Expansion of globalization and advancement of technology has given birth to a modern challenge on the protection of privacy. Modern technology is increasing the generation, collection, processing, sharing and the use of personal data. These technologies allow private and public corporations to utilize personal data for their activities in record proportion. According to Forbes, by the year 2020, about 1.7 megabytes of new information will be created every second for every human being on earth. That is 44 zettabytes (44 trillion gigabytes).
The potential risk of abuse, breach, and misuse of personal data has ushered in increasing legislation on privacy and protection of personal data globally. The European Union General Data Protection Regulation replaces the European Directive (Directive 95/46/EC) and will come into force on 25th May 2018. The GDPR will harmonize data protection legal framework of European Union member states.
Brief Overview of GDPR
The regulation applies to all entities collecting and processing personal data by offering goods and services to EU residents, monitoring the behaviour of EU residents and processing of personal data even though not established in the union. The GDPR expands the rights of individuals and imposes stricter obligations on data controllers and data processors.
The regulation further seeks to protect the use, processing, collection and disclosure of personal data. The regulation raises the standard to ensure the security of data subjects in a world with increasing cyber risk. The regulation imposes a stricter penalty for non-compliance (as high as 4% of global annual turnover).
Why is it So Important?
The snowballing drive towards a digital world implies more personal data are generated and moved across borders with a divergent legal framework for protection. Personal data fuels the commercial activity of our digital world. The privacy and safety of personal data are vital for the actualization of a digital economy. Globally, privacy laws are evolving and cybersecurity is becoming more complex. The year 2017 witnessed a massive proportion of cyber-attacks and threats. Cybersecurity and data protection will form the pivotal conduit for business enabling and barrier in the digital economy.
A data breach “can result into physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”
The penalty for breach of the GDPR is huge and can be as high as 4% of global annual turnover.
How will the GDPR affect a Nigerian Company with foreign participation?
The GDPR has extraterritorial applicability. A Nigerian company collecting and processing personal data of EU residents has to comply with the regulation. Largely, multinational companies, financial services and e-commerce platforms process large personal data of data subjects spread across the globe including the EU.
Nigeria currently lacks a general data protection statute. The provision of Section 37 of 1999 constitution guarantees right to privacy. The Credit Reporting Act is currently the most advanced legislation on data protection. However, the application of the Act is sector specific, hence, lacking general application. Though, there are currently several legislative efforts at enacting data protection law. The lack of Data Protection framework brings Nigeria within countries without adequate protection under the GDPR.
Technological innovation is birthing new business models. Digital economy and connected information space has made protection of privacy incidental to economic growth and affects international trade.According to UNCTAD, “data protection is directly related to trade in goods and services in the digital economy. Insufficient protection can create negative market effects by reducing consumer confidence, and overly stringent protection can duly restrict business, with adverse economic effects as a result.”
Nigeria is a big economic hub with burgeoning financial services and e-commerce sector. According to Thisday, Nigeria e-commerce value is currently estimated at $13 billion and expected to hit over $50 billion by the year 2027. In 2016, Nigeria ranked 6th in global diaspora remittance hovering over $18 billion. The buoying Fintech space is witnessing increasing trade volume. The stats did not mention the quantum of transaction originating from EU but it is characteristic of Nigerians in the diaspora to send money to loved ones at home. Nigerians based in EU are utilizing this space; which brings money transfer platforms within the scope of compliance with the GDPR.
The Nigerian government drive for increasing e-governance implies Nigerians outside the country can remit taxes, pay statutory fees, stamp duty from outside the country utilizing e-payment platforms. Financial institutions and fintech platforms processing EU data must ensure the security of the personal data of data subject and comply with the GDPR by ensuring safeguard and reducing risk to data subjects.
In the absence of a Nigerian general data protection law, companies can build strong privacy and data protection culture to safeguard global competitive advantage.
