DATA SECURITY AND PRIVACY POLICY

By Zacheaus Akanni

Technology advances at a supersonic speed. This advancement has led to the generation, collection, processing, and transfer of gargantuan amount of data at an exponential rate. According to Forbes, by the year 2020, the accumulated digital universe of data would be around 44 zettabytes of data or 44 trillion gigabytes.


This exponential growth of data has raised a number of concerns including, but not limited to, cyberattack, hacking, cyberbullying, doxxing, phishing, identity theft, among other things. In its 2018 Global Risks Report, the World Economic Forum ranks the top 10 risks in the likelihood of their happenstance. Cyberattack ranks third while data fraud or theft ranks fourth. In terms of impact, cyberattack rank sixth.


In recent times, massive data breaches have diminished public confidence in major players in the tech world. The one that easily comes to mind is the harvest of personal information of more than 80 million Facebook users by Cambridge Analytica. The possibility of abuse, misappropriation and breach of personal data has led to the promulgation of laws and regulations geared towards the protection of personal data/information.


On 25 January 2019, the Nigerian National Information Technology Development Agency (NITDA) issued the Nigerian Data Protection Regulation (the 2019 Regulation). The Regulation applies to all residents of Nigeria, all citizens of Nigeria residing outside of Nigeria and all transactions for the processing of personal data of such individuals.For the sake of clarity, personal data refers to any information relating to an identified or identifiable person and it includes names, photo, identification number, address, email address, bank account details, any physiological or genetic feature, posts on any social media networking websites, among other things.


The regulation applies to all categories of personal information across all sectors and provides basic rights and protections to data subjects. It requires that organisations obtain consent before collecting personal information, disclose how the information is to be used, provide how consumers may request the deletion of their information.


DATA SECURITY

By the provisions of the 2019 Regulations, organisations and persons involved in collection, storage and processing shall develop such security measures necessary to minimise the security risks of keeping personal information.Such measures include and are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.


Personal information must be secured against all foreseeable hazards and breaches such as theft,cyber-attack, viral attack,dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.


Where an organisation is subcontracting its data security/processing obligations to another party, it must be governed by a written contract between the third party and the organisation, which shall ensure strict compliance with the Regulation.


DATA PRIVACY POLICY

Any organisation collecting personal information of persons must publish a privacy policy in a “simple and conspicuous” manner that the data subject can understand on the website, or other media through which the information are collected. The policy should contain, among other things:

a. The description of the personal information being collected;

b. the purpose of collection of the information;

c. the technical methods used to collect and store information, cookies, web tokens, etc;

d. access, if any, of third parties to personal information and the purpose of access;

e. available remedies in the event of violation of the privacy policy and the time frame for remedy.


THINGS TO CONSIDER

Here are a few key principles to consider before preparing your organisation’s data privacy policy.


• Identify the applicable law. Each legal system imposes different guidelines to regulate the collection and processing of personal information. The first step, therefore, is to identify the relevant laws which will apply to your website or other media of collection of information.


• Your policy should be sector-specific. There is no privacy policy that is a one-size-fits-all. Therefore, one of the first steps in preparing your website’s data privacy policy should be data mapping. This process will allow you to have comprehensive understanding of the information collected through the website, the uses to which the information is be put, the third parties with whom it could be shared, etc. Naturally, this process requires the involvement of several teams within the organisation such as the marketing team, legal department and the IT team.


• Clarity is key. Avoid legalese and complex jargon or you might have a hard time proving that your readers understand your privacy policy.


• Dispute resolution. A clause setting out the dispute resolution process is needed, should the need arise.


CONCLUSION

Usually, personal information is collected for diverse purposes. Data may be collected in order to access some commercial services (e-banking, e-commerce) or in exercise of a legal right (voters’ card) or pursuant to some statutory regulation (SIM registration). Whatever the purpose for which you collect personal data/user information of people, your organisation’s data security and privacy policy is not something to be taken with frivolity. In recent times, sanctions are being imposed on the biggest players in the tech industry for data breaches and careless handling of personal information. In Nigeria, sanctions for breach of the rights of any data subject are stipulated in the 2019 Regulation. It should be noted that no clause excluding or limiting liability for breach of the regulation shall have any effect. It is therefore important for organisations to develop comprehensive data security and privacy policy and implementation procedure to protect themselves and the personal data of their customers.