The Nigerian Information Technology Development Agency(NITDA) just released its new data protection guidelines to safeguard the rights of Nigerians to data privacy and ensure that Nigerian businesses remain competitive in international trade. It hopes to do this through safeguards afforded by a regulatory framework which is in tune with global best practices. These are things every Nigerian business should know.
- Every Nigerian company that collects data as part of its operations now has the obligation to use such data for the purpose it was collected and to protect the data for any other means either by the collecting company or by any other person. So Company X cannot collect data from customers to sell product Y to them and give a director access to the data to campaign for political office.
- No Company should collect data without the consent of the data subject. This means that company A cannot sell its email database to company B without the active consent of every single person whose data is being transferred.
- Directors, shareholders and CEOs of companies will be held accountable to NITDA for the handling of data within their control by third parties. This means that a company’s officers must ensure that proper due diligence is carried out on the manner in which third parties will use data before giving access to any such third party.
- Every company collecting and processing data must develop adequate security measures to protect such data.
- Companies that default will be liable to a fine of the greater between 2% of annual gross revenue of the previous year and 10 million Naira if they deal with more than 10,000 data subjects. If they deal with less than 10 million data subjects, they are liable to pay the greater between 1% of the Annual Gross revenue of the previous year and 2 million Naira
- Transfer of data to a foreign country for any purpose shall be done subject to the supervision of the Attorney General of the Federation
- Data subjects have the right to know how their data is being used and processed. They also have the right to request a transfer, or erasure of their data.
- Companies have three months to comply with the provisions of the regulation, publicize their data protection policies and appoint data protection officers.
For more information on how to get your organization complaint with the new NITDA guidelines, contact us at firstname.lastname@example.org