Akin Oyegoke, a highly renowned and experienced IT professional with over two decades of direct industry experience, is the CEO of Johan Consults Limited. Oyegoke, a certified Business and Software Analyst, is also a Certified GDPR and Information Security consultant. With extensive experience in delivering high-value, mission-critical IT services to major public and private corporations, Oyegoke shares with Oluwatobi Opusunju of IT Edge News his views on the implications of the GDPR for Nigerian businesses and public sector MDAs, and on how NITDA can leverage the implementation of the GDPR to provide guidelines and regulations on data protection that improve business processes and make Nigerian companies much more competitive on the global stage.
What is General Data Protection Regulation (GDPR) and how does it relate to companies in and out of the EU territory? Why do companies outside of the EU territory need to pay attention to the GDPR?
The General Data Protection Regulation is an EU-led initiative that mandates protection of personally identifiable information of an EU data subject. Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII. The following list shows examples of personal data that must be protected:
- Personal details (specify: name, address, email, telephone, date of birth, emergency contact, sexual orientation, ethnicity, etc.)
- Financial details (specify: bank account, credit card details, NI, tax reference, etc.)
- Health information
- Images/voice recordings
- ‘Know your customer’ or due diligence (specify: passport, tax reference, source of wealth, etc.)
- Passport/driving licence/national ID card details
- IP address
- Criminal convictions/offences
- Biometrics (fingerprint/retinal scan/DNA, etc.)
- Education and training
- Employment details (specify: CV, references, annual appraisals, employment status, work permit, leave, sickness, etc.)
- For example: IP address, cookies, social security number,
How does it relate to companies in and out of the EU?
Because of its global reach, it affects every organization that collects, processes and monitors EU data subjects, so online businesses in Nigeria targeting EU citizens will need to implement controls, systems, and procedures to ensure compliance. If an organization in Nigeria chooses to ignore GDPR, apart from the fines by the EU and claims by the EU data subject, their business will still be hurt because no foreign company will want to do business with them. Compliance is generally a good practice.
Let me cite an extract from the articles below:
“Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes personal data of data subjects who are in the EU where the processing activities are related “to the offering of goods or services” (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Art 3(2)(b)) as far as their behaviour takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of monitoring.”
Can you give us the general overview of the regulations and penalty (ies) for non-compliance?
A warning in writing in cases of first and non-intentional non-compliance. Regular periodic data protection audits. A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. A fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. Essentially, a company can get fined up to 20 million Euros if found to be in breach of data subjects’ rights and up to 10 million Euro if it has no governance and accountability in place. Also, note that for group companies, this is the worldwide turnover that is likely to be impacted. To me, most companies in Nigeria will be wiped off if they were to be affected, hence why people need to pay attention.
What can the Nigerian government or regulatory authorities do in Nigeria to ensure compliance, and are there steps taken by other non-EU countries in line with compliance?
The Nigerian government needs to formulate a law in this area. Nigeria does not have a data protection regulation as far as I know, and the problem is, PII of citizens here is so exposed. For example, anybody with a bit of ingenuity can commit ID fraud here. Until BVN came, it was a no-brainer. I think the government must start to educate the masses as well. NITDA must be empowered to carry this out. I think each organization must be made to appoint a C-level data protection officer to ensure compliance. Also, guidelines and policies relating to Data Protection and Privacy emanating from Government, Legal, Technical and Financial bodies must be made to be adequate and workable such that they can be adopted with confidence by the target audience.
The GDPR affects any company that controls, stores and processes personal data of EU-member citizens, even while the company is not primarily based in the EU. How can we create awareness to make Nigerian companies that affect EU territory or citizens know about these regulations? What can they do as per compliance, and when can they begin to take steps for adherence?
Everybody must know that data is a trillion-dollar business in Nigeria. Actually – if we get this right, it will start the beginning of digital immersion as a country. We must run jingles and campaigns in this area. We must run workshops and get the business people to see the value here and why this needs to be done. A laissez-faire attitude will not work here. If we want to be taken seriously or rank among the advanced countries as a place where our citizens’ data cannot be exploited, the government must help us. Without government support, it will be difficult to make this a mainstream issue. Johan Consulting is seeking partnership with business bodies, community leaders etc. to ensure we can create a safe data haven for the nation.
