QUESTIONS FROM THE NIGERIA DATA PROTECTION REGULATION: IMPLICATIONS ON THE NIGERIAN CAPITAL MARKET WEBINAR HELD ON TUESDAY, JULY 7, 2020 VIA ZOOM

1. Q: Are DPCOs regulated by SEC or NITDA?
   A: They are regulated by NITDA.

2. Q: How are CMOs expected to restrict access to clients' data by their staff?
   A: Minimise the client data visible to all staff and grant access only to trusted staff who really have a right to know.

3. Q: Would a CMO require an approval from the SEC or NITDA to undergo a data migration project?
   A: NITDA requires that such a project be reported in the audit report, or communicated if the data is going to a country outside the white list of countries.

4. Q: The DPCOs approved by NITDA are pushing for a reduction in the KYC data collected by CMOs. This contradicts the extant SEC AML/CFT Rules, as well as the MLPA and TPA. How are CMOs expected to deal with these conflicting regulations and laws?
   A: SEC and NITDA will work together to review the value of the data sets being collected and to decide which forms would need to be updated. Until then, CMOs should ensure full compliance with extant rules and regulations.

5. Q: How long should disengaged clients' data be retained for?
   A: The NDPR does not provide a specific length of time; however, the NDPR Implementation Framework provides guidance. The proposed Capital Market Data Protection Toolkit would address this concern.

6. Q: How does NITDA handle data breach incidents, and are there any reported cases?
   A: The NDPR Implementation Framework outlines the process for breach handling. The process is in line with the constitutional requirements on fair hearing. Yes, there are reported cases.

7. Q: The NITDA Regulation is applicable only to natural persons. What about corporate entities?
   A: Data protection laws deal with natural persons. Other bodies of law such as CAMA, the Cybercrimes Act, 2015, the Freedom of Information Act etc. deal with other forms of data sets.

8. Q: Can the current Compliance Officer in a CMO be appointed as Data Protection Officer?
   A: Yes; however, conflict of interest, efficiency and the ability to retain the confidence of top management in the role must be considered.

9. Q: What is NITDA's minimum requirement for the appointment of a designated DPO by a CMO?
   A: The Framework provides for this. CMOs should consider persons with a legal or IT background with interest and skill in regulatory compliance.

10. Q: Are DPOs required to register with NITDA?
    A: No. However, they may want to be placed on the DPO mailing list to get updates on events and developments from NITDA.

11. Q: How does one get certified as a DPO?
    A: Take national or international certification courses, e.g. NDPR, GDPR etc.

12. Q: Can one Data Protection Officer serve companies in the same group?
    A: Yes.

13. Q: What is the implication of not meeting the deadline for the data protection audit?
    A: It constitutes a breach of the NDPR. Non-filing also excludes entities from being listed on the list of NDPR-compliant companies for the year.

14. Q: Who is eligible to carry out a Data Protection Compliance Audit?
    A: A Data Protection Compliance Organisation.

15. Q: Will NITDA intervene as regards the outrageous fees DPCOs are charging?
    A: SEC may intervene on this. It is, however, a competitive market. There are currently 70 licensees.

16. Q: Is it mandatory to engage the services of a DPCO when an organisation has an expert who is certified in data protection policy?
    A: Yes. DPCOs are required to verify audit reports before filing with NITDA.

17. Q: Are all organisations required to file an audit report with NITDA, regardless of the number of data subjects processed?
    A: Only organisations that process the data of more than 2,000 data subjects in a year are required to file the report.

18. Q: Should a CMO perform a data audit where it has more than 2,000 data subjects but has handled fewer than 1,000 of them within a given year?
    A: Yes. This is because 'storage' constitutes processing according to Art. 1.3 of the NDPR.

19. Q: How should CMOs interpret the keyword "processes" in subsection 3.1.6 of the Regulation? Does the word "processes" mean the entire customer data in their database, or only a subset of the database which has generated transactional activity within the period in question?
    A: Processing is defined in the NDPR:

    "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

20. Q: What specific steps must be undertaken to ensure compliance with the Regulation?
    A: Review the Regulation and its Framework, and get a DPCO for guidance.

21. Q: The Regulation places too much emphasis on data collection and processing but does not adequately address the issue of data retention. Why is this so?
    A: Data retention is subject to varied laws and sectoral directives. The NDPR does not seek to supplant established, working principles; it rather seeks to fill the established voids in harmony with existing rules.

22. Q: If NITDA places on its premises a notice that "by entering into this premises, you are complying to the use of your personal data", does this fall under the reasons for which personal data can be collected?
    A: Yes. It is intended to elicit consent. Because we use CCTVs and other technologies which do automated processing of personal data, consent is essential for such processing activities.

23. Q: What is the scope of data protection compliance for a typical CMO? Is the data protection obligation limited only to the clients that have been on-boarded and are on a CMO's database system or records?
    A: It includes the visitors to your website and office premises, and attendees at your programmes whose data you collect in furtherance of your business. The list is non-exhaustive.

24. Q: Does the NDPR apply to Ministries, State and Local Governments and Government Establishments?
    A: Yes.

25. Q: Would you consider the NDPR to also be applicable to and enforceable by non-resident portfolio investors?
    A: Yes. If the ISA and NIPC regard them as investors, they are also eligible to enjoy the benefits of data protection law in Nigeria.