What the Nigeria Company Should Look Out For
The GDPR introduced increased standards, obligations and liabilities on the path of data processors and controllers; and wider rights for data subjects. They are highlighted below:
The GDPR elevated the threshold of consent for the processing of personal data of subjects. Consent under the GDPR forms a legal basis for processing of personal data. Consent must be “freely given, specific, informed and unambiguous”. The collection of personal data and consent must be made by a clear affirmative action. The requirements for obtaining consent under the GDPR are more restrictive. Consent must be freely given and withdrawn. Consent extends to children.
Detailed Privacy Notice
A data controller is required to disclose to the data subject at the point of collecting personal data, the use of such data, duration of storage, purpose, whether it will be transferred to other country or third parties. Furthermore, the data subject must be informed of the right to make an access request; and information on the right to have personal data deleted or rectified in certain instances.
There is an obligation on the company to provide comprehensive, clear and transparent privacy policies. A company must maintain additional internal records of its processing activities.
Rights of Individuals
The GDPR expanded the scope of rights of data subjects. The rights allow EU data subjects to pursue a legal remedy when breached. Rights to access to information about the purpose of processing, storage, duration and disclosure. The rights to object give the data subject rights to object to the processing of their personal data falling outside the legitimate purpose or allowable exceptions. The rights to the restriction of processing limits the processing of personal data where the accuracy of such data is contested, where the processing is unlawful, or no longer needed by the controller.
The rights of Erasure give a data subject the right to request a company to erase personal data concerning them if they are not necessary anymore in relation to purposes of which they are collected. The rights to data portability give the data subject the right to receive personal data concerning them and transmit these data seamlessly to another company. This is similar to mobile sim portability in the telecommunication sector in Nigeria.
The data subject has rights to lodge complaints with a supervisory authority when there is an infringement of any of their rights guaranteed under GDPR in member states where they live, work and place of the alleged infraction. Other rights include rights to Judicial remedy, rights of rectification, rights not to be subjected to automated decision making, rights to a representation to lodge complaints on their behalf and rights to compensation.
Increased obligation to ensure security safeguard
The GDPR mandates company to take technical and organizational measures to achieve a level of security appropriate to the imminent risk. This has become more urgent in wake of increasing cybersecurity threat to organisations. The Regulation advocates pseudonymisation,
tokenisation, anonymisation encryption of data, constant assurance of confidentiality, integrity, availability, and resilience of processing system and services.
The GDPR also advocates privacy by design and privacy by default. Privacy by design emphasises that privacy should be embedded in the company’s design throughout its lifecycle. Privacy by default advocates that default setting of technology should favour privacy.
Financial services in Nigeria is constantly faced with cybersecurity risk. Credit card theft is a scourge. Platforms accepting credit details of users will have to ensure the security of such personal data. Companies will have to invest in cybersecurity and train employees on security procedure like fire drills.
Prompt notification in case of accident or breach.
The GDPR introduces mandatory security breach notification and requires administrative and technical safeguards for personal data to reduce identified risks and to prevent data breaches. The GDPR mandates a company to inform the supervisory authority of data breach incident within 72 (Seventy-two) hours of discovery. The data subject is required to be notified without undue delay if the breach portends high risk to his rights and freedoms. Notification can be dispensed with if the data breach is unlikely to result in any risk to the data subject.
In addition, the company should prepare an incidence response plan and train its employee on how to respond. In the absence of supervisory authority in Nigeria, a company who has suffered data breach will have to notify the data subject promptly.
Protection Impact Assessment
DPIA is conducted where there is high risk to the rights and freedoms of a data subject to evaluate the severity of the risk. It is the duty of the company to conduct DPIA. Where the DPIA reveals high risk, the company should ensure appropriate safeguards before going ahead with processing.
DPIA should describe the nature of the risk, take into account the nature, scope, context, purpose of processing and the sources of the risk. DPIA should include safeguards and mechanism for mitigating the risk, ensuring the protection of data and demonstrating compliance with GDPR.
