The National Information Communication Technology Agency (NITDA) on Monday warned Nigerians using European Union General Data Protection Regulation (GDPR) to beware of possible negative impacts.
Dr Isa Pantami, Director-General of NITDA said this in a statement made available to newsmen in Abuja.
The EU’s GDPR is the result of four years of work by the EU to bring data protection legislation into line with new and previously unforeseen ways of data usage.
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation.
The new legislation introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data and it also makes data protection rules more or less identical throughout the EU.
The GDPR will apply in all EU member states from May 25, because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation – instead, it will apply automatically.
The GDPR applies to controllers and processors of data. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data.
The controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
“NITDA will like to bring to the attention of Nigerian businesses, especially those that collect, store and process personal data of EU citizens for the provision of goods and services, and the general public, the implications of the new EU GDPR.
“The regulation, which was adopted on April 27, 2016 and becomes enforceable from May 25, is replacing the data protection directive of 1995.
“It applies to the data controller or an organisation that collects data from EU residents or processor.
“An organisation that processes data on behalf of data controller such as data centres or the data subject.
“The person whose personal data has been collected is based within or outside any EU member state, if they collect or process personal data of EU citizens and residents.
“The agency has realised that this regulation may have huge impact on Nigerian businesses or individuals that use information technologies to collect, store, process and transact on EU citizens personal data in EU territory or elsewhere.
“It is in the utmost interest of the agency to protect Nigerian businesses from unnecessary exposure to the risks of this regulation and any regulations that might have negative impact on their businesses.
“This can also affect the rights of Nigerians that have dual citizenship of any EU member state,” Pantami said.
“NITDA calls on Nigerian organisations that are controllers and processors of personal data of EU nationals to note that companies must not have offices in an EU member state.
“Those organisations should have more than 250 employees and have fewer than 250 employees, where its data processing impacts the rights and freedoms of data subjects,” he said.
Pantami said the regulation required that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form.
According to him, the consent should clearly specify the purpose for the collection and stipulate distinguishable format from other matters and presented in clear language.
Pantami said a breach of the regulation could attract a fine of up to four per cent of a company’s annual global turnover or an equivalent of 20 million Euros.
“Companies can be fined up to two per cent for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
“The regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed.
“They also have the right to transmit data they had previously provided to another controller.
“Furthermore, they are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data,” he said.
According to Pantami, Nigerian businesses carrying out online transactions and meet the GDPR compliance criteria should put in place appropriate measures to observe the provisions of the regulation.
He said organisations were also required to note the provisions of the NITDA Guidelines on Data Protection, issued in 2013 and currently being revised.
He added that the revised guideline would soon be presented for stakeholder consultation as stipulated in the Rulemaking Process Regulation of NITDA.