26. Q: Legitimate interests remain the most flexible legal basis for most data controllers. Under the GDPR, public authorities are unable to rely on legitimate interests to legitimise data processing carried out in the discharge of their functions unless they maintain a record of the assessment they have made. Does the NDPR allow data processed on the basis of legitimate interests to be subject to a right to object where there are compelling reasons?
    A: The NDPR requires data processing to be done legitimately and legally, but does not expressly provide for the legitimate interest of the controller as a legal basis.

    Under the GDPR, legitimate interest can be a basis on one of three grounds: prevention of fraud, information security, and investigation or prevention of criminal acts or threats.

    Legitimate interest is therefore not a free pass for data controllers to do any and everything.

27. Q: Does the Regulation permit the collection of sensitive personal data?
    A: Yes.

28. Q: How does NITDA deal with data breaches that occur through deploying an application/server on a cloud which resides in a data centre in a region that doesn't fully comply with the EU GDPR or the NDPR?
    A: The Regulation would take effect. Local accomplices would be held liable until international legal processes are completed.

29. Q: Does the placement of data in a cloud outside the Nigerian space amount to a transfer of data to a foreign jurisdiction?
    A: Yes. The law recognises this and makes adequate allowance to ensure cloud services are not inhibited.

30. Q: Are unsolicited SMS messages for advertisement purposes received from mobile operators a breach of the NDPR?
    A: Yes. But you need to be sure you have not given consent at any point in time.

31. Q: Where can the guidelines on the NDPR be found?
    A: www.nitda.gov.ng, under Regulations.

32. Q: Would NITDA create some sort of register, like the ICO's, containing lists of organisations who have complied with the audit exercise? This would help with the obligation to ensure companies are compliant before sharing data.
    A: Yes. It would be published by August 2020.

33. Q: Does NITDA regulate data processors? How does a CMO know that the processor it is using has excellent data processing and protection antecedents?
    A: Yes. Ask to know its state of compliance.

34. Q: In a securities offering (bond or equity etc.), is the data protection impact assessment conducted on the CMO or on the prospective subscribers?
    A: On the Issuer, the CMOs (parties to the offer) and any other critical data component of the offering.

35. Q: Is client consent required for CMOs internally deploying Artificial Intelligence in profiling clients and predicting their needs?
    A: Yes. Consent is the only acceptable basis for automated profiling.

36. Q: Where a CMO utilises agents to market its products, would the agents also be audited, since they are exposed to clients' data?
    A: The CMO is expected to enter into a Data Processing Agreement with them to ensure they comply with the NDPR. The CMO may still be vicariously liable for their breach.

37. Q: How can we as a country safely tie IP addresses to their originating source for ease of tracking and audit trail?
    A: The technology is available and growing.

38. Q: Can NITDA provide a template/framework to be adopted for data compliance audit reports to be filed by persons subject to the NDPR?
    A: Yes. We have provided it in the Framework.

39. Q: How are the audit reports to be filed by CMOs?
    A: They are to be filed through a DPCO.

40. Q: Would NITDA provide technical support to CMOs on data protection to ensure uniformity in data handling?
    A: We work in partnership with sectoral regulators like SEC, and we expect CMOs to get DPCOs to support their implementation.

41. Q: Where can the list of approved DPCOs be obtained?
    A: https://nitda.gov.ng/wp-content/uploads/2020/06/DPCO-LIST-V4.418.6.20.pdf

42. Q: What is NITDA doing to prevent all online hacking and theft?
    A: Advisory, awareness, information sharing with public and private stakeholders etc.

43. Q: Is an employer vicariously liable for unauthorised disclosure of clients' data by staff of that organisation?
    A: Yes.

44. Q: Does NITDA have any plans to promote data minimisation?
    A: We are already doing so.

45. Q: For a CMO that only provides advisory services to the Group's clients and hence relies on the Group's clients and the Group's privacy and data protection practice, is it still required to conduct an audit of the same privacy and data protection practice if the Group has already done so? In this scenario the Group and the CMO have separate company names.
    A: If the Group report specifically and exhaustively highlights the processing activities of the subsidiary and their relationship, yes. If not, then it's best for the subsidiary to conduct its own audit. This position is still being studied, and the Agency would come to a definitive position after consultation with relevant stakeholders.

46. Q: Is NITDA engaging GSM operators to ensure the safety of personal data in their custody?
    A: Yes.

47. Q: What's the status of the draft Implementation Framework? When will it be operational?
    A: Upon approval by the Hon. Minister for Communications and Digital Economy.

48. Q: Can the personal data of individuals/organisations be used to trace the participants in fraudulent activities for disciplinary action?
    A: Yes, on the basis of public and legal interest.

49. Q: With regard to Art. 3.1(7c) of the NDPR concerning specific purpose, what steps have been taken so far by NITDA to mitigate the diversion of information originally obtained for a particular purpose?
    A: NITDA has issued the law; we are creating awareness, providing support and working on enforcement. We need all stakeholders to key into this, because it is not about NITDA but about our economic and social perception by investors and other stakeholders.

50. Q: Would the consent of a data subject be required for collaboration across the African Union for data sharing?
    A: Yes, going by the Malabo Convention.

51. Q: Where a CMO has taken standard precautions in respect of cyber security and internal capacity, is it exonerated if the company still gets hacked and clients' personal details are stolen, or is it a strict liability offence?
    A: A data breach is a 'strict liability' incident; however, the actions taken by the entity would weigh on administrative and judicial bodies when deciding on sanctions.

52. Q: Can an individual qualify as a Data Controller?
    A: Yes, especially if the processing activity is done pursuant to a commercial objective.