The Huge Prospects of Nigeria’s Data Protection Regulation 2019, By Isa Ali Ibrahim Pantami
One of my greatest sources of joy on the Regulation is its job creation potential. Over 1.5 million businesses and non-governmental organisations would need to file Data Audit Reports on or before March 15 every year. Each of these reports must bear a Verification Statement, sign and seal of a Licensed DPCO. If each DPCO provides service for an average of 50 Data Controllers, we would need over 300,000 professionals to meet this need.
When I left the comfort and security of an academic environment to become a public servant in a sector that the president is so passionate about, I was never under the illusion that it would be a smooth sail. Indeed, Nigeria’s success in information technology development and regulation holds the key to her sustainable development; it can be no other way. This is because the nation is blessed with a young and vibrant population of digital natives. So, on my appointment, I went into a deep and intensive study of National Information Technology Development Agency (NITDA)’s mandate, stakeholders and vision. My study made me realise that to assume we could execute all the mandate is absolutely impossible in one lifetime. This made the crafting of an actionable plan a priority on my assumption of office. This plan, we believe, is germane for our national development. We agreed to focus on: IT Regulation; Local Content Development; Digital Jobs Creation; Digital Inclusion; Cybersecurity; Government Digital Services Promotion and Development, and Capacity building.
Initial steps on IT regulation was met with resistance by internal and external stakeholders. People assumed regulation always meant obstruction and restriction on innovation. It took a while for people to realise our regulatory paradigm was developmental regulation. I would share a story to illustrate this concept. Our ‘Local Content in ICT Guidelines’ was issued in 2013 with the aim of growing local content in ICT products and services provision. A multinational which had sold software in the country for over 20 years and made millions of dollars in licensing fees, suddenly had an issue with its local support partner and therefore appointed a foreign support partner for its Nigerian clients. NITDA moved in, investigated and ensured other Nigerian companies were evaluated and one was eventually picked to continue the service. This move made the Nigerian clients happy and retained over 200 jobs for Nigeria. This was regulatory enforcement leading to more jobs and keeping more Nigerians happy.
I am happy to report that our modest efforts at NITDA have started yielding bounteous dividends for the nation. Through the active support of Nigerians, NITDA has catalysed the purchase of indigenous brands of ICT devices, and there has been a sales increase by over 400 per cent, while local hosting of data has doubled in value and local software consumption has significantly improved. The cumulative effect of these is that ICT’s contribution to the GDP in nominal terms reached an unprecedented mark of 13.63 per cent in the fourth quarter (Q4) of 2018. This for us is a tip of the iceberg, considering the initiatives which are still in the works. One such initiative I am so proud of is the Nigeria Data Protection Regulation 2019.
The coming into force of the European Union General Data Protection Regulation (EU GDPR) in May 2018 threw the global community into a frenzy of sorts. The GDPR mandates controllers of European citizens’ data to comply with certain detailed rules and principles or risk incurring a fine of up to 4 per cent of the defaulter’s global turn-over. This situation made many small and medium scale service providers to lose their share of the European market. More importantly, the rate of wanton abuse of the privacy of Nigerian citizens’ data needed an urgent national response. I therefore constituted a team of young professionals in the Agency, and challenged them to proffer a solution to this problem. This team worked hard and eventually came up with a unique regulation that has become the cynosure of discerning minds.
Here is a quick glance at the core principles of the NDPR.
(a) Lawfulness and Legitimacy: Article 2.1(1a) provides that Personal Data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject.
(b) Specific Purpose: In addition to Article 2.1(1a) cited above, Article 3.1(7c) mandates the Data Controller to expressly inform the Data Subject of the purpose(s) of the processing for which the Personal Data are intended, as well as the legal basis for the processing. This has hitherto been observed in the breach. This, we believe would change as government is poised to stem the tide of the brazen breach of people’s right to privacy.
(c) Data Minimisation: Data Controllers are expected to collect the minimum required data and avoid unnecessary surplusage. Data that is not useful for the Controller ought not to be collected. No data shall be obtained except the specific purpose of collection is made known to the Data Subject. This principle relates also to the principle on purpose of collection. By insisting that the purpose for collecting or further processing of a data set must be communicated to the Data Subject, the regulation has closed the door to a multitude of potential abuses.
(d) Accuracy: The NDPR provides that collected and processed Personal Data shall be adequate, accurate and without prejudice to the dignity of human person (Art. 2.1(b)). The NDPR prohibits the abuse or inaccurate representation of personally identifiable data, even if such data where given with due consent. Data Controllers and Processors are required to ensure regular update of personal data in their custody to achieve this.
(e) Storage and Security: Data Controllers are required to store data only for the period they are reasonably required to so do. The Regulation does not explicitly provide for a time period because that detail, we believe should be left to contract agreements. However, where such is not specified, the dispute redress mechanisms can specify what would constitute sufficient storage period. The Regulation also places the onus of security on the Data Controller and Processor. Art. 2.1(d) provides that personal data shall be secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.
(f) Confidentiality, Integrity and Availability: Article 3 generally enumerates the rights of the data subject. One of the underpinning principles of the NDPR is that data control must comply with basic minimum standards of information security management. The Regulation specifies the role of the Controller and the Data Subject in such case.
(g) Compliance and Enforcement: One of the novelties of the NDPR is its compliance structure. The Regulation creates a nouveau class of professionals – Data Protection Compliance Organisations (DPCO). A DPCO is any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with this Regulation or any foreign Data Protection Law or Regulation having effect in Nigeria (See Article 1.3 (xiii)). These professional firms would provide requisite training, services and other support to Data Controllers to aid their compliance with the NDPR. I hope to come back to the immense potentials of this arrangement shortly.
On enforcement, the NDPR classified Controllers into large and small categories. Those who process data of more than 10,000 Data Subjects are liable to forfeit 2 per cent of their Annual Gross Revenue (AGR), while those handling less than 10,000, would lose up to 1 per cent of their AGR. The NDPR would both bark and it would bite errant Data Controllers.
One of my greatest sources of joy on the Regulation is its job creation potential. Over 1.5 million businesses and non-governmental organisations would need to file Data Audit Reports on or before March 15 every year. Each of these reports must bear a Verification Statement, sign and seal of a Licensed DPCO. If each DPCO provides service for an average of 50 Data Controllers, we would need over 300,000 professionals to meet this need. Imagine the jobs our young people can generate and sustain through this service alone. Because this is not public procurement, we have made the entry barrier high enough to admit only serious-minded people and low enough to allow start-ups to engage without undue intimidation.
This, for us, is the beginning of a new era and we crave the support of all Nigerians to support and sustain this effort. We also look forward to receiving constructive comments, opinions and technical observation to ensure that this Regulation is optimally implemented for the betterment of our dear nation and people.
Isa Ali Ibrahim Pantami is director general/CEO of the National Information Technology Development Agency (NITDA).