The National Information Technology Development Agency (NITDA) has brought the implications of the new EU General Data Protection Regulation (GDPR) to the attention of Nigerian businesses.
This alert is meant especially for those that collect, store and process personal data of European Union (EU) citizens for the provision of goods and services, and for the general public.
The regulation, which was adopted on 27 April 2016 and becomes enforceable from 25 May 2018, is replacing the Data Protection Directive of 1995.
The Agency has realized that this regulation might have a huge impact on Nigerian businesses and/or individuals that use information technologies to collect, store, process and transact on EU citizens' personal data, in EU territory or elsewhere.
It is in line with this that the Agency is protecting Nigerian businesses from unnecessary exposure to the risks of this regulation and/or any regulations that might have a negative impact on their businesses, as well as the rights of Nigerians that have dual citizenship of any EU member state.
NITDA has therefore called on Nigerian organisations that are controllers and processors of personal data of EU nationals to note that companies that meet the following criteria must comply: have offices in an EU member state; have no offices in any EU member state but process personal data of EU nationals and residents; have more than 250 employees; and have fewer than 250 employees but carry out data processing that impacts the rights and freedoms of data subjects or occasionally includes certain types of sensitive personal data.
The regulation requires that data controllers and processors seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in clear and plain language.
A breach of the regulation can attract a fine of up to 4% of a company’s annual global turnover or an equivalent of twenty million euros (€20 million). Furthermore, companies can be fined up to 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
Therefore, NITDA urges Nigerian businesses, especially those carrying out online transactions, to meet the GDPR compliance criteria and put in place appropriate measures to observe the provisions of this regulation, to avoid being sanctioned for a breach.
Organisations are also required to note the provisions of the NITDA Guidelines on Data Protection, issued in 2013 and currently being revised.