OVERVIEW OF PERSONAL DATA PROTECTION
Joeson Consult Ltd.
Presented by: Dr. Iyere Samuel Iheonkhan
Program of Event
Section 1: 10:00am to 11:00am
Break: 11:00am - 12:00pm
Section 2: 12:00pm - 1:00pm
Closing
TRAINING OBJECTIVES
By the end of this training, participants will be able to:
- Identify the primary regulations, policies, and laws governing data protection in Nigeria.
- Explain personal data and sensitive personal data.
- Describe the principles for processing personal data within the Nigerian context.
- Explain data subject rights.
- Explain the roles of the DPO.
- Describe the data protection documents and policies.
- Understand the requirements for compliance with the Nigerian Data Protection Act (NDPA) and the consequences of non-compliance.
TABLE OF CONTENTS
- Introduction
- Data Protection and Data Privacy
- Data Privacy Legislation and Guidelines in Nigeria
- Personal Data, Sensitive Personal Data and Data Processing
- Exemption from Application of the Act
- Personal and Sensitive Personal Data
- The Data People
- Key Principles that Apply to the Processing of Personal Data
- Data Subject Privacy Rights
- Data Protection Officer
- Documents/Information
- NDPR Compliance Requirements
- Liability for Non-Compliance
Introduction
In today's digitally driven world, data has become a quintessential asset, powering
innovation, driving economic growth, and transforming various aspects of our lives.
However, this surge in data usage has also brought forth significant concerns regarding
privacy, security, and individual rights. As a response to these challenges, data protection
regulations have emerged as a critical framework aimed at safeguarding personal
information and fostering trust in the digital ecosystem.
First and foremost, data protection regulations serve to uphold fundamental human
rights, particularly the right to privacy. In an era where personal data is constantly
collected, processed, and analyzed, individuals must have control over how their
information is utilized. Data protection laws establish guidelines to ensure that personal
data is processed lawfully, transparently, and with respect for individual privacy
preferences. By empowering individuals with rights such as consent, access, and
erasure, these regulations reinforce the notion that personal data belongs to the
Moreover, data protection regulations play a pivotal role in fostering trust and confidence among
consumers, businesses, and other stakeholders in the digital economy. By setting clear standards for data
handling practices, these regulations mitigate the risks of data breaches, identity theft, and other forms of
cybercrime. Organizations that comply with data protection laws demonstrate their commitment to ethical
conduct and responsible stewardship of personal information, thereby enhancing their reputations and
credibility in the marketplace. This trust is essential for promoting innovation, driving consumer
engagement, and facilitating cross-border data flows in a globalized world.
Furthermore, data protection regulations are essential for promoting fair competition and preventing
monopolistic practices in the digital marketplace. In an environment where data is often referred to as the
"new oil," it is imperative to prevent the abuse of dominant positions by certain players who may exploit
personal data for anti-competitive purposes. By imposing obligations such as data minimization, purpose
limitation, and data portability, these regulations level the playing field and promote a more open and
competitive digital ecosystem where users have a choice over how their data is used and shared.
Additionally, data protection regulations are crucial for ensuring accountability and fostering a culture of
responsible data governance. By requiring organizations to implement privacy-by-design principles, conduct
data protection impact assessments, and appoint data protection officers, these regulations promote proactive
measures to identify and mitigate privacy risks throughout the data lifecycle. This proactive approach not only
helps organizations comply with legal requirements but also cultivates a broader culture of data ethics and
responsible innovation, thereby benefiting society as a whole.
DATA PROTECTION
• Data Protection is about Data Security
• It ensures that personal data is safeguarded from unlawful access by unauthorized parties
• It protects organizational assets by “keeping threats out”
• Data Protection is a Governance issue
• If you collect personal data, then you have the responsibility of protecting it from unauthorized access
DATA PRIVACY
• Data Privacy is contained in Section 37 CFRN as “citizen’s right to Privacy in their homes, correspondence, telephone conversations and telegraphic communications guaranteed”
• Every Nigerian therefore has a right to data privacy
• This dictates the rights of Nigerians over their personal data
• If you collect personal data then you must respect privacy rights
DATA PRIVACY LEGISLATIONS AND GUIDELINES IN
NIGERIA
The principal data protection legislation in Nigeria is the Nigeria Data
Protection Act 2023 (“NDPA”) which was signed into law by President Bola
Ahmed Tinubu on 14 June 2023.
The Nigeria Data Protection Commission (“NDPC”) is the primary data
protection authority and is responsible for enforcing the NDPA in Nigeria.
The NDPA establishes the NDPC. The NDPC is the agency responsible for
enforcing the provisions of the NDPA and the administration of all data
protection matters in Nigeria.
The NDPA retained and did not repeal the existing NDPR and its
Implementation Framework. These documents are now to be read in
conjunction with the NDPA; however, where there is any conflict in their
provisions, the provisions of the NDPA are to prevail.
DATA PRIVACY LEGISLATIONS AND GUIDELINES IN
NIGERIA
The following laws and regulations impact data protection in Nigeria:
a. The Constitution of the Federal Republic of Nigeria 1999 (as amended).
b. The Nigeria Data Protection Regulation 2019 (“NDPR”).
c. The NDPR Implementation Framework 2020, issued by the National Information
Technology Development Agency (“NDPR Implementation Framework”).
d. The Child Rights Act 2003.
e. The Cybercrimes (Prohibition, Prevention, etc.) Act, 2015.
f. The Freedom of Information Act, 2011.
g. The National Health Act, 2014.
h. The HIV and AIDS (Anti-Discrimination) Act, 2014.
DATA PRIVACY LEGISLATIONS AND GUIDELINES IN
NIGERIA
The following sector-specific laws, regulations and guidelines have an impact on data protection in Nigeria:
a. The Consumer Code of Practice Regulations 2007 (“NCC Regulations, 2007”) published by the Nigerian
Communications Commission (“NCC”).
b. The Registration of Telephone Subscribers Regulations 2011, published by the NCC.
c. The Consumer Protection Regulations 2020, issued by the Central Bank of Nigeria (“CBN”), Nigeria’s apex bank.
d. The Lawful Interception of Communications Regulations, 2019 which was issued by the NCC.
e. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020, issued by the
NITDA.
f. The Official Secrets Act 1962.
g. The CBN Guidelines on Point of Sale Card Acceptance Services 2011.
h. The CBN Regulatory Framework for Bank Verification Number Operations and Watch-List for The Nigerian
Banking Industry 2017.
i. The NITDA Guidelines for Nigerian Content Development in Information and Communication Technology 2019
(as amended).
Exemption from Application of the Act
● The NDPA will not apply “to the processing of personal data carried out by one or more persons solely for personal or household purposes” as long as such processing does not violate the fundamental right to privacy of a data subject.
● Processing activities by law enforcement during the prevention, investigation, detection, or prosecution of a crime; processing for the prevention or control of a national public health emergency, national security or public interest purposes; and processing as necessary for the establishment, exercise, or defense of legal claims are exempt from most of the obligations under Part V of the Act.
Accordingly, the NDPA will not apply to a data controller or data processor if the processing of personal data is carried out by a competent authority for any of the following purposes:
● the prevention, investigation, detection, prosecution, or adjudication of a criminal offense or to execute a criminal penalty in accordance with any applicable law;
● to prevent or control a national public health emergency;
● as is necessary for national security;
● in respect of publication in the public interest, for journalism, educational, artistic and literary purposes to the extent that such obligations and rights are incompatible with such purposes; or
● necessary to establish, exercise, or defend legal claims, whether in court proceedings, or in an administrative or out-of-court procedure.
PERSONAL AND SENSITIVE PERSONAL DATA
Section 30 of the Act defines personal data as “any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.”
It further defines sensitive personal data as personal data relating to an individual’s:
● genetic and biometric data, for the purpose of uniquely identifying a natural person;
● race or ethnic origin;
● religious or similar beliefs, such as those reflecting conscience or philosophy;
● health status;
● sex life;
● political opinions or affiliations; and
● trade union memberships.
WHAT IS DATA PROCESSING?
Article 65 of Nigerian Data Protection Act defines “Processing” as
any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation,
structuring, storage, adaptation, alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment, combination, restriction,
erasure or destruction and does not include the mere transit of
data originating outside Nigeria.”
THE DATA PEOPLE
● Data Subject: an individual to whom personal data relates.
● Data Processor (Admin): an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor.
● Data Controller: an individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data.
● Data Protection Officer: an individual who ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data.
● Data Protection Compliance Officer: NITDA licensed organizations who provide data protection services.
● Data Controller or Data Processor of Major Importance
According to the NDPA, a “Data Controller or Data Processor
of Major Importance” is a Data Controller or Data Processor
that is domiciled, resident in, or operating in Nigeria and
processes or intends to process personal data of more than such
number of data subjects who are within Nigeria, as the NDPC
may prescribe, or such other class of Data Controller or Data
Processor that is processing Personal Data of particular value or
significance to the economy, society or security of Nigeria as
the NDPC may designate.
Key principles that apply to the processing of personal data
These principles are designed to protect individuals' rights and ensure their data is handled responsibly.
● Lawfulness, Fairness and Transparency
● Purpose Limitation
● Data Minimization
● Accuracy
● Storage Limitation
● Integrity and Confidentiality
DATA PROTECTION PRINCIPLES
Lawfulness, Fairness and Transparency
Section 24(1) of the NDPA provides that Personal Data shall be processed in a fair, lawful and transparent manner. It also provides that Personal Data is to be collected for specified, explicit, and legitimate purposes and is not to be further processed in a way incompatible with these purposes.
Example: Where personal data is collected by an online bookshop prior to downloading an e-book, the data subject must be informed about the purpose of the data collection and must be asked to give their consent. If the bookshop also wants to add this person to its emailing list, the data subject must knowingly agree to it by opting in.
LEGAL BASES FOR PROCESSING PERSONAL DATA
Consent · Contract · Legal Compliance · Vital Interest of Data Subject · Public Interest · Legitimate Interest
Lawful basis for processing: Section 25 of the NDPA provides six lawful bases for the
processing of Personal Data:
A. where the Data Subject has given and not withdrawn consent for the specific purpose
or purposes for which Personal Data is to be processed;
B. where processing is necessary for the performance of a contract to which the Data
Subject is party or in order to take steps at the request of the Data Subject prior to
entering into a contract;
C. where processing is necessary for compliance with a legal obligation to which the Data
Controller or Data Processor is subject;
D. where processing is necessary in order to protect the vital interests of the Data Subject
or of another natural person;
E. where processing is necessary for the performance of a task carried out in the public
interest or in exercise of official public mandate vested in the Data Controller; or
F. where processing is necessary for the purposes of the legitimate interests pursued by
the Data Controller or Data Processor, or by a third party to whom the data is disclosed.
DATA PROTECTION PRINCIPLES
Purpose Limitation
Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Example: Many online stores collect personal data so that they can provide customers with targeted offers that match their spending habits. However, the principle of purpose limitation would be breached if those stores then handed such data to a travel agency, as this is beyond the scope of the data collection.
DATA PROTECTION PRINCIPLES
Data Minimization
Data controllers should only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Organizations should avoid collecting unnecessary or excessive amounts of personal data.
Example: A recruitment agency helps an employer to find qualified candidates for a job opening. The agency asks candidates to fill out a general questionnaire that contains specific health-related questions that are only applicable to specific jobs. Obtaining such data from a person who applied for an office job would be unnecessary.
DATA PROTECTION PRINCIPLES
Accuracy
Personal data should be accurate and, where necessary, kept up to date. Data controllers are responsible for taking reasonable steps to ensure that inaccurate personal data is rectified or erased without delay.
Example: If a person moves home from Europe to Canada, a record stating that they currently live in Europe would be incorrect. Nevertheless, a record indicating that they once lived in Europe remains true, even though they no longer live there.
DATA PROTECTION PRINCIPLES
Storage Limitation
Section 24(1)(d) of the NDPA provides that a Data Controller or Data Processor shall ensure that Personal Data is retained for not longer than is necessary to achieve the lawful bases for which the Personal Data was collected or further processed.
Example: An organization has collected and used the personal data of its customers to better understand their needs before launching a particular product. The principle of storage limitation would be breached if the organization did not dispose of such data after the product is launched.
Section 8.2 of the NDPR Implementation Framework specifies the statutory retention periods for storing Personal Data, which apply where no specific duration is agreed between the parties or is stated in any applicable law. The retention periods stipulated in section 8.2 of the NDPR Implementation Framework are as follows:
A. three years after the last active use of a digital platform;
B. six years after the last transaction in a contractual agreement;
C. upon the presentation of evidence of death by a deceased’s relative, the Data Controller
and/or Processor must immediately delete the Personal Data of the deceased Data Subject
unless there is a legal obligation imposed on the Data Controller to continue to store the
Personal Data;
D. immediately upon a request by the Data Subject or his/her legal guardian where:
I. no statutory provision provides otherwise; and
II. the Data Subject is not the subject of an investigation or suit that may require the Personal
Data sought to be deleted.
The NDPR Implementation Framework further requires that Personal Data which is no longer
in use or which has been retained beyond the requisite statutorily required retention period
DATA PROTECTION PRINCIPLES
Data Security
Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. The Data Controller and Data Processor are to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of Personal Data in their possession.
Example: For remote work, an organization offers laptops to its staff with secure storage lockers for home use and a locking system for outside use. However, the risk of theft and loss of equipment still persists. The principle of integrity and confidentiality would be breached if the organization did not encrypt all of the data stored on the laptops. The encryption of the data would reduce the improper and unauthorized use of
DATA SUBJECT PRIVACY RIGHTS
● Obtain information regarding the personal data held by a controller or processor about the requestor, in a commonly used electronic format;
● Know the source of information where the data has been collected from a source other than the data subject;
● Lodge a complaint with the Commission;
● Know the existence of automated decision-making (ADM) and not be subject to a decision that is solely based on automated processing of personal data;
● Correct, and where it is not feasible or suitable, delete inaccurate, out-of-date, incomplete, or misleading information;
● Request erasure where the personal data is no longer required in relation to the purpose for which it was collected;
● Request the restriction of processing personal data;
● Object to the processing of personal data;
● Data portability: the Act makes it possible for a data subject to receive personal data concerning them from a data controller and transmit it to another controller, or for the data to be directly transferred from one controller to another;
● Withdraw consent to the processing of personal data at any time.
Data Protection Officer (DPO)...
The role of a Data Protection Officer (DPO) is crucial in ensuring that an
organization complies with data protection regulations and effectively manages
the privacy and security of personal data. The responsibilities of a DPO typically
include:
Monitoring Compliance: The DPO is responsible for ensuring that the
organization complies with relevant data protection laws and regulations, such
as the GDPR or CCPA. This involves staying up-to-date with changes in
legislation and assessing the organization's data processing activities for
compliance.
Advising on Data Protection Matters: The DPO provides guidance and advice to
the organization, its employees, and third parties on data protection obligations,
policies, and procedures. They may assist in conducting data protection impact
assessments (DPIAs) and addressing privacy concerns or inquiries.
Data Protection Policies and Procedures: The DPO helps develop,
implement, and maintain data protection policies, procedures, and
documentation within the organization. This includes privacy notices, data
processing agreements, data retention policies, and incident response
plans.
Training and Awareness: The DPO ensures that employees are trained on
data protection requirements and best practices. They may conduct training
sessions, develop educational materials, and raise awareness about the
importance of data protection across the organization.
Data Subject Rights: The DPO oversees the organization's processes for
handling data subject requests, such as access requests, rectification
requests, and requests for erasure (right to be forgotten). They ensure that
requests are handled promptly and in accordance with applicable laws.
Monitoring Data Security: The DPO monitors the organization's data security measures to protect
against unauthorized access, loss, or misuse of personal data. They may conduct regular audits,
risk assessments, and security reviews to identify vulnerabilities and ensure appropriate
safeguards are in place.
Incident Management and Response: In the event of a data breach or security incident, the DPO
leads the organization's response efforts. This includes investigating the incident, assessing its
impact, notifying affected individuals and authorities as required, and implementing corrective
actions to prevent future incidents.
Liaison with Supervisory Authorities: The DPO serves as the point of contact for supervisory
authorities (such as the Information Commissioner's Office in the UK or the Data Protection
Authority in other jurisdictions) on data protection matters. They may handle communications,
inquiries, and notifications to regulators as required by law.
Vendor Management: The DPO evaluates the data protection practices of third-party vendors and
partners that process personal data on behalf of the organization. They may review contracts,
assess vendor compliance, and ensure appropriate safeguards are in place to protect data.
CHILDREN’S PRIVACY
The Act expands the protections accorded to children and persons lacking legal capacity, and sets the age under which a data subject is considered a “child” at 18 years, in alignment with the Nigeria Child Rights Act.
The Act also includes specific consent requirements for children and persons
lacking the legal capacity to consent. To effect this, the Act requires controllers
and processors to adopt consent verification mechanisms.
To guarantee stronger privacy protections for children, the Commission will
create Regulations to guide the personal data processing of a child of 13 years
and above in the course of their usage of online products and services.
However, there are instances where a controller or processor may process the
personal data of children and persons lacking legal capacity without the consent
of a parent or legal guardian, such as:
● Where the processing is necessary to protect the vital interests of the child or
person lacking the legal capacity to consent;
● Where the processing is carried out for purposes of education, medical, or
social care, and undertaken by or under the responsibility of a professional
or similar service provider owing a duty of confidentiality; or
● Where the processing is necessary for proceedings before a court relating to
the individual.
Documents/Information
● Data protection policy
● Privacy policy
● Data subject consent form
● Internal breach register
● Data subject access request procedure and form
● Subject access request record
● Data breach notification procedure
● etc.
Data protection policy
A data protection policy outlines an organization's approach to handling and
protecting sensitive information. It typically includes guidelines, procedures,
and responsibilities related to collecting, storing, processing, and sharing
data to ensure compliance with relevant laws and regulations.
Content
1. Purpose
The purpose of this policy is to establish guidelines and procedures for the
protection of sensitive information collected, processed, stored, and shared
by us.
2. Scope
This policy applies to all employees, contractors, partners, and third parties who
3. Data Protection Principles
We are committed to upholding the following data protection principles:
● Lawfulness, fairness, and transparency: Data will be processed lawfully, fairly, and transparently in
accordance with applicable data protection laws and regulations.
● Purpose limitation: Data will be collected for specified, explicit, and legitimate purposes and will not be
further processed in a manner incompatible with those purposes.
● Data minimization: Only necessary data will be collected and processed for the intended purposes.
● Accuracy: Reasonable steps will be taken to ensure that personal data is accurate and up-to-date.
● Storage limitation: Data will be retained only for as long as necessary to fulfill the purposes for which it
was collected.
● Integrity and confidentiality: Appropriate technical and organizational measures will be implemented to
ensure the security, integrity, and confidentiality of personal data.
4. Data Handling Procedures
● Data Collection: Only collect personal data necessary for specified purposes with the
consent of the data subject whenever required.
● Data Processing: Process personal data in accordance with applicable laws and
regulations and ensure appropriate security measures are in place.
● Data Storage: Store personal data securely and ensure access is restricted to
authorized personnel only.
● Data Sharing: Share personal data with third parties only when necessary and with
appropriate safeguards in place.
5. Data Subject Rights
We recognize the rights of data subjects under applicable data protection laws,
including the rights to access, rectification, erasure, restriction of processing, data
6. Data Security
We will implement appropriate technical and organizational measures to protect
personal data against unauthorized access, disclosure, alteration, and destruction.
7. Data Breach Response
In the event of a data breach, we will promptly assess the breach, take necessary
steps to mitigate any adverse effects, and notify affected individuals and relevant
authorities as required by law.
8. Training and Awareness
We will provide training and awareness programs to all employees and relevant
stakeholders to ensure compliance with this policy and data protection laws.
9. Compliance Monitoring and Review
This policy will be regularly reviewed and updated to ensure compliance with evolving
data protection laws and best practices. Non-compliance with this policy may result in
disciplinary action, up to and including termination of employment or contractual
relationship.
10. Contact Information
For questions or concerns regarding this policy or data protection practices, please
contact the designated Data Protection Officer or department.
11. Policy Acknowledgment
All employees, contractors, partners, and third parties must acknowledge receipt and
understanding of this policy and agree to comply with its provisions.
Privacy policy
A privacy policy is a legal document that outlines how an organization
collects, uses, stores, and protects personal data collected from individuals.
It informs users about their rights regarding their personal information and
provides transparency about the organization's data practices. Below is a
general template for a privacy policy:
1. Introduction
XYZ is committed to protecting the privacy and security of your personal
information. This Privacy Policy explains how we collect, use, disclose, and
protect the personal information we collect from you when you use our
[website/application/service].
2. Information We Collect
● Personal Information: We may collect personal information such as your name, email address,
postal address, phone number, and other contact information when you interact with us.
● Usage Information: We may automatically collect information about your usage of our
[website/application/service], including your IP address, device information, browser type, and
operating system.
● Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect
information about your interactions with our [website/application/service].
3. How We Use Your Information
We may use the information we collect for the following purposes:
● To provide and maintain our [website/application/service].
● To personalize your experience and provide tailored content.
● To communicate with you about our products, services, and promotions.
● To analyze usage trends and improve our [website/application/service].
● To comply with legal and regulatory requirements.
4. How We Share Your Information
We may share your personal information with third parties for the following purposes:
● With service providers who assist us in providing our [website/application/service].
● With our affiliates and business partners for marketing and promotional purposes.
● In response to a legal request or to comply with applicable laws and regulations.
● In connection with a merger, acquisition, or sale of assets.
5. Your Choices
● Opt-Out: You may opt-out of receiving marketing communications from us by following the
instructions provided in the communication.
● Cookies: You can set your browser to refuse all or some browser cookies or to alert you
when websites set or access cookies. If you disable or refuse cookies, please note that
some parts of our [website/application/service] may become inaccessible or not function
properly.
6. Data Security
We take reasonable measures to protect the security of your personal
information from unauthorized access, use, or disclosure.
7. Children's Privacy
Our [website/application/service] is not directed to individuals under the age of
18, and we do not knowingly collect personal information from children under 18.
8. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted
on this page with an updated effective date.
9. Contact Us
If you have any questions or concerns about our Privacy Policy or our data
Why should we comply?
A- Attraction of reputable investors
B- Brand Image Enhancement
C- Customer/Citizen Loyalty
D- Data Process Maturity
E- Earning Power
F- Focus for your organization. Reduce distractions
G- Goodwill with Government, Citizens and Businesses
NDPR Compliance Requirements
● Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance initiatives within the organization.
● Document and publish a data protection policy in line with the requirements of the Data Protection Regulation, within six months of the issuance.
● Ensure continuous capacity building and training for the Data Protection Officer and other personnel involved in processing personal data.
● Engage a licensed Data Protection Compliance Organization (DPCO) to perform a Data Protection Audit and file a report with NITDA within the stipulated timeline: within six months of the issuance + 3 months.
● If a Data Controller processes the personal data of more than 2000 Data Subjects in a period of 12 months, it shall submit a summary of its data protection audit to the Agency.
● If an organisation is a data controller and it processes personal data of more than 2000 people in a year, it must submit an audit to NITDA on the 15th of March 2020 and the 15th March of every subsequent year.
● If a Data Controller processes the personal data of more than 1000 data subjects in a period of 6 months, it shall submit a soft copy of the summary of the audit to the Agency.
LIABILITY FOR NON-COMPLIANCE WITH THE ACT
The Act provides a data subject who has suffered injury, loss, or harm,
Where a controller or processor violates the provisions of the Act or
subsidiary legislation, the Commission may issue a compliance order
requiring them to take specific measures to remedy the situation within
a specified period as well as inform them of their right to a judicial review.
The Commission may also impose an enforcement order or a sanction. In
issuing an enforcement order or a sanction, the Commission may:
● Require the data controller or processor to remedy the violation;
● Order for the compensation of data subjects;
● Order the controller or processor to account for profits realized from the
violation; or
● Impose a penalty.
The penalty amount depends on whether the violator is a data controller or processor of major importance. Penalties against data controllers or processors of major importance shall be the higher of N10,000,000 (approximately 22,000 USD) or 2% of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be the higher of N2,000,000 (approximately 4,300 USD) or 2% of the annual gross revenue of the preceding financial year.
OFFENCES AND SANCTIONS
THANK YOU!

  • 1. OVERVIEW OF PERSONAL DATA PROTECTION Joeson Consult Ltd. Presented by: Dr. Iyere Samuel Iheonkhan
  • 2. Section 1: 10:00am to 11:00am Break: 11:00am - 12am Section 2: 12:00pm - 1:00pm Closing Program of Event
  • 3. TRAINING OBJECTIVES By the end of this training, participants will be able to: - Identify the primary regulations, policies, and laws governing data protection in Nigeria. - Explain personal data and sensitive personal data. - Describe the principles for processing personal data within the Nigerian context. - Explain Data Subject Right - Explain the roles of DPO - Describe the Data protection documents and policies - Understand the requirements for compliance with the Nigerian Data Protection Act (NDPA) and the consequences of non-compliance.
  • 4. - Introduction - Data Protection and Data Privacy - Data Privacy Legislation and Guideline in Nigeria - Personal Data, Sensitive Personal Data and Data Processing. - Exemption from Application of the ACT - Personal and sensitive - Data People - Key principles that apply to the processing of personal data - Data Subject Privacy Rights - Data Protection Officer - Documents/Information - NDPR Compliance Requirement - Liability for Non Compliance TABLE OF CONTENTS
  • 5.
  • 6. Introduction In today's digitally driven world, data has become a quintessential asset, powering innovation, driving economic growth, and transforming various aspects of our lives. However, this surge in data usage has also brought forth significant concerns regarding privacy, security, and individual rights. As a response to these challenges, data protection regulations have emerged as a critical framework aimed at safeguarding personal information and fostering trust in the digital ecosystem. First and foremost, data protection regulations serve to uphold fundamental human rights, particularly the right to privacy. In an era where personal data is constantly collected, processed, and analyzed, individuals must have control over how their information is utilized. Data protection laws establish guidelines to ensure that personal data is processed lawfully, transparently, and with respect for individual privacy preferences. By empowering individuals with rights such as consent, access, and erasure, these regulations reinforce the notion that personal data belongs to the
  • 7. Introduction… Moreover, data protection regulations play a pivotal role in fostering trust and confidence among consumers, businesses, and other stakeholders in the digital economy. By setting clear standards for data handling practices, these regulations mitigate the risks of data breaches, identity theft, and other forms of cybercrime. Organizations that comply with data protection laws demonstrate their commitment to ethical conduct and responsible stewardship of personal information, thereby enhancing their reputations and credibility in the marketplace. This trust is essential for promoting innovation, driving consumer engagement, and facilitating cross-border data flows in a globalized world. Furthermore, data protection regulations are essential for promoting fair competition and preventing monopolistic practices in the digital marketplace. In an environment where data is often referred to as the "new oil," it is imperative to prevent the abuse of dominant positions by certain players who may exploit personal data for anti-competitive purposes. By imposing obligations such as data minimization, purpose limitation, and data portability, these regulations level the playing field and promote a more open and competitive digital ecosystem where users have a choice over how their data is used and shared.
  • 8. Introduction… Additionally, data protection regulations are crucial for ensuring accountability and fostering a culture of responsible data governance. By requiring organizations to implement privacy-by-design principles, conduct data protection impact assessments, and appoint data protection officers, these regulations promote proactive measures to identify and mitigate privacy risks throughout the data lifecycle. This proactive approach not only helps organizations comply with legal requirements but also cultivates a broader culture of data ethics and responsible innovation, thereby benefiting society as a whole.
  • 9. • Data Protection is about Data Security • It ensures that personal data is safeguarded from unlawful access by unauthorized parties • It protects organizational assets by “keeping threats out” • Data Protection is a Governance issue • If you collect personal data, then you have the responsibility of protecting it from unauthorized access DATA PROTECTION • Data Privacy is contained in Section 37 CFRN as “citizen’s right to Privacy in their homes, correspondence, telephone conversations and telegraphic communications guaranteed” • Every Nigerian therefore has a right to data privacy • This dictates the rights of Nigerians over their personal data • If you collect personal data then you must respect privacy rights DATA PRIVACY
  • 10. DATA PRIVACY LEGISLATIONS AND GUIDELINES IN NIGERIA The principal data protection legislation in Nigeria is the Nigeria Data Protection Act 2023 (“NDPA”) which was signed into law by President Bola Ahmed Tinubu on 14 June 2023. The Nigeria Data Protection Commission (“NDPC”) is the primary data protection authority and is responsible for enforcing the NDPA in Nigeria. The NDPA establishes the NDPC. The NDPC is the agency responsible for enforcing the provisions of the NDPA and the administration of all data protection matters in Nigeria. The NDPA retained and did not repeal the existing NDPR and its Implementation Framework. These documents are now to be read in conjunction with the NDPA; however, where there is any conflict in their provisions, the provisions of the NDPA are to prevail.
  • 11. DATA PRIVACY LEGISLATIONS AND GUIDELINES IN NIGERIA The following laws and regulations impact data protection in Nigeria: a. The Constitution of the Federal Republic of Nigeria 1999 (as amended). b. The Nigeria Data Protection Regulation 2019 (“NDPR”). c. The NDPR Implementation Framework 2020, issued by the National Information Technology Development Agency (“NDPR Implementation Framework”). d. The Child Rights Act 2003. e. The Cybercrimes (Prohibition, Prevention, etc.) Act, 2015. f. The Freedom of Information Act, 2011. g. The National Health Act, 2014. h. The HIV and AIDS (Anti-Discrimination) Act, 2014.
  • 12. DATA PRIVACY LEGISLATIONS AND GUIDELINES IN NIGERIA The following sector-specific laws, regulations and guidelines have an impact on data protection in Nigeria: a. The Consumer Code of Practice Regulations 2007 (“NCC Regulations, 2007”) published by the Nigerian Communications Commission (“NCC”). b. The Registration of Telephone Subscribers Regulations 2011, published by the NCC. c. The Consumer Protection Regulations 2020, issued by the Central Bank of Nigeria (“CBN”), Nigeria’s apex bank. d. The Lawful Interception of Communications Regulations, 2019 which was issued by the NCC. e. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020, issued by the NITDA. f. The Official Secrets Act 1962. g. The CBN Guidelines on Point of Sale Card Acceptance Services 2011. h. The CBN Regulatory Framework for Bank Verification Number Operations and Watch-List for The Nigerian Banking Industry 2017. i. The NITDA Guidelines for Nigerian Content Development in Information and Communication Technology 2019 (as amended).
  • 13. ● The NDPA will not apply “to the processing of personal data carried out by one or more persons solely for personal or household purposes” as long as such processing does not violate the fundamental right to privacy of a data subject. ● processing activities by law enforcement during the prevention, investigation, detection, or prosecution of a crime, ● processing for the prevention or control of a national public health emergency, national security or public interest purposes, and as necessary for the establishment, exercise, or defense of legal claims are exempt from most of the obligations under Part V of the Act Exemption from Application of the Act
  • 14. Accordingly, the NDPA will not apply to a data controller or data processor if the processing of personal data is carried out by a competent authority for any of the following purposes: ● the prevention, investigation, detection, prosecution, or adjudication of a criminal offense or to execute a criminal penalty in accordance with any applicable law; ● to prevent or control a national public health emergency; ● as is necessary for national security; ● in respect of publication in the public interest, for journalism, educational, artistic and literary purposes to the extent that such obligations and rights are incompatible with such purposes; or ● necessary to establish, exercise, or defend legal claims, whether in court proceedings, or in an administrative or out-of-court procedure. Exemption from Application of the Act
  • 15. Section 30 of the Act defines personal data as “any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.” PERSONAL AND SENSITIVE PERSONAL DATA
  • 16. It further defines sensitive personal data as personal data relating to an individual’s: ● genetic and biometric data, for the purpose of uniquely identifying a natural person; ● race or ethnic origin; ● religious or similar beliefs, such as those reflecting conscience or philosophy; ● health status; ● sex life; ● political opinions or affiliations; and ● trade union memberships. PERSONAL AND SENSITIVE PERSONAL DATA
  • 17. Core Values WHAT IS DATA PROCESSING? Article 65 of Nigerian Data Protection Act defines “Processing” as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction and does not include the mere transit of data originating outside Nigeria
  • 18. THE DATA PEOPLE DATA SUBJECT DATA PROCESSOR (ADMIN) DATA CONTROLLER DATA PROTECTION OFFICER DATA PROTECTION COMPLIANCE OFFICER An individual to whom personal data relates An individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor An individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data ; An individual who ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. NITDA Licensed Organizations Who provide Data Protection services
  • 19. · Data Controller or Data Processor of Major Importance According to the NDPA, a “Data Controller or Data Processor of Major Importance” is a Data Controller or Data Processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects who are within Nigeria, as the NDPC may prescribe, or such other class of Data Controller or Data Processor that is processing Personal Data of particular value or significance to the economy, society or security of Nigeria as the NDPC may designate.
  • 20. These principles are designed to protect individuals' rights and ensure their data is handled responsibly. ● Lawfulness, Fairness and Transparency ● Purpose Limitation ● Data Minimization ● Accuracy ● Storage Limitation ● Integrity and Confidentiality Key principles that apply to the processing of personal data
  • 21. Section 24(1) of the NDPA provides that Personal Data shall be processed in a fair, lawful and transparent manner. It also provides that Personal Data is to be collected for specified, explicit, and legitimate purposes and is not to be further processed in a way incompatible with these purposes. Example: In case the personal is collected from an online bookshop prior to downloading an e-book, the data subject must be informed about the purpose of the data collection and must be asked to give their consent. However, if the bookshop wants to add this person to its emailing list, the data subject must knowingly agree to it by opting in. DATA PROTECTION PRINCIPLES Lawfulness, Fairness and Transparency
  • 22. LEGAL BASES FOR PROCESSING PERSONAL DATA CONSENT VITAL INTEREST OF DATA SUBJECT PUBLIC INTEREST LEGITIMAT E INTEREST CONTRACT LEGAL COMPLIANCE
  • 23. LEGAL BASES FOR PROCESSING PERSONAL DATA Lawful basis for processing: Section 25 of the NDPA provides six lawful bases for the processing of Personal Data: A. where the Data Subject has given and not withdrawn consent for the specific purpose or purposes for which Personal Data is to be processed; B. where processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract; C. where processing is necessary for compliance with a legal obligation to which the Data Controller or Data Processor is subject; D.where processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; E. where processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the Data Controller; or F. where processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or Data Processor, or by a third party to whom the data is disclosed.
  • 24. Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Example: Many online stores collect personal data so that they can provide customers with target offers that match their spending habits. However, the principle of purpose limitation would be breached if those supermarkets then handed such data to a travel agency, as this is beyond the scope of the data collection DATA PROTECTION PRINCIPLES Purpose Limitation
  • 25. DATA PROTECTION PRINCIPLES: Data Minimization. Data controllers should only collect and process personal data that is adequate, relevant and limited to what is necessary for the purposes for which it is processed. Organizations should avoid collecting unnecessary or excessive amounts of personal data. Example: a recruitment agency helps an employer to find qualified candidates for a job opening. The agency asks candidates to fill out a general questionnaire that contains specific health-related questions which are only relevant to certain jobs. Obtaining such data from a person who applied for an office job would be unnecessary.
  • 26. DATA PROTECTION PRINCIPLES: Accuracy. Personal data should be accurate and, where necessary, kept up to date. Data controllers are responsible for taking reasonable steps to ensure that inaccurate personal data is rectified or erased without delay. Example: if a person moves home from Europe to Canada, a record stating that they currently live in Europe would be incorrect. Nevertheless, a record indicating that they once lived in Europe remains true, even though they no longer live there.
  • 27. DATA PROTECTION PRINCIPLES: Storage Limitation. Section 24(1)(d) of the NDPA provides that a Data Controller or Data Processor shall ensure that Personal Data is retained for no longer than is necessary to achieve the lawful bases for which the Personal Data was collected or further processed. Example: an organization has collected and used the personal data of its customers to better understand their needs before launching a particular product. The principle of storage limitation would be breached if the organization did not dispose of that data once the product has been launched.
  • 28. DATA PROTECTION PRINCIPLES: Storage Limitation (continued). Section 8.2 of the NDPR Implementation Framework specifies default statutory retention periods for Personal Data, which apply where no specific duration has been agreed between the parties or is stated in any applicable law. The retention periods stipulated in section 8.2 of the NDPR Implementation Framework are: A. three years after the last active use of a digital platform; B. six years after the last transaction in a contractual agreement; C. upon the presentation of evidence of death by a deceased's relative, the Data Controller and/or Processor must immediately delete the Personal Data of the deceased Data Subject unless there is a legal obligation on the Data Controller to continue to store it; D. immediately upon a request by the Data Subject or his/her legal guardian where (i) no statutory provision provides otherwise, and (ii) the Data Subject is not the subject of an investigation or suit that may require the Personal Data sought to be deleted. The NDPR Implementation Framework further requires that Personal Data which is no longer in use or which has been retained beyond the requisite statutorily required retention period
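The four retention rules above interact (a deletion request can be blocked by a pending suit; evidence of death can be overridden by a legal obligation), so it helps to see them written down as one decision procedure. The following is an added illustration, not part of the training material or of the NDPR Implementation Framework. The record fields, the use of a single `legal_hold` flag to stand in for "a statutory provision provides otherwise", the precedence given to the deceased and deletion-request rules over the time-based defaults, and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    RETAIN = "retain"
    DELETE = "delete"


@dataclass
class SubjectRecord:
    """Assumed record shape; the Framework does not prescribe one."""
    subject_id: str
    last_platform_use: Optional[date] = None          # anchor for rule A (3 years)
    last_contract_transaction: Optional[date] = None  # anchor for rule B (6 years)
    deceased_evidence_presented: bool = False         # trigger for rule C
    deletion_requested: bool = False                  # trigger for rule D
    under_investigation_or_suit: bool = False         # rule D(ii) exception
    legal_hold: bool = False                          # statutory obligation to keep


def _add_years(d: date, years: int) -> date:
    """Calendar-year addition that survives a 29 February anchor date."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_decision(
    rec: SubjectRecord, today: date, agreed_period: Optional[timedelta] = None
) -> Tuple[Action, str]:
    """Return (action, reason) for one record as of `today`.

    Precedence (an assumption): rule C, then rule D, then legal hold,
    then the time-based defaults A/B or an agreed period.
    """
    # Rule C: evidence of death -> delete immediately unless a legal obligation applies.
    if rec.deceased_evidence_presented:
        if rec.legal_hold:
            return Action.RETAIN, "deceased, but retained under a legal obligation"
        return Action.DELETE, "evidence of death presented"

    # Rule D: request by subject/guardian -> delete immediately unless
    # (i) a statutory provision provides otherwise or (ii) a suit/investigation is pending.
    if rec.deletion_requested:
        if rec.legal_hold:
            return Action.RETAIN, "deletion requested, but a statutory provision requires retention"
        if rec.under_investigation_or_suit:
            return Action.RETAIN, "deletion requested, but subject of an investigation or suit"
        return Action.DELETE, "deletion requested by data subject or legal guardian"

    if rec.legal_hold:
        return Action.RETAIN, "retained under a legal obligation"

    anchors = [d for d in (rec.last_platform_use, rec.last_contract_transaction) if d]
    if not anchors:
        return Action.RETAIN, "no activity date recorded; review manually"

    if agreed_period is not None:
        # A duration agreed between the parties displaces the statutory defaults.
        expiry = max(anchors) + agreed_period
    else:
        expiries = []
        if rec.last_platform_use:
            expiries.append(_add_years(rec.last_platform_use, 3))         # rule A
        if rec.last_contract_transaction:
            expiries.append(_add_years(rec.last_contract_transaction, 6))  # rule B
        expiry = max(expiries)  # the longer-lived relationship governs

    if today > expiry:
        return Action.DELETE, f"retention period expired on {expiry.isoformat()}"
    return Action.RETAIN, f"within retention period until {expiry.isoformat()}"


def sweep(records: List[SubjectRecord], today: date,
          agreed_period: Optional[timedelta] = None) -> List[str]:
    """Return the ids of all records that are due for deletion on `today`."""
    return [r.subject_id for r in records
            if retention_decision(r, today, agreed_period)[0] is Action.DELETE]


if __name__ == "__main__":
    # Constructed sample records; not real data.
    sample = [
        SubjectRecord("u1", last_platform_use=date(2020, 1, 15)),
        SubjectRecord("u2", last_platform_use=date(2021, 1, 1),
                      last_contract_transaction=date(2018, 6, 1)),
        SubjectRecord("u3", deceased_evidence_presented=True),
        SubjectRecord("u4", deletion_requested=True, under_investigation_or_suit=True),
    ]
    for r in sample:
        print(r.subject_id, *retention_decision(r, date(2024, 1, 1)))
```

The sweep is deliberately a pure function of the record and the date, so it can be run in dry-run mode against an export before any deletion job is wired to it, and the reason string gives the DPO an audit trail for each decision.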
  • 29. DATA PROTECTION PRINCIPLES: Data Security. Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. The Act requires a Data Controller and Data Processor to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of Personal Data in their possession. Example: for remote work, an organization issues laptops to its staff with secure storage lockers for home use and a locking system for use outside. The risk of theft and loss of equipment still persists. The principle of integrity and confidentiality would be breached if the organization did not encrypt all of the data stored on the laptops. Encrypting the data would reduce the improper and unauthorized use of
  • 30. DATA SUBJECT PRIVACY RIGHTS ● Obtain information regarding the personal data held by a controller or processor about the requestor, in a commonly used electronic format; ● Know the source of the information where the data has been collected from a source other than the data subject; ● Lodge a complaint with the Commission; ● Know of the existence of automated decision-making (ADM) and not be subject to a decision that is based solely on automated processing of personal data; ● Correct, and where that is not feasible or suitable, delete inaccurate, out-of-date, incomplete or misleading information; ● Request erasure where the personal data is no longer required in relation to the purpose for which it was collected; ● Request the restriction of processing of personal data; ● Object to the processing of personal data; ● Data portability: the Act makes it possible for a data subject to receive personal data concerning them from a data controller and transmit it to another controller, or for the data to be transferred directly from one controller to another; ● Withdraw consent to the processing of personal data at any time.
  • 31. Data Protection Officer (DPO)... The role of a Data Protection Officer (DPO) is crucial in ensuring that an organization complies with data protection regulations and effectively manages the privacy and security of personal data. The responsibilities of a DPO typically include: Monitoring Compliance: The DPO is responsible for ensuring that the organization complies with relevant data protection laws and regulations, such as the NDPA, the GDPR or the CCPA. This involves staying up to date with changes in legislation and assessing the organization's data processing activities for compliance. Advising on Data Protection Matters: The DPO provides guidance and advice to the organization, its employees and third parties on data protection obligations, policies and procedures. They may assist in conducting data protection impact assessments (DPIAs) and in addressing privacy concerns or inquiries.
  • 32. Data Protection Officer (DPO)... Data Protection Policies and Procedures: The DPO helps develop, implement, and maintain data protection policies, procedures, and documentation within the organization. This includes privacy notices, data processing agreements, data retention policies, and incident response plans. Training and Awareness: The DPO ensures that employees are trained on data protection requirements and best practices. They may conduct training sessions, develop educational materials, and raise awareness about the importance of data protection across the organization. Data Subject Rights: The DPO oversees the organization's processes for handling data subject requests, such as access requests, rectification requests, and requests for erasure (right to be forgotten). They ensure that requests are handled promptly and in accordance with applicable laws.
  • 33. Data Protection Officer (DPO)... Monitoring Data Security: The DPO monitors the organization's data security measures to protect against unauthorized access, loss or misuse of personal data. They may conduct regular audits, risk assessments and security reviews to identify vulnerabilities and ensure appropriate safeguards are in place. Incident Management and Response: In the event of a data breach or security incident, the DPO leads the organization's response efforts. This includes investigating the incident, assessing its impact, notifying affected individuals and authorities as required, and implementing corrective actions to prevent future incidents. Liaison with Supervisory Authorities: The DPO serves as the point of contact for supervisory authorities (such as the Nigeria Data Protection Commission, the Information Commissioner's Office in the UK, or the relevant Data Protection Authority in other jurisdictions) on data protection matters. They may handle communications, inquiries and notifications to regulators as required by law. Vendor Management: The DPO evaluates the data protection practices of third-party vendors and partners that process personal data on behalf of the organization. They may review contracts, assess vendor compliance and ensure appropriate safeguards are in place to protect data.
  • 34. CHILDREN'S PRIVACY The Act expands the protections accorded to children and persons lacking legal capacity, and sets the age under which a data subject is considered a "child" at 18 years, in alignment with the Nigeria Child Rights Act. The Act also includes specific consent requirements for children and persons lacking the legal capacity to consent. To give effect to this, the Act requires controllers and processors to adopt consent verification mechanisms. To guarantee stronger privacy protections for children, the Commission will issue Regulations to guide the processing of the personal data of a child of 13 years and above in the course of their use of online products and services. There are, however, instances where a controller or processor may process the personal data of children and persons lacking legal capacity without the consent of a parent or legal guardian, such as: ● Where the processing is necessary to protect the vital interests of the child or person lacking the legal capacity to consent; ● Where the processing is carried out for purposes of education, medical or social care, and undertaken by or under the responsibility of a professional or similar service provider owing a duty of confidentiality; or ● Where the processing is necessary for proceedings before a court relating to the individual.
  • 35. Documents/Information ● Data protection policy ● Privacy policy ● Data subject consent form ● Internal breach register ● Data subject access request procedure and form ● Subject access request record ● Data breach notification procedure ● etc
  • 36. Data protection policy A data protection policy outlines an organization's approach to handling and protecting sensitive information. It typically includes guidelines, procedures, and responsibilities related to collecting, storing, processing, and sharing data to ensure compliance with relevant laws and regulations. Content 1. Purpose The purpose of this policy is to establish guidelines and procedures for the protection of sensitive information collected, processed, stored, and shared by us. 2. Scope This policy applies to all employees, contractors, partners, and third parties who
  • 37. Data protection policy 3. Data Protection Principles We are committed to upholding the following data protection principles: ● Lawfulness, fairness and transparency: Data will be processed lawfully, fairly and transparently in accordance with applicable data protection laws and regulations. ● Purpose limitation: Data will be collected for specified, explicit and legitimate purposes and will not be further processed in a manner incompatible with those purposes. ● Data minimization: Only the data necessary for the intended purposes will be collected and processed. ● Accuracy: Reasonable steps will be taken to ensure that personal data is accurate and up to date. ● Storage limitation: Data will be retained only for as long as necessary to fulfil the purposes for which it was collected. ● Integrity and confidentiality: Appropriate technical and organizational measures will be implemented to ensure the security, integrity and confidentiality of personal data.
  • 38. Data protection policy 4. Data Handling Procedures ● Data Collection: Collect only the personal data necessary for specified purposes, with the consent of the data subject wherever required. ● Data Processing: Process personal data in accordance with applicable laws and regulations and ensure appropriate security measures are in place. ● Data Storage: Store personal data securely and ensure access is restricted to authorized personnel only. ● Data Sharing: Share personal data with third parties only when necessary and with appropriate safeguards in place. 5. Data Subject Rights We recognize the rights of data subjects under applicable data protection laws, including the rights to access, rectification, erasure, restriction of processing, data
  • 39. Data protection policy 6. Data Security We will implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration and destruction. 7. Data Breach Response In the event of a data breach, we will promptly assess the breach, take the necessary steps to mitigate any adverse effects, and notify affected individuals and relevant authorities as required by law. 8. Training and Awareness We will provide training and awareness programs to all employees and relevant stakeholders to ensure compliance with this policy and with data protection laws.
  • 40. Data protection policy 9. Compliance Monitoring and Review This policy will be reviewed and updated regularly to ensure compliance with evolving data protection laws and best practices. Non-compliance with this policy may result in disciplinary action, up to and including termination of employment or of the contractual relationship. 10. Contact Information For questions or concerns regarding this policy or our data protection practices, please contact the designated Data Protection Officer or department. 11. Policy Acknowledgment All employees, contractors, partners and third parties must acknowledge receipt and understanding of this policy and agree to comply with its provisions.
  • 41. Privacy policy A privacy policy is a legal document that outlines how an organization collects, uses, stores, and protects personal data collected from individuals. It informs users about their rights regarding their personal information and provides transparency about the organization's data practices. Below is a general template for a privacy policy: 1. Introduction XYZ is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and protect the personal information we collect from you when you use our [website/application/service].
  • 42. Privacy policy 2. Information We Collect ● Personal Information: We may collect personal information such as your name, email address, postal address, phone number, and other contact information when you interact with us. ● Usage Information: We may automatically collect information about your usage of our [website/application/service], including your IP address, device information, browser type, and operating system. ● Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect information about your interactions with our [website/application/service]. 3. How We Use Your Information We may use the information we collect for the following purposes: ● To provide and maintain our [website/application/service]. ● To personalize your experience and provide tailored content. ● To communicate with you about our products, services, and promotions. ● To analyze usage trends and improve our [website/application/service]. ● To comply with legal and regulatory requirements.
  • 43. Privacy policy 4. How We Share Your Information We may share your personal information with third parties for the following purposes: ● With service providers who assist us in providing our [website/application/service]. ● With our affiliates and business partners for marketing and promotional purposes. ● In response to a legal request or to comply with applicable laws and regulations. ● In connection with a merger, acquisition, or sale of assets. 5. Your Choices ● Opt-Out: You may opt-out of receiving marketing communications from us by following the instructions provided in the communication. ● Cookies: You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our [website/application/service] may become inaccessible or not function properly.
  • 44. Privacy policy 6. Data Security We take reasonable measures to protect the security of your personal information from unauthorized access, use, or disclosure. 7. Children's Privacy Our [website/application/service] is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children under 18. 8. Changes to this Privacy Policy We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated effective date. 9. Contact Us If you have any questions or concerns about our Privacy Policy or our data
  • 45. Why should we comply? A- Attraction of reputable investors B- Brand Image Enhancement C- Customer/Citizen Loyalty D- Data Process Maturity E- Earning Power F- Focus for your organization. Reduce distractions G- Goodwill with Government, Citizens and Businesses
  • 46. NDPR Compliance Requirements Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance initiatives within the organization. Document and publish a data protection policy in line with the requirements of the Regulation, within six months of its issuance. Ensure continuous capacity building and training for the Data Protection Officer and other personnel involved in processing personal data. Engage a licensed Data Protection Compliance Organization (DPCO) to perform a Data Protection Audit and file a report with NITDA within the stipulated timeline: within six months of the issuance of the Regulation, a deadline NITDA later extended by three months.
  • 47. NDPR Compliance Requirements If a Data Controller processes the personal data of more than 1,000 Data Subjects in a period of six months, it shall submit a soft copy of the summary of its data protection audit to the Agency (NITDA). If a Data Controller processes the personal data of more than 2,000 Data Subjects in a period of 12 months, it shall submit a summary of its data protection audit to the Agency by 15 March 2020 and by 15 March of every subsequent year.
  • 49. OFFENCES AND SANCTIONS The Act gives a data subject who has suffered injury, loss or harm as a result of a violation the right to seek compensation through civil proceedings. Where a controller or processor violates the provisions of the Act or subsidiary legislation, the Commission may issue a compliance order requiring them to take specific measures to remedy the situation within a specified period, and must inform them of their right to a judicial review. The Commission may also issue an enforcement order or impose a sanction. In issuing an enforcement order or a sanction, the Commission may: ● Require the data controller or processor to remedy the violation; ● Order the compensation of data subjects; ● Order the controller or processor to account for profits realized from the violation; or ● Impose a penalty. The penalty amount depends on whether the violator is a data controller or processor of major importance. Penalties against data controllers or processors of major importance shall be the higher of N10,000,000 (approximately 22,000 USD) or 2% of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be the higher of N2,000,000 (approximately 4,300 USD) or 2% of the annual gross revenue of the preceding financial year.