62 tweets, 9 min read
Though the company said in its statement that it was not hacked, users' data was evidently compromised.
The legal and regulatory framework for companies in data protection: the general constitutional right to privacy, then the NDPR 2019 and the GDPR as they relate to Nigerian companies, and sector-specific regulations.

1. The Constitution of the Federal Republic of Nigeria as amended:
The constitution guarantees the Fundamental Human Rights of its citizens in Chapter 4 and upholds the rights to privacy as sacrosanct.
Section 37 of the Constitution protects the rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication.

2. Freedom of Information Act No. 4 of 2011: This Act guarantees the right of any person to access or request information, whether or not contained in any written form, which is in the custody or possession of any public official, agency or institution howsoever described.
Notwithstanding the above, the Act creates certain exceptions under which information sought by an applicant may be withheld. Section 14 of the Freedom of Information Act provides that a public institution can deny an application for information that contains personal information unless the individual consents to the disclosure or the information is publicly available. Section 16 of the Act also provides that a public institution may deny an application for information subject to the following privileges:
a. legal practitioner-client privilege
b. health worker-client privilege
c. journalism confidentiality privileges
d. any other professional privilege conferred by an Act
3. The Child Rights Act 2003: The Act regulates the protection of children (persons under the age of 18 years). The Act limits access to information relating to children in certain circumstances.

4. The Consumer Code of Practice Regulations 2007: This regulation was issued by the Nigerian Communications Commission ('NCC'). The Regulation provides that all licensees must take reasonable steps to protect customer information against improper or accidental disclosure and must ensure that such information is securely stored and not kept longer than necessary. The Regulation also provides that customer information must not be transferred to any party except to the extent agreed with the customer, as permitted by the Nigerian Communications Commission or other applicable laws or regulations.
5. Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011: In 2011, the NCC issued the Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011.
Section 9 of the Regulation provides that subscriber information contained in the Central Database shall be held on a strict confidentiality basis and that no person or entity shall be allowed access to any subscriber's information on the Central Database except as prescribed by the Regulation. "Central Database" is defined in the Regulation to mean the subscriber information database containing the biometric and other registration information of all subscribers. Section 21 of the Regulation provides penal sanctions for violators.
6. The Cybercrimes (Prohibition, Prevention etc.) Act 2015: This Act provides a legal, regulatory and institutional framework for the prohibition, prevention, detection, prosecution and punishment of cybercrimes in Nigeria.
Among other things, the Act provides for the retention and protection of data by financial institutions and criminalizes the interception of electronic communications.
7. The National Identity Management Commission (NIMC) Act: The Act establishes the Commission and mandates it to create and operate a National Identity Database and to issue unique National Identification Numbers to qualified citizens and legal residents.
Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information contained in the Database with respect to an individual's registered entry without the authorization of the Commission.
The Commission is, however, empowered to provide another person with information recorded in an individual's entry in the Database without the individual's consent where the provision of such information is in the interest of national security, is necessary for purposes connected with the prevention or detection of crime, or is for any other purpose specified by the Commission in a regulation.
Globally, we have the General Data Protection Regulation: This Regulation applies without the need to be implemented explicitly into the national law of a country.
It generally refers to the processing of data by any organization within the European Union or organisations whose processing activities relate to offering goods and services and monitoring behaviour of data subjects residing in Europe.
This Regulation puts individuals back in control of their data and ensures that the use of the data is disclosed, after which the consent of the disclosing party must be obtained. This Regulation creates new rights such as the “right to be forgotten” and the “right to data portability”.
8. The Nigerian Data Protection Regulation 2019: This regulation was issued by the National Information Technology Development Agency ('NITDA'), the national authority responsible for planning, developing and promoting the use of information technology in Nigeria.
The NDPR prescribes guidelines and imposes obligations on organisations (data controllers or processors) that obtain and process the personal data of Nigerian residents and citizens, within and outside Nigeria, to protect such personal data.
This Regulation applies to federal, state and local government agencies and institutions as well as private sector organisations that own, use or deploy information systems within the Federal Republic of Nigeria.
The Regulation stipulates that the intended use of the data subject's personal data must be disclosed and that the data subject must have given consent.
PENALTIES
The legal framework provides for punishments for infringement.

