Lagos Chamber of Commerce and Industry (LCCI) and Johan Consults Limited are holding the first awareness and sensitivity workshop on the new European Union (EU) General Data Protection Regulation (GDPR) and how Nigerian companies can meet the compliance requirements. The workshop holds next month, Thursday, 5th April (9am-4pm) in Ikeja, Lagos and is drawing participants from the public and private sectors.
This is holding even as the CEO of Johan Consults Limited, Mr. Akin Oyegoke, a renowned IT professional and certified GDPR expert, is raising concerns over the absence of a comprehensive legal framework in Nigeria that ensures that citizens’ personal data as part of their fundamental human rights are fully protected in today’s evolving digital economy. Oyegoke also warns of the dangers of non-compliance by Nigerian companies with the new EU’s GDPR expected to go into effect in May, this year.
Data protection law defines or controls how a citizen’s personal information is used by organisations, businesses or the government.Within the confines of the law, a citizen holds the full right to decide on what his/ her personal information is used for and whether his/her personal data may be disclosed by institutions who have access to the information like agencies, banks, telecom companies and the rest.
“The EU’s new data law will impact significantly on Nigerian businesses and public sector MDAs. It is important stakeholders get sensitized on this and initiate the right steps for compliance to avoid penalties, said Oyegoke to IT Edge News.
Oyegoke said it was exigent for a comprehensive data protection law to be passed by the government as a lot of citizens are increasingly exposed to the risk of data disasters.
“The Nigerian government needs to formulate a law in this area. Nigeria does not have a data protection regulation as far as I know and the problem is, personally identifiable information (PII) of citizens’ in the country are so exposed. For example, anybody with a bit of ingenuity can commit ID fraud here,” said Oyegoke.
PII or personal data include citizen’s name, address, email, telephone, date of birth, emergency contact, sexual orientation, ethnicity,bank account, credit card details, NI, Tax reference.
Others are health information; Images/ voice recordings; ‘Know your customer’ or due diligence (specify- passport, tax reference, source of wealth etc); Passport/driving licence/national ID card details; IP address; Criminal convictions/ offenses; Biometrics – Fingerprint/ retinal scan/ DNA etc; Education & training; Employment details (specify – CV, references, annual appraisals, employment status, work permit, leave, sickness etc), for example – IP address, cookies, social security number etc.
Akin’s position has been severally reiterated by industry stakeholders who have warned that the absence of a defined data protection law poses a major impact on the privacy and security of Nigerians even as government agencies like the Nigerian Communications Commission (NCC), Independent National Electoral Commission (INEC), Nigerian Immigration Service (NIS), Central Bank of Nigeria (CBN), National Identity Management Commission (NIMC), Federal Road Safety Corps (FRSC), and other bodies continue to capture citizen’s biometric and other data.
The Executive Director of Paradigm Initiative, Gbenga Sesan in a recent statement said although Nigeria lacks a robust data management infrastructure, several government agencies and sector regulators still collect citizens’ private data with little respect for their rights.
“Nigeria’s constitutional promise of data protection is far from being fulfilled. This is especially true for transactions involving the transfer of personal data from individuals to governments and businesses. Despite the increasingly important role that data plays as the currency of the country’s emerging digital economy, Nigeria does not have a Data Privacy or Data Protection law,” Sesan said.
He added that “not only is the same data collected by different agencies, citizens have little control over what is collected, how it is used and have no clear course of action should their data be abused.”
Oyegoke called on the government to formulate and implement a data protection law as well as educate the citizen’s on their rights as regards their personal data to avoid risks associated with data misuse or unlawful transfer of same.
“I think the government must start to educate the masses as well. The National Information Development Agency (NITDA) must be empowered to carry this out. I think each organization must be made to appoint a C-level data protection officer to ensure compliance,” he said
In Nigeria, the NITDA is the regulatory authority responsible for making rules and guidelines pertaining to data protection and it also has the power under Section 43 of the Nigerian Constitutions to make regulations setting standards of conduct for service providers and vendors on such matters.