protection, in alignment with business goals and digital transformation strategy, is vital for meeting data needs today and in the future.


Kelechi Deca

Kelechi Deca has over two decades of media experience. He has travelled to over 77 countries reporting on multilateral development institutions, international business, trade, travel, culture and diplomacy. He is also a petrol head with in-depth knowledge of automobiles and the auto industry.

South Africa Legislates on Data Protection of Personal Information


The South African government has become the latest in Africa to legislate that organisations must now move to comply with new regulations protecting the identifying and personal information they collect, store and manage. This development is in line with the African Union’s Convention on Cyber Security and Personal Data Protection (known as the Malabo Convention), which sets out principles urging all AU member states to respect and protect individuals’ rights to privacy online and offline.

Multiple member states have already ratified the Malabo Convention or put data protection laws in place, but many have been foot-dragging on enforcement, with the exceptions of Kenya, Nigeria and Botswana. South Africa now joins them with its Protection of Personal Information Act (POPIA), which came into effect on 1 July 2020. As in Kenya, Botswana and Nigeria, South African organisations must now move to comply with new regulations protecting the identifying and personal information they collect, store and manage.

Global best practice in the protection of personal information will become increasingly important as pan-African trade picks up and as African countries seek to boost exports internationally. However, compliance with pan-African and global data privacy and security laws and regulations can be a daunting task for any organisation, especially since the requirements are often vague and ambiguous, with little specific guidance on how to achieve compliance. In a 2019 survey conducted by Sophos, only 34% of South African organisations were reportedly ready to comply with POPIA.


So where should you begin? Here are three simple steps to help you get started:

Start with a business privacy impact assessment

Condition seven of POPIA (“Security Safeguards”) requires organisations to take “appropriate and reasonable measures” to safeguard personal information. The concept of acting “reasonably” is used in many privacy laws around the world and requires a business to do what is appropriate to protect its data. Note that this does not require perfection. Rather, the business must take a risk-based approach and do what is reasonable to mitigate that risk. By conducting a business privacy impact and risk assessment, you will identify the privacy risks in your organisation and come up with a plan to either remediate or accept them.

Prioritise your high-risk processes

High-risk processes should always come first. Start with client/customer personal data and work your way towards employee personal data. This will involve collaboration with many departments, so executive buy-in is a must; and privacy compliance should be pitched as business enablement.


Drive an awareness campaign

Employees need to be made aware of, and trained in, the security requirements of the organisation, and they need to learn the basic privacy principles and best practices and how to apply them at work. Security awareness training for employees is one of the most effective means of reducing the potential for costly errors in handling sensitive information and of protecting company information systems.

Requirements around data protection can seem tedious, but they provide the foundation for trust in the digital environment, and there are plenty of resources to assist with training on POPIA, GDPR and other privacy and cybersecurity content. KnowBe4 Africa, for instance, has new training material on data protection and can assist your organisation in achieving legislative compliance.