Notably, Paragraph 2.10 of the Nigerian Data Protection Regulation provides that:
Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira whichever is greater;
b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira whichever is greater.
Penalties under the GDPR
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment.
It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.
Companies face major challenges in protecting data. A few of those challenges include:
1. Rapid data growth and security threats: accelerated growth and technological advancement that fall outside the scope of current legislation.
2. Unethical computer users: some users pose a threat to data protection through unscrupulous online activities.

4. Power blackouts and failures: Incessant blackouts and power failure also affect the functionality and efficiency of software and hardware like processors & servers.
5. High Cost: A number of SMEs may not be able to afford the technological expertise and infrastructure to fulfil the obligations reposed on them by the various data protection regulations.
6. Third-party breach and employee breach: The activities of third parties or data processors may expose the data controller to breaches. Employees of the data controller who have legitimate access credentials to the system are responsible for 52% of recorded security breaches.
IBM’s 2014 Cyber Security Intelligence Index highlights that 95% of breaches caused by employees have the potential to expose sensitive company data.
The report lays the blame on some common but highly preventable behaviours, including using simplistic passwords, failing to recognize a phishing attack, and misplacing laptops and external hard drives.
These problems, while complex, can be combated with a proactive strategy for the protection of data. At times protecting customer privacy seems a burden on the company. It has its rewards, however, because when data is handled properly it can create customer goodwill and even lift sales while reducing business and legal risks. Often such a strategy involves more than securing a network from hackers and posting a boilerplate privacy policy. To this end, we suggest the following to companies that are eager to respect their clients' data:
1. Conduct a detailed data privacy audit: This entails understanding one's business needs, what data it is collecting, and how that data is being stored and secured. It is also crucial to consider the legal obligations arising from handling medical, financial or minors' data.
Businesses often collect more data than they realise, because they have used third-party software code that does so automatically or because a partner, such as an advertising network or analytics company, is pulling data. All that unnecessary information can be disposed of properly.
To keep this in check, a business can engage a full-fledged chief privacy officer, or simply task its marketing director with constantly monitoring the data being collected.
2. Minimise data collection and retention: Flowing from the above, we submit that what you don't have can't hurt you. Privacy advocates recommend that companies collect and store only the data they need to deliver their product or service.
Sometimes businesses gather extra information because they think they might need it in the future. But doing so increases risk. Data can be lost or stolen by hackers, and customers can mutiny if they feel you're asking unnecessarily intrusive questions.
3. Secure the data you keep: Even if you don't take debit card numbers, other personal data you keep could be valuable to identity fraudsters. It's embarrassing, not to mention costly and damaging, to tell customers their personal information has been compromised in a hack.
Such disclosure is legally required under the NDPR and GDPR.

4. Post a privacy policy: Commercial website owners are required under the GDPR to post a privacy policy. Most app platforms also require one if your app transmits data.
It isn't enough to cut and paste a "regular degular" boilerplate policy. Regulators consider privacy policies legally binding agreements between a business and its customers. Businesses are advised to describe their current business practices fully and accurately.
5. Communicate with customers: A privacy policy is a legal document that most customers rarely read. But they do expect simple and clear descriptions of company data practices at key moments, such as when they're asked to provide data and when you add new features to a product or service or make policy changes.
Privacy advocates and industry groups recommend direct and upfront communication with customers about the data businesses collect and their intended plans for the data.
This is especially important for SMEs without recognised brands that people know and trust. Most consumers will happily supply personal data necessary for a service they want.
For instance, Jumia keeps purchase data and uses it to deliver product recommendations that millions of customers embrace.

6. Give consumers a choice: Recent research suggests customers expect settings and features that let them choose whether to share data, not eloquent flattery about the business's respect for their privacy. They want to see signs that businesses are "serving" them, not "selling" them; after all, if they are not the customer, they are the product.
7. Provide a forum for complaints: Businesses can give customers an online form or email address for communicating their privacy problems or concerns. Such two-way communication can help build trust and loyalty as well as help avoid potential privacy crises.
Taking all the above steps will go a long way to handling issues of data protection as well as build rapport between a business and its customers.
On that note, we conclude that data protection is the complex legal issue of our time. Businesses that wish to exploit the many benefits of data collection must be prepared to protect all the data they acquire. As Uncle Ben said, "With great power comes great responsibility."
Thank you for tuning in to today's discussion. We will be back in a fortnight to discuss what promises to be another intriguing topic.