Data theft and breaches are problems that individuals, organisations and governments around the world contend with daily.
Tackling them isn't cheap, especially for large companies. In 2018, Nigerian businesses spent about $270 million (₦105 billion) upgrading equipment and personnel to protect their information.
A year later, the National Information Technology Development Agency (NITDA) also came up with a law to guide businesses and organisations on their obligations when storing information on Nigerians.
The law is called the Nigeria Data Protection Regulation (NDPR). It spells out the rights people have over their data, such as demanding that it be erased permanently, commonly referred to as the “right to be forgotten”.
Before its issuance, the situation with cyberattacks in Nigeria wasn't anything to write home about. As of 2016, the country ranked 16th among the countries most vulnerable to cyberattacks in the world.
There had also been reports that 60% of Nigerian firms recorded one form of information breach or another in 2018.
A year after the new laws, the question is whether they have been able to improve the protection of information.
Implementation and compliance
So far, the NITDA has been overseeing the implementation of the regulations by receiving data audit reports from organisations and licensing companies to provide data protection services.
It has also held training events and issued warnings to organisations, such as when the Lagos Internal Revenue Service’s (LIRS) website was found to have exposed user data.
However, as of December last year, NITDA announced that only 94 companies had complied with the NDPR. The agency also granted 200 firms an extension to submit their reports.
Ninety-four companies complying a year after the regulations were issued is a far cry from the 3.1 million registered organisations announced by the Corporate Affairs Commission in March 2019.
One could argue that not all registered organisations are obligated by the NDPR to submit reports. Such an argument would be valid; however, 94 is still meagre, because the NDPR requires all businesses that process the data of more than 2,000 people within 12 months to submit reports.
There are at least 23,640 public and private hospitals in the country. We also have about 160 universities and 250 fintech organisations, most of which will be dealing with more than 2,000 people a year.
Interestingly, there are no major announcements of penalties for organisations that fail to comply.
Probing low compliance
There are three possibilities to explain why we don't hear of penalties.
It can't be because organisations obey the law; they don't. Large telecommunication companies have been found to rank very low in upholding privacy and other digital rights, and there have been other incidents, like the LIRS data breach mentioned earlier.
Another possible explanation is that enforcement actions are being taken but are not publicised. This is possible, but it would be a sign of a lack of transparency, which would go against the principles stated in the data protection regulations and is thus unlikely.
The third explanation, which is more likely, highlights the fact that unless more drastic enforcement action is taken, the NDPR will not serve its purpose as a deterrent to ensure that organisations respect Nigerians’ privacy rights.
No enforcement, no action.
NITDA fashioned the NDPR after the General Data Protection Regulation (GDPR), enacted by the European Union in 2016. The GDPR is the most comprehensive legislation on data protection worldwide.
In contrast to the NDPR, enforcement records for the GDPR show that it had one penalty imposed in 2018 (its first year of implementation), 31 in 2019 and 6 so far in 2020.
Room for improvement
Although the willingness of the organisations to comply and the will of the NITDA to enforce the regulations are major factors in how effective the NDPR has been, the contents of the NDPR itself are perhaps more important.
In some ways, the NDPR is an improvement on the GDPR. The NDPR provides for the licensing of data protection compliance organisations.
This licensing is meant to standardise the quality of data protection consulting services. The NDPR also requires that organisations designate a data protection officer to monitor and ensure adherence to privacy best practices.
In many other ways, however, crucial aspects of the GDPR were left out, thus weakening the effectiveness of the regulations.
The obligation to report breaches is perhaps most important among these.
A framework to implement the law was released on 11 June 2019. It mandates organisations to report breaches to the NITDA but doesn’t require businesses to notify owners of the data.
This is unlike the GDPR and privacy Acts of the United Kingdom, Kenya, and other jurisdictions. In addition, the GDPR specifies categories of sensitive personal data which must not be processed except in specified circumstances such as for research, journalism or public interest.
Because the NDPR does not restrict the collection and use of such information (except to stipulate that it should be processed with “higher security”), organisations can still legally make decisions based on sensitive personal data, such as when hiring.
Way forward for data protection
Whether you believe that data is the new oil or not, what is certain is that companies, government and other stakeholders are currently placing an unprecedented reliance on data to make the right decisions.
As of 2018, a significant majority of executives indicated that their organisations were either using a large amount of data and advanced processing methods or planned to commence soon.
This use of information allows automated decision making, which is crucial for many businesses today. Examples are applicant tracking systems in HR and advertising programmes for sales.
There’s a clear economic imperative to allow data collection and processing to be as seamless as possible since many decisions can then be outsourced to Artificial Intelligence (AI) for efficiency.
Despite that, the right to privacy (as contained in the constitution and other laws) and strict data protection must be prioritised as well, for the simple reason that abuse of confidential information is likely to lead to a wide range of societal problems.
Those problems could range from election manipulation, as in the Facebook and Cambridge Analytica scandal, to denial of healthcare based on race, racial profiling in the criminal justice system and even COVID-19 fraud.
To avoid those issues in Nigeria, the NITDA must review the NDPR to make it more secure and truly empower Nigerians with the rights they need to enforce their privacy and data protection rights.
Also, being more proactive in using its powers to sanction could provide a solid deterrent and increase the rate of compliance.