The GDPR and Nigeria
Technology / July 10, 2018
The General Data Protection Regulation (GDPR) entered into force on May 24, 2016 and has applied since May 25, 2018. Unlike an EU directive, which each member state has to transpose into national law, a regulation is directly applicable: no additional government action is needed for it to bind. Its territorial scope also reaches beyond the EU, because it applies to organizations outside the Union that offer goods or services to, or monitor the behaviour of, individuals in the Union (Article 3(2)).
Nigeria is the largest economy in Africa and plays a major business role on the continent. While Nigerian businesses may generally ‘appear’ immune to the GDPR, it is important to note that a number of businesses operating in Nigeria are directly affected by this regulation.
The GDPR protects individuals who are in the EU, whatever their nationality or place of residence. It is directly binding on every EU member state, and Article 3(2) extends it to businesses established outside the Union that offer goods or services to individuals in the EU or monitor their behaviour there.
It is also important to note that not every business in Nigeria has to comply with this regulation. Only businesses that have direct and ‘intentional’ dealings with ‘data subjects’ in the European Union are affected, especially if information classified as ‘private/personal’ is collected at any point of the engagement. The regulation is clear about this; a Nigerian business that matches any of the following criteria is most likely affected:
- Your business has an establishment in any EU country,
- Your business directly targets potential clients in any EU country even if it has no presence there, or
- Your business monitors the behaviour of individuals in the EU (for example, by profiling or tracking website visitors located there).
Example excerpts from the European Commission’s website:
__________________________________________________
When the regulation applies
Your company is a small, tertiary education company operating online with an establishment based outside the EU. It targets mainly Spanish and Portuguese language universities in the EU. It offers free advice on a number of university courses and students require a username and a password to access your online material. Your company provides the said username and password once the students fill out an enrolment form.
When the regulation does not apply
Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
__________________________________________________
Which Industry is most affected?
The most affected industry globally is expected to be the financial sector, and Nigeria appears to be no different, as a number of Nigerian financial institutions have a presence in the UK. Brexit, still being negotiated at the time of writing, does not exempt the UK: the UK has adopted the GDPR standard into its own domestic law through the Data Protection Bill, since enacted as the Data Protection Act 2018. “The Bill provides new data protection standards based on the GDPR to all general data, creating new rights for citizens and new modern rules for business.”* This means the impact of the regulation will remain relevant after Brexit.
While the regulation is targeted primarily at protecting the data rights of European subjects, it is not entirely a technology issue. Though technology plays a role in addressing parts of the requirements of the regulations, a key part of this is primarily driven by business policies and processes, directly involving CEOs and top management personnel.
With fines of up to 20 million Euros (over 8.4 billion Naira**) or 4% of the defaulting business’ total worldwide annual turnover, whichever is higher, it would be grave to ignore or set aside the requirements of this regulation. Every CEO and business owner should establish, with definite facts, whether the GDPR applies to their business. Nigeria is a major hub for international business, and the GDPR rules for organizations outside the EU apply to Nigerian businesses exactly as they apply to any other non-EU business.
Requirements for Compliance
While the GDPR requirements affect the use of information in the workplace, information technology and information security are not its primary focus; data privacy is. On the surface it would appear that technology has the major role to play in meeting its requirements, but a deeper look reveals more: compliance is as much about organizational culture in the use and handling of information, especially private/personal information.
The main areas to address are these: Governance, Processes, People and Technology.***
Governance: Top level management buy-in is required to effectively drive and meet the requirements of the GDPR. This includes information security awareness, support for information security initiatives and compliance, and an effective information security management framework embedded in all of the organization’s processes and systems.
Processes: All processes should be designed or redesigned to incorporate continuous security monitoring and regular assessments to prevent data leakage. Continuous data classification is required to stay proactive in protecting sensitive data. Response actions to data breaches/incidents should be clearly defined and rehearsed as often as possible (at least once a year). Note that the GDPR requires a controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible, and to inform the affected individuals without undue delay when the breach is likely to result in a high risk to them, so the response plan must be able to detect, assess and report a breach within that window.
People: The most effective approach to data protection and information security is a well trained and educated workforce. Continuous training and retraining should be a top priority for organizations serious about protecting data. Staff should be trained on the organization’s security policies and should be able to recognize and report data breaches.
Technology: Established businesses typically already have security systems in place that can be leveraged and configured to meet the requirements for protecting data and detecting breaches, often without investing in additional systems/infrastructure. The core areas for protection and detection are network security, email security, endpoint security, data security, database security and, very importantly, monitoring of user activity within the organization’s systems. Bear in mind that monitoring staff activity is itself processing of personal data: it needs a lawful basis, must be proportionate to its purpose and should be disclosed to the people being monitored.
In summary, the General Data Protection Regulation requires continuous and consistent application with the direct involvement of top management. While it may take time to fully comply with its requirements, an expert assessment of existing policies, processes and infrastructure should identify the areas needing corrective measures; a defined set of actions can then be established and followed through to completion.
The full text of the General Data Protection Regulation (GDPR) can be downloaded here:
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
References
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
https://iapp.org/media/pdf/resource_center/GODPO_GDPR_impact_UK_05-15.pdf
http://www.davidfroud.com/free-resource-the-gdpr-in-plain-english/
https://www.xe.com/currencyconverter/convert/?Amount=20000000&From=EUR&To=NGN (as at July 9, 2018) **
https://www.mcafee.com/enterprise/en-us/assets/guides/gd-gdpr.pdf ***