The National Information Technology Development Agency (NITDA) yesterday hinted that Nigerian businesses that collect, store and process personal data of European Union (EU) citizens for the provision of goods and services risk a €20 million fine if they fail to comply with the new General Data Protection Regulation (GDPR). NITDA noted that this regulation might have a huge impact on Nigerian businesses and/or individuals that use information technologies to collect, store, process and transact with EU citizens' personal data in EU territory or elsewhere.
According to the Director General/Chief Executive Officer of NITDA, Dr. Isa Ali Ibrahim Pantami, it is in the utmost interest of the Agency to protect Nigerian businesses from unnecessary exposure to the risks of this regulation and/or any regulations that might have a negative impact on their businesses, as well as the rights of Nigerians that have dual citizenship of any EU member state.
Pantami said the regulation, which was adopted on April 27, 2016, will become enforceable from May 25, 2018, replacing the data protection directive of 1995.
“It applies whether the data controller (an organisation that collects data from EU residents), the processor (an organization that processes data on behalf of a data controller, such as data centres) or the data subject (the person whose personal data has been collected) is based within or outside any EU member state, if they collect or process personal data of EU citizens and residents,” he stated.
NITDA therefore called on Nigerian organisations that are controllers and processors of personal data of EU nationals to note that companies that meet the following criteria must comply. They include those with offices in an EU member state; those with no offices in any EU member state but that process personal data of EU nationals and residents; those with more than 250 employees; and those with fewer than 250 employees whose data processing impacts the rights and freedoms of data subjects or occasionally includes certain types of sensitive personal data.
According to NITDA, the regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language.
“A breach of the regulation can attract a fine of up to four per cent of a company’s yearly global turnover or an equivalent of €20 million. Furthermore, companies can be fined up to two per cent for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment,” NITDA stated.
Speaking earlier on the issue, EY Nigeria Forensic/Fraud Investigation and Dispute Services Leader, Linus Okeke, said businesses in Nigeria needed to take more than a passing interest in GDPR because of the significant impact of the legislation on businesses outside of the EU.
Continuing, Pantami explained that the regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
“They also have the right to transmit data they had previously provided to another controller. Furthermore, they are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
“Therefore, NITDA is calling on Nigerian businesses, especially those carrying out online transactions and that meet the GDPR compliance criteria, to put in place appropriate measures to observe the provisions of this regulation to avoid being sanctioned for a liable breach. Organisations are also required to note the provisions of the NITDA Guidelines on Data Protection, issued in 2013 and currently being revised. In an effort to make the Agency’s rule-making process transparent and industry-focused, the revised guideline will soon be presented for stakeholder consultation as stipulated in the Rulemaking Process Regulation of NITDA,” he stressed.
EY Global Fraud Investigation and Dispute Services Leader, Andrew Gordon, said: “The pace of regulatory change continues to accelerate, and the introduction of data protection and data privacy laws, such as GDPR, is a major compliance challenge for global organizations. But businesses that adopt FDA technologies can achieve significant advantages, benefitting from more effective risk management and increased business transparency across all of their operations.”