Is non-compliance also capable of affecting the rights of Nigerians who have dual citizenship of any EU member state?
No – I don’t think so. Data protection law is about protecting the rights and freedom of data subjects. Dual citizenship is about naturalisation so they are not related.
Are there any major changes companies need to be prepared for once the GDPR takes effect on the 25th of May? And will there be a major difference in how data are being stored?
Companies need to carry out a DPIA to understand areas of risk, then they need to first send their staff for training. Our approach in Johan Consulting is to advise the following:
- Attend a GDPR awareness training for executives and staff of the organization: This training explains in detail the GDPR requirements and why it is important to comply.
- Create a sense of urgency for compliance among C-Level execs and public officers by involving key stakeholders: IT alone is ill-prepared to meet GDPR requirements. Start a task force that includes marketing, finance, sales, operations—any group within the organization that collects, analyses, or otherwise makes use of customers’ PII. With representation on a GDPR task force, they can better share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with any impact on their teams.
- Hire or appoint a Chief Data Officer: The GDPR does not say whether the DPO needs to be a discrete position, so presumably, a company may name someone who already has a similar role to the position as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO might not need to be full-time. In that case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be a consultant who works as needed.
- Create a Data Protection Plan: This plan will ensure a holistic view on data and specifically ensures alignment with GDPR.
- Conduct a Risk Assessment: You want to know what data you store and process on EU citizens and understand the risks around it. Remember, the risk assessment must also outline measures taken to mitigate that risk. A key element of this assessment will be to uncover all shadow IT that might be collecting and storing PII.
- Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For most companies, that means revising existing risk mitigation measures.
- Test incident response plans: The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you are able to adequately report and respond within the time period.
- Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement.
How does this affect public sector ministries, departments and agencies (MDAs) of government?
GDPR places a lot of demands on public bodies to comply. Where do we get confidence that our data is being used properly first, if not from the agencies? There is a wide ecosystem of change that needs to happen here. I don’t see a quick win here, but we must start now to instill confidence in our citizens and also those who want to do business with us.
The regulation gives data subjects the right to transmit data they had previously provided to another controller. How does this impact individual privacy rights or issues of security?
GDPR gives the rights and freedom to the data subject on how their data is handled, so since it is their data they have the right to transfer it to wherever they want. Article 20 of GDPR allows Data Subjects to receive their personal data, which they have provided to a Data Controller, in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers but particularly data-driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to.
In a setting where one carries out an online transaction with an EU member citizen on social media, does this regulation apply too? When do breaches occur, and how are sanctions applied?
GDPR applies through any portal/channel of trade, from paper form to online kiosk. A breach will be found through one of the following:
1) An attack on your system (cyber attack)
2) Random assessment by a regulatory body
3) Claims made by a data subject when their data (photo, email, etc.) are used without consent
What are the parameters for considering the regulation in any non-EU entity and what can regulators like NITDA do to ensure compliance with the EU being the largest political and economic bloc in the world?
Non-EU established organizations will be subject to the GDPR where they process personal data about EU data subjects in connection with: the “offering of goods or services” (payment is not required); or “monitoring” their behavior within the EU. For the offering of goods and services (but not monitoring), mere accessibility of a site from within the EU is not sufficient. It must be apparent that the organization “envisages” that activities will be directed to EU data subjects. Contact addresses accessible from the EU and the use of a language used in the controller’s own country are also not sufficient. However, the use of an EU language/currency, the ability to place orders in that other language and references to EU users or customers will be relevant.
NITDA needs to effectively issue guidelines and regulations.
The EU GDPR will impact the way businesses and organizations handle data privacy in many significant ways; however, like any other standardized regulation, there are processes that need to be carefully deployed to ensure compliance. NITDA would advisedly provide knowledge, expertise and guidelines such as:
- Implications of the accountability principle for all businesses
- Assessment of current data privacy practices
- Creation of a data privacy governance structure
- Personal data inventory
- Creating information notices and handling consent
- Data Protection Impact Assessments
- Reporting data breaches
These are processes that NITDA ideally will issue guidelines for and proffer audits to verify compliance. Implementation of GDPR is a positive opportunity to upgrade systems and improve business processes and make Nigerian companies much more competitive on the global stage.