Data protection in Nigeria – enforcement in post COVID-19 digital economy
Guest post by Yemi Adeniran, Managing Partner at Digiterhub
Data protection is the process of safeguarding information from threats, destruction, compromise, loss and unauthorized use.
According to the United Nations, 132 out of 194 countries have enacted data protection and privacy legislation to protect their citizens' data. Among them, Nigeria enacted the “Nigeria Data Protection Regulation (NDPR)” in 2019 and presented a “draft Data Protection Bill” for stakeholder review in May 2020.
This paper discusses enforcement and the lack of capability for successful enforcement of data protection and privacy in Nigeria. This is more important in the new normal to aid digital economic growth as organizations struggle to adapt to the challenges arising from the pandemic.
The COVID-19 pandemic has wreaked havoc, created a public health emergency and changed the way data are collected and processed by public and private organizations. These are exceptional times in the nation’s history, and they make the role of Data Protection in the post-COVID-19 era key to the digital economy ecosystem.
To date, the UK Information Commissioner’s Office (ICO) has taken 60 enforcement actions to ensure organizations meet their data protection and privacy obligations. Among these, the ICO fined British Airways (BA) £20m for failing to protect the personal and financial details of more than 400,000 of its customers. I was one of the victims of the BA data breach when BA suffered a severe cyber-attack in 2018. None could have envisaged the impact and consequences of the data breach on customers’ lives (anxiety and distress). According to the ICO, the breach occurred as a result of BA’s poor decisions around personal data and its failure to mitigate or prevent the risk of a hacker being able to access BA’s internal network.
Nigeria is not alone in introducing nascent data protection laws to regulate how organizations collect, process and store data. Other nations in sub-Saharan Africa are following the trend of increased data protection to protect the personal data of citizens. Of the 54 countries in Africa, 27 have Data Protection Legislation, 9 have draft Data Protection Legislation and 13 have no Legislation, according to the United Nations.
An increasing amount of data is being processed in the digital economy as a result of the new normal. This makes it vital that appropriate data protection law is enacted to safeguard data, empower individuals to take control of their personal data, support organizations in the use of data and ensure Nigeria is fully prepared for the post-COVID-19 digital economy.
Currently, the “operational” Nigeria Data Protection Regulation (NDPR) and the draft Data Protection law lay down a number of data protection principles with which organizations are meant to comply to guarantee the Data Privacy and Protection of citizens. However, enforcement and enforcement capability are gaps within the Data Protection Regulation ecosystem. This has resulted in some organizations (public and private) not maintaining compliance with the principles of Data Protection.
Why is enforcement not effective?
The gaps in the enforcement of the Data Protection Regulation are down to a number of factors:
i. Breach reporting obligations are not taken seriously by organizations in Nigeria under the Data Protection Regulation.
ii. Service Level Agreements (Requirements) on breach reporting are loosely defined between data controllers and data processors.
iii. The impact of organizations’ failing to implement regulatory data privacy controls.
iv. Lack of clarity on what is considered a data breach or data loss.
v. Inadequate Awareness and Training on Data Privacy and Protection principles, roles and responsibilities.
vi. Organizations’ Incident Response Plans (detection and reporting) are weak or non-existent.
vii. No established template or protocol to report a data leak or data loss. Contrast that with the UK, for example, where the Information Commissioner’s Office has a written action policy on enforcement.
viii. Organizations are failing to own their compliance story by building data privacy compliance programmes.
ix. Organizations are failing to prioritize Data Privacy Awareness and Training internally and are thus paying lip-service to the education and awareness campaign. Where the carrot of education goes unheeded, the Regulator must use their stick – the Regulator must not be shy to take enforcement action and apply fines when warranted against these organizations (public or private).
Enforcement of the Data Protection Regulation
Whilst the Data Protection Regulation in principle creates an ecosystem and taxonomy that is respectful of users’ privacy by default, the main challenge to overcome for the Data Protection Commission or Regulator is the enforcement of the Data Protection Principles.
The Nigeria Data Protection Regulation and the draft Data Protection Act 2020 lay out the power of the Regulator to monitor compliance and impose fines. However, additional guidelines are needed to clarify how enforcement will be conducted and the range of fines and penalties by category. This should be laid out for compliance to be taken seriously by organizations. The penalties for regulatory breaches should be reviewed by the Commission or Regulator at agreed intervals.
For enforcement to be effective, the Regulator should not only place a duty on data controllers to notify the Commission, as well as the individuals affected by data breaches, but a policy of proactive rather than passive monitoring should be the norm. The following addresses some of the factors that promote proactive enforcement and enforcement capability within the Data Protection ecosystem:
The Nigerian Senate passed the Whistleblower Protection Bill into law in 2017. The bill was known as “An Act to Protect Persons Making Disclosures for the Public Interest and Others from Reprisals, to Provide for the Matters Disclosed to be Properly Investigated and Dealt with and for other Purposes Related Therewith”.
Based on this law, the Data Protection Commission or Regulator should introduce a whistleblowing policy to encourage the reporting of data breaches that are normally kept hidden or denied by the respective organizations. The information received through whistleblowing disclosures must be used to develop intelligence for further investigations and subsequent enforcement actions.