Cross-border data transfer
The “flow of personal data from countries outside the EU and International organisations are necessary for the expansion of international trade and cooperation.” This is more apposite for multinational companies with operations in Nigeria and the EU. Multinational companies transfer personal data of employees across jurisdictions they operate to manage their global workforce and ease operations. Multinational companies and their EU subsidiaries commonly share the personal data of EU and non-EU data subjects with a wide range of service providers and the processing is often outsourced.
The GDPR prohibits the transfer of personal data of EU data subjects outside the EU to states lacking adequate protection. The foregoing will become one of the most important issues for multinational companies operating in Nigeria. Transfers of personal data to countries outside the EU may take place if these countries are deemed to ensure an adequate level of data protection. The test of adequacy is assessed by the European Commission. An example of adequacy is the EU-US privacy shield. A country like Nigeria without a general data protection legal framework will be deemed inadequate. However, there are some exceptions that allow personal data to be transferred to a third country even in the absence of an adequacy decision.
Personal data can be transferred if the controller or processor exporting the data has himself provided for appropriate safeguards, if there is effective legal remedy available in the given country, if the data subject consents to it, if the transfer is necessary for the performance and conclusion of a contract between the data subject and the controller, if it is in the public interest or establishment, exercise or defence of legal claims.
The appropriate safeguards can be laid down in the following most relevant instruments:
- Binding corporate rules are internal codes of conduct adopted by multinational groups of companies. It allows transfer of data between different units of the group. Binding corporate rules are a solution for multinational companies which export personal data from the territory of the EU to other companies within the same group located in third countries which do not ensure an adequate level of protection.;
- Standard contractual clauses are model contracts adopted by the European Commission or by a national supervisory authority and approved by the European Commission;
- In addition, Data can be transferred to Nigeria by virtue of been part of any mutual legal assistance treaty with any EU member states.
Steps by Nigerian Companies processing EU personal data to comply with GDPR
- Ensure consent is freely given and data subjects must “opt-in” rather than “opt-out” of data collection schemes. Data controllers should utilise personal data strictly for the purpose of collection and keep it only as long as needed.
- Ensure security of personal data at rest and in transit with strong encryption. Pseudonymisation, anonymisation and tokenisation can be adopted to ensure safeguard.
- Develop a data security breach response scheme and comprehensive incidence response plan. The company should train employees on how to identify a breach in real-time and spot potential threat. The notification and report should be prompt.
- The company should review and regularly update their privacy notices, policies, and other documentation and communications. Information provided in privacy notices must be easy for data subjects to comprehend.
- Conduct privacy and data security audit. Carefully evaluate the existing data subjects’ data and processing activities and detect potential inconsistency with the GDPR.
- Ascertain the legal grounds for processing personal data and use for strictly lawful purpose.
- Embedding privacy from the design stage will help Nigerian tech start-ups. Existing entities should regularly run compliance test before implementing a new technology. Eset has a platform to run compliance check.
- Ensure Cross-border data transfer policy complies with the GDPR by implementing the standard model contract or binding corporate rules for multinational companies.
The GDPR increases the liabilities of companies. The Regulation expands data subjects’ rights. Data controllers and processors can be sued in the country where the individual has his or her habitual residence, even if their company or organisation does not have any establishment in that country.
Nigerian companies should adopt a more global data privacy and cybersecurity approach in ensuring regulatory and legal compliance as well as securing their global competitive advantage. A company who fails to comply with the GDPR risks heavy fine (as high as 4% of their global annual turnover), injunction, a criminal investigation by the government and civil liability. Importantly, companies that neglect or negligent with privacy and cybersecurity standards risk negative media attention and blow to their public image with attendant cost. In addition, there is also the incalculable damage to loss of public trust and confidence.
It is left to see how the EU will implement compliance with the regulation and punish non-compliance. Conducting a global investigation, auditing, monitoring and prosecution of non-compliance will be expensive and exhausting. The penalties are strict and better for Nigerian companies collecting and processing EU personal data to reposition for global competitive advantage. Can the EU investigate and punish every instance of non-compliance or substantiality of non-compliance will be the factor?
Dayo Adu – firstname.lastname@example.org
Ridwan Oloyede – Ridwan.oloyede@email@example.com