The National Information Technology Development Agency (NITDA) has urged businesses in the country to be prepared for the new realities of data protection practices that would be ushered in by the Data Protection Bill 2020 once passed into law.
The Director-General of NITDA, Mr. Kashifu Inuwa, gave this hint during a virtual workshop organised for Data Protection Officers (DPOs) of various organisations in the country. According to him, while the Nigeria Data Protection Regulation (NDPR) is currently being enforced, the Data Protection Bill 2020, which is passing through consultation, would impose more obligations on companies handling data when it becomes law. While noting that the workshop was organised as part of NITDA’s strategic engagement to deepen the implementation of the NDPR and the Nigeria Data Protection Bill, he said: “Our goal is to make you have a grasp of what the Bill entails and how you can start preparing your organisation for the coming realities.” The bill, which is also seeking to establish a data protection commission, is to give legal backing to the NDPR being enforced by NITDA.
The DG recalled that the current Minister of Communications and Digital Economy, Dr. Isa Pantami, as the then Director- General of NITDA, issued the NDPR on January 25, 2019, pursuant to Section 6(a, c) of the NITDA Act, 2007. “This visionary move has become a game-changer for the digital economic aspirations of Nigeria. Data Protection falls under Developmental Regulation – the first pillar of the National Digital Economy Policy and Strategy (NDEPS: 2019).
“This shows the critical place it holds in our desire for a brand new economic paradigm that works for the innovative and hardworking mass of Nigerians,” he said. Presenting a keynote address at the workshop on the roles of Data Protection Officers (DPOs) under the data protection law regime, the Executive Director, Data Protection and Privacy, Mr. Franklin Akinsuyi, said the DPOs in every organisation must understand how to build, implement, and manage data protection programmes.
“The more complex or highrisk the data processing activities are, the greater the expertise the DPO will need. They must have in-depth knowledge of the NDPR and they must also have a reasonable understanding of the organisation’s technical and organisational structure and be familiar with information technologies and data security,” he said. Meanwhile, the Data Protection Bill 2020 spells out heavy sanctions against any organisation or individual that misuse the data of others.
The bill states: “A person who knowingly or recklessly — (a) obtains, or discloses personal data to a third party, without the consent of the data controller, (b) after obtaining personal data, retains it without the consent of the data controller commits an offence and is liable on conviction to a fine of not less than N5,000,000.00 (Five Million Naira) or imprisonment for a term not less than one year or both.”
It, however, added that “it is a defense for a person charged with an offence under subsection (1) of this section to prove that the act — (a) was carried out for a legitimate purpose and the purpose of this section (b) was required or authorised by an enactment, law or by an order of a Court or Tribunal; or (c) was justified as being in the public interest or national security.” Sub-section 3 of the bill states that “a person who sells personal data, obtained under circumstances described under subsection (1) of this Section, commits an offence and is liable on conviction to a fine of not less than N1,000,000.00 per record or to imprisonment for a term not less than five years concurrently or both.” Sub-section 4 provides that “a person who advertises personal data in a manner that indicates that it was obtained in circumstances described under subsection (1) of this section, commits an offence and is liable on conviction to a fine of not less than N500, 000.00 (Five Hundred Thousand Naira) per record or to imprisonment for a term of not less than five years concurrently or both.”