Mandatory Data Privacy Compliance for Nigerian Companies - A Data Audit Offer

Monday, March 2, 2020 / 04:37PM / By Olubunmi Abayomi-Olukunle / Header ImageCredit: CPO Magazine

As you may alreadybe aware, Nigeria has now aligned herself with the global regulatory trendaround regulating the collection and processing of the Personal Data ofNigerian citizens.

On this basis, theNational Information Technology Development Agency (NITDA) has recentlypublished the Nigerian Data Privacy Regulations (Data Privacy Regulations). Wenow have some confirmation that the NITDA seeks to commence the issuance ofregulatory actions after March 31, 2020 up to 100 erring companies.

In summary, theapproach taken by NITDA in the Data Privacy Regulations is to placeadditional compliance obligations on all Nigerian companies/employers in regardto how they collect, use and process the Personal Data of employees andcustomers/users or prospects. Kindly note that by law, failure to comply withthese obligations may culminate in a fine of up to 2% of your company's AnnualGross Revenue.

Here are a fewquick points to note in the compliance walk.

1. Immediately Conductan Initial Data Audit:

The Data PrivacyRegulations require all employers/organisation to mandatorily conduct anInitial Data Privacy Audit. It is important to note that allemployers/organisations, regardless of the number of employees, are caught bythis requirement. Typically, A Data Audit will confirm whether there areany gaps within a company's Data Privacy Policy Compliance Framework. ThisFramework can differ depending on the kind of business which a company engagesin and the sector in which that company operates and would impact all PersonalData captured via CCTVs and standard HR applications. Where the results of theInitial Data Audit reveals that a company has processed the Personal Data ofmore than 1000 Data Subjects - i.e. Nigeria - in the last 6 months, that companywould be required to file a summary of the Initial Data Audit with theNITDA.

2. Annual Data Audits/Submission:

This requirement only applies to organisations/employers who haveprocessed the Personal Data of over 2000 Data Subjects in the last 12 months.The deadline for filing a summary of this Data Audit is March 15, ofevery year. Please note that these audits are to be conducted independently byexternal compliance professionals, technology-focused lawyers or other licenseddata privacy professionals. The Annual Data Audit submission to NITDA for thisyear is due in less than 3-weeks from now.

3. Provide Data Privacy Awareness & Training for allEmployees:

We generally advise that employers/organisations consider this pointbecause an employees are at the centre of all Data Privacy ComplianceFrameworks. A failure in an employee's judgement of data privacy issues canpresent a level of regulatory risk for an employer. At the very minimum, itwould be prudent for key designations like Chief Technical Officer, ChiefProduct Officer, Data Scientists, Database Manager & Engineers and theBoard of Directors/Management/Founders to have a clear and workingunderstanding of the requirements of the Data Privacy Regulations. We generallypay additional attention to deconstructing the Legal Standards pertainingto the definition of "Personal Data", "Data Controller","Data Processor", "Data", "Data Subject","Filing System", "Consent", "Sensitive PersonalData" etc and how Nigerian courts will interpret these LegalStandards in a dispute or regulatory action scenario.

4. HowAbout Institutional Private Equity, Venture Capital or StrategicInvestors/Accelerators?

Although there isno direct obligation under the Data Privacy Regulations in relation toportfolio companies, equity investments may suffer significantly where a fineis levied on a portfolio company by NITDA for failure to comply with the DataPrivacy Regulations. On this basis. it would be prudent for investors to nowseek confirmation from all their portfolio companies that such portfoliocompanies have complied with the mandatory requirements of the Data PrivacyRegulations. Also, non-resident investors who collect Personal Data on theirwebsites from founding teams in Nigeria, will need to comply with the relevantprovisions of the Data Privacy Regulations. Lastly, investors with a localentity for sourcing deals or fund manager entities registered locally, as thecase maybe, would also be caught by the provisions of the Data PrivacyRegulations.

5. ObtainData Processing Consent from all existing and prospective employees to processEmployee Data:

This canbe achieved by ensuring that all existing and prospective employees sign aData Consent Declaration.

6. TheHeadcount:

Please note thatfor purposes of determining the qualifying threshold of 1000 or 2000 DataSubjects as per thresholds stipulated by the Data Privacy Regulations, allemployees and customers/users are captured including part-time employees,contract staff, full time staff, and one-off or non-paying customers.

In the BusinessUpdate available via this link ,we share some additional insights from some of the Data Privacy Audits that wehave conducted recently.

Please feel free tolet us know if you require our support with regard to conducting a Data PrivacyAudit for your Company and making the necessary filings at the NITDA. Please note that the conduct of a Data Audit is a paidservice.

We generally provide free Employee Training andAwareness Program for all our retained clients or as a compliment for aData Audit engagement. Please feel free to reach out, to confirm and agree a suitable timing forthis Program, which we may conduct virtually or in-person, depending on thepeculiar circumstances of your company.

About Author

Olubunmi Abayomi-Olukunle is a partner and Lead Counsel at the PrivateEquity, Venture Capital & Emerging Companies sector-focused, specialistinvestment & finance law firm of Balogun Harold - www.balogunharold.com orvia e-mail: [email protected]