Compliance with the Nigeria Data Protection Regulation (NDPR) will impact data protection governance, information systems and security configuration, as well as documented policies and processes, says ESET Nigeria.
ESET, the internet security company that offers anti-virus and firewall products, emphasised that organisations, both public and private, operating in Nigeria are expected to comply with the NDPR. These requirements are already in force, their implications are complex, and the potential penalties for non-compliance are severe.
Olufemi Ake, the managing director of ESET Nigeria and Ghana, speaking at a Zoom conference recently organised to discuss how organisations can comply with the data protection regulations, said that encrypting data and creating additional authentication for data access in organisations are a few ways to help meet the new data security and compliance rules.
The National Information Technology Development Agency (NITDA) introduced the Nigeria Data Protection Regulation (NDPR) and has enforced compliance with it from January 2019 as the new requirement on the collection and processing of personal data. It requires such activities to be in accordance with a lawful purpose consented to by the data subject.
Due to this, organisations have been mandated to put compliance measures in place within the first year of the regulation.
“Compliance with this regulation will impact data protection governance, information systems and security configuration, as well as documented policies and processes,” Ake said.
He also enumerated the objectives of the regulation as: “to safeguard the rights of natural persons to data privacy; foster safe conduct for transactions involving the exchange of personal data; to prevent manipulation of personal data; and to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.
“NDPR applies to all storage and processing of personal data conducted in respect of Nigerian citizens and residents and it covers transactions intended for the processing of personal data and to the actual processing of personal data and person(s) residing in Nigeria or residing outside Nigeria but of Nigerian nationality.
“Unlike the EU’s General Data Protection Regulation (the GDPR), NDPR is not enforced on persons and organisations outside Nigeria that collect, store, or process data of Nigerians,” Ake said.
“The maximum penalty for breaches of data privacy rights on international transfers can be up to N10M or two percent of annual gross revenue of the preceding year, whichever is higher and based on the number of data subjects dealt with. Other massive losses that non-compliance could cause are reputational damage and prosecution of principal officers in the event of a severe data breach,” he reminded organisations.
Ake also affirmed ESET’s readiness to assist organisations with NDPR compliance.
“To ensure 100 percent compliance, organisations should ensure the following solutions are deployed and proactively used.
“Organisations are keenly advised to get a Data Loss Prevention (DLP) solution to ensure that sensitive data is not lost, misused, or accessed by unauthorised users. Most importantly, the likes of ‘Safetica’ that classifies regulated, confidential and business-critical data and identifies violations of policies defined by organisations or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or NDPR.
“Multi-factor Authentication will serve as an additional layer of protection of data from unauthorised users. This tool will help data controllers in securing all logins to databases and networks (on-premise and cloud) by generating a one-time password that is not known to anyone but unique to a particular user and per login. An excellent example of such a solution is ESET Secure Authentication,” Ake said.
Finally, the security expert advises that organisations should also deploy data encryption technologies, develop an organisational policy for handling personal data (and other sensitive or confidential data), protect emailing systems and ensure continuous capacity building for staff. This is because a report has shown that most organisations in Nigeria seek the above solutions to meet the compliance requirements of NDPR on data security.


