By John Ikani
The Nigerian Data Protection Commission (NPDC) on Tuesday at the Nigerian Content Tower (NCT), corporate headquarters of the Nigerian Content Development and Monitoring Board (NCDMB), Yenagoa, tasked organisations in the country to treat personal data as highly sensitive information by instituting appropriate measures to minimise data breaches.
Speaking at a one-day Data Protection and Privacy Induction Training for staff of the Board, facilitators drew attention to the Nigerian Data Protection Act (NDPA), 2023, which aims “to safeguard the rights of individuals regarding their personal data and establish guidelines for organisations handling such data,” while highlighting multiple vulnerabilities in current data management systems.
In the lead presentation, Ms Adaobi Fatima Sanni said data protection is primarily concerned with measures and mechanisms to safeguard data against unauthorised access, and breaches or loss, pointing out that under Section 37 of The Constitution of the Federal Republic of Nigeria,1999 (as Amended), “The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications” is “guaranteed and protected.”
‘Principles of Processing Personal Data,’ as highlighted by the presenter, include Data Minimization, which demands that “Data should be adequate, relevant and limited to what is necessary in relation to the purpose for which they were collected,” “Accuracy” and “Storage Limitation.” Under the latter, she emphasized that “Personal data should be kept only for the period necessary for the purposes…. Once data is no longer needed they should be deleted or rendered anonymous.”
To ensure compliance with the NPD Act, she urged organisations to develop a data privacy policy, process data in line with the principles of the NDPA, designate a senior officer as a data protection officer, register as a data controller/processor of major importance with the Commission, engage a DPCO to file data protection audit, and to direct contractors, vendors to comply with the Act.
In the second major presentation titled “Technical and Organizational Measures for Data Protection,” the facilitator, Mr Victor Danladi Barde, said Section 40 of the NDPA sets out strict requirements for data controllers/processors to take appropriate action within 72 hours of becoming aware of a personal data breach.
On cybersecurity, relating to the protection of networks, computers and other electronic devices against unauthorised access to or interception of data stored on them, he listed necessary proactive and reactive measures. Proactive
security practices include data loss prevention (DLP), penetration testing, nurturing cybersecurity culture, and attack surface management. These security measures, he emphasised, help organisations “not only identify the vulnerabilities beforehand but also get to rectify them to avoid any future issues.
Reactive security measures include vulnerability assessment, disaster recovery plan, endpoint detection and response (EDR), and incident response. According to him, “Responding to security incidents quickly, efficiently and in an organized manner will help organizations minimize damages, mitigate threats, restore operations, services and processes.”
In another presentation, Mrs Adama Isamade dwelt on why organisations have to take the issue of data protection and the rights of data subjects seriously, highlighting practical experiences of organisations in regard to compliance and non-compliance. She recalled the case of a breach that resulted in litigation against a major financial institution that ended in the latter having to pay over N580 million.
Earlier in a welcome address the Acting General Manager, Planning Research and Statistics (PRS) of the NCDMB, Mr Ene Ette, expressed appreciation to the NDPC for the training provided to staff at no cost to the Board. He assured that the knowledge obtained would be put into practice to enhance better data management practices in the organisation.
In a vote of thanks at the conclusion of the training, Mr Akinlade Abisoye, a supervisor in PRS, thanked the facilitators for the initiative, stating that the enlightenment was profound.