The need to regulate and enforce data protection law or regulation is crucial in the post-COVID-19 digital economy, and the will and power to do so must be absolute. Whistleblowing disclosures will help the Regulator, but without adequate funding, subsequent enforcement measures under the Data Protection Regulation will be ineffective. The draft Data Protection Bill 2020 enumerates sources of funding, beginning with fines, levies and other sources including gifts. However, the global best practice for funding a Data Protection Commission or Regulator is for organizations to pay a data protection fee; in the majority of cases, this funding is supplemented by fines and government grants. Therefore, without adequate funding, enforcement as one of the stated objectives is going to be difficult to achieve.
Data Privacy Building Blocks
The post-COVID-19 digital economy brings a lot of challenges that reconstruct the building blocks of Privacy by Design and Data Protection Impact Assessment (DPIA). The advent of contact tracing apps, travel portals that collect data on airline passengers, the biometric database, and data collected for identity purposes by COVID-19 testing centres, Financial Institutions, Telecoms and others means the Nigeria Data Protection Commission or Regulator must take a fair and reasonable approach to enforcement of Data Privacy and Protection Principles, as we have seen exponential growth in the personal data collected due to the pandemic.
Data Privacy Culture
Data Privacy laws and regulations are coming thick and fast in sub-Saharan Africa. In order for organizations to operate effectively in the new normal, the Data Protection Regulator and organizations need to do more than create policies and processes to comply with these regulations. Organizations ought to create a culture around data privacy and protection that cascades through to staff. This should not be done by lip service or mere training only. Senior Management (executives) will need to align their organization’s culture with privacy principles. Awareness training on the knowledge and norms employees must master in the new world of data privacy must be communicated from the top down in order to change the mindset of the organization.
Cybersecurity in a digital world and data protection are synonymous. Data Protection in Nigeria is key to securing personal data of citizens at rest and in transit.
The effectiveness of data protection relies heavily on data controllers and data processors putting in place adequate cyber and information security controls to protect data from hackers and malicious interference. Therefore, the post-COVID-19 digital economy requires organizations (public and private) that handle data to evaluate the risks of processing so that appropriate countermeasures can be implemented to mitigate the risks of data breach and data loss.
Data Protection Commission or Regulator should develop advisory services, guidelines, sandboxes and other regulatory measures that support a safe environment to test data and secure coding to promote best practices in the post-COVID-19 digital economy. In developing post-COVID-19 regulatory action policy, the policy should lay down, among other things, technical and organizational measures to address data breach investigation and enforcement action for non-compliance.
The Data Protection Regulation acts as the primary law regulating how companies protect Nigerian citizens’ personal data. Under the regulation, organizations must ensure that effective cyber and information security measures and controls are in place so that all attempts to exploit their computer systems are made difficult. As I often say to clients: “The question is not whether you are going to be breached, but when you are going to be breached. Therefore, implement effective controls”.
In recent months, we have seen organizations that have gathered, processed and stored personal data but have not implemented adequate controls to secure it. We have seen Mobile & Web Apps released into production with unintended flaws and weaknesses that led them to process critical data in an insecure manner. Surely, organizations have to do more and take responsibility for the security of the personal data they collect.
Application Security (AppSec) controls have been neglected or inadequate in the Application Development Life Cycle. AppSec is part of what Application Developers must do to protect critical data from threats and unintended exposure. Organizations must build Apps securely, without slowing the innovation that supports the digital economy.
All these alleged breaches were particularly concerning given the number of basic security inadequacies across organizations’ systems, which gave easy access to the hackers. The multiple serious defects fell below the standard expected of best information security practices.
Fines for Infringements
Where the carrot of education on the need for internal controls and regular review of risk treatment options goes unheeded, the Regulator must use their stick. The Regulator must take a cue from the UK Regulator’s £20m fine levied against BA for failure to mitigate the risk of an attacker being able to access customer data on the BA network. Whilst it is generally accepted that, before issuing fines, Regulators take into account economic impact and affordability (as the UK ICO does), a soft fine on infringements will make a mockery of the hard work of the Nigerian Data Protection Regulator and defeat the overall enforcement objective.
Secure Data Exchange
Nigeria has a number of data exchange agreements with foreign entities. For example, the Nigeria Immigration Service directly transmits information on lost and stolen passports to the INTERPOL HQ in Lyon, France.
Similarly, the Nigeria Identity for Digital (ID4D) Project has huge implications for Data Privacy and Protection. There is also a request for the establishment of a National DNA data bank to support the national security architecture.
In addition, organizations that frequently exchange data between their local and international offices must do so using secure and automated templates, and such transfers of data must be subjected to a DPIA.
A Data Protection Impact Assessment (DPIA) must be conducted for each of these projects to ensure an appropriate level of personal data security controls is put in place, taking into account the risks presented by the data processing activities.
With more and more of our lives becoming digital, organizations have to take data protection and privacy seriously, but enforcement actions also have to be visible and amplified by the Regulator. The digital economy has the potential to add billions to the economy if implemented correctly, and enforcement of Data Privacy has a key role to play in the roadmap. We at Digiterhub have developed a number of Data Privacy and Protection training and awareness services that would help organizations in their compliance journey towards building Data Privacy compliance programmes.
About the Author
Yemi Adeniran, Managing Partner at Digiterhub, is a cybersecurity, data privacy, program management expert and public speaker.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.