Nigerian Data Protection Regulation - Training On Compliance Pre-Requisite

The document discusses Nigerian data protection regulation compliance. It defines personal data as any information relating to an identified or identifiable individual. Sensitive personal data is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health or sexual orientation. The document also provides an overview of personal data protection laws across different regions of the world.

Uploaded by Stare Deo

Nigerian Data Protection Regulation – Compliance Pre-requisite

March, 2020
Sensitivity: Internal
Personal Data Protection:

Data Protection is a process which involves the safe and lawful processing (collection, retention, transmission and use) of personal data of individuals.
Personal Data:

Personal Data means any information relating to an identified or identifiable individual (data subject).

Examples: name & image, academic records, email address, credit card details, social media handle/account, car number, phone number & home address, SMS.
Sensitive Personal Data:

Sensitive Personal Data are personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, trade-union membership; data concerning health or sex life, genetic data or biometric data.

Examples: trade-union membership, political opinion or philosophical beliefs, medical records, sexual orientation, biometric data (e.g. fingerprint), genetic data.
5 Key Business Disruptors in the Telecommunications Industry

• Social Media
• Regulation
• Personal Data & Technology
• Customer Demand and Preference
• Globalisation
Personal Data Protection Laws Across the Globe:

01 Europe – Robust data protection laws.
• General Data Protection Regulation (GDPR).

02 Africa – Data protection is at its infancy.
• AU Convention on Cybersecurity and Data Protection.
• ECOWAS Data Protection Act 2010.
• Nigeria – Nigerian Data Protection Regulation.
• South Africa – Protection of Personal Information Act 2013.

03 Asia – Strong but fragmented.
• Singapore – Personal Data Protection Act 2012.
• South Korea – Personal Information Protection Law.
• China – No single data protection law; rules are found in various legislations.

04 America – Very strong but vertically focused federal privacy laws.
• No central federal-level privacy law like the EU’s GDPR, but there are several vertically-focused federal privacy laws.
• There is also a new generation of consumer-oriented privacy laws coming from the states, e.g. the California Consumer Privacy Law (CCPL).
Data Protection: Fines & Risk

Nigerian Data Protection Regulation (NDPR), 2019 by NITDA
The Regulation came into force on 25th January, 2019

Objectives: Data Privacy and Protection; Improves Business Environment; Secure Exchange of Data; Create Sustainable Jobs.

Detailed Objectives of the NDPR

• To safeguard the rights of natural persons to data privacy;
• To foster safe conduct for transactions involving the exchange of personal data;
• To prevent manipulation of personal data; and
• To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.
Nigerian Data Protection Regulation, 2019 by NITDA

The Regulation came into force on 25th January, 2019

Scope: All Nigerian Residents; All Nigerians; All Personal Data; Private & Public Sector.

Detailed Scope of the NDPR

• The Regulation applies to all transactions intended for the processing of personal data, to the processing of personal data notwithstanding the means by which the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria; and
• The Regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.
NDPR Fines & Risk Based Stratification by NITDA

Risk tiers:
• Very High – Banks, Telcos, CBN, PFC/PFA, big insurance companies etc.
• High – Big Fintech, Notable Hospitals, NIMC, Stock Brokers
• Average – Large Companies, Medium Financial Companies, PENCOM
• Low – Schools, Transport Companies, Courier companies etc.
• Very Low – SMEs, payrolls etc.

Statutory Fines:
• 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater, for a Data Controller dealing with more than 10,000 Data Subjects.
• 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater, for a Data Controller dealing with less than 10,000 Data Subjects.
NDPR - Lawful Processing of Data
Processing shall be lawful if at least one of the following applies:

• Compliance with Legal Obligation
  Example: SIM registration as mandated by the NCC SIM Registration Guideline 2011.
• Performance of a Contract with the Data Subject
• Consent of Data Subject
  Example: Where processing is not in compliance with a legal obligation or performance of a contract.
• Protecting the Vital Interest of the Data Subject
  Example: Where the Data Subject is sick and needs medical attention.
• To Protect Public Interest
  Example: Preserving national security or preventing the breakdown of law and order.
Consent of a Data Subject

Consent means any freely given, specific, informed and unambiguous indication of the data subject's agreement.

Conditions of a valid consent: Freely Given; Specific; Informed; Demonstrable; Distinguishable; Right of Withdrawal.

Silence/acquiescence is not the same thing as consent. If a data subject says nothing when given the opportunity to object, or fails to opt-out or unsubscribe, this will not amount to valid consent.
NDPR: Rights of Data Subjects

01 Right of Access – For information about the purpose of the processing, categories of data processed, period for which the data would be stored, the sources of the data (charged fees in some instances).
02 Right of Rectification – Data subjects have the right to rectification of inaccurate personal data.
03 Right to be Forgotten – If the continued processing of those data is not justified, the data subject can withdraw consent and demand the erasure of their data.
04 Right to Restrict Processing – Meaning that the data may only be held by the controller, and may only be used for limited purposes, where the data subject cannot demand erasure.
05 Right of Data Portability – Receive the data in a structured, commonly used, machine-readable format that supports re-use; transfer or transmit it from one controller to another, or store it.
06 Right to Object to Processing – Where the basis of the processing is public interest or legitimate interest of the controller. The data subject can also object to processing for direct marketing purposes.
NDPR: Rights of Data Subjects

07 Right to be informed about processing of data on all rights requests – For information about the purpose of the processing, categories of data processed, period for which the data would be stored, the sources of the data (charged fees in some instances).
08 Right of Erasure – Data subjects have the right to rectification of inaccurate personal data.
09 Right to communicate information relating to processing – For all information relating to processing (any form of processing).
10 Right to be informed about reasons for delay or non-provision of information – Where there is delay in the provision of information to the data subject, the data subject has the right to be informed about the reason for the delay.
Controller’s Obligations (MTN Obligations)

Accountability – The controller is responsible for implementing appropriate technical measures to ensure compliance with the requirements of the Regulation.

Notify Affected Data Subjects about Breaches – Notify without undue delay the contact details of the DPO, the likely consequences of the breach and the measures taken to remedy same.

Data Protection by Design – Incorporate safeguards in both the planning and implementation phases of the processing activities of any new product or service.

Impact Assessments – Where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects.

Records of Processing Activities – Such as purposes of processing, categories of data subjects and the data processed, whom the data may be shared with, retention period etc.

Appointment of a DPO – A controller or processor must appoint a DPO if local laws require it to do so, or if its data processing activities involve processing data on a large scale.
General Data Protection Principles

1st Step towards Compliance

01 – FAIRLY & LAWFULLY: Personal data must be processed fairly and lawfully.
02 – LIMITED PURPOSE: Personal data shall only be used in accordance with the purposes for which it was collected.
03 – PROPORTIONATE: Personal data must be proportionate, relevant and not excessive.
04 – ACCURATE: Personal data must be accurate and where necessary kept up to date.
05 – LIMITED RETENTION PERIOD: Personal data must be kept for no longer than is necessary.
06 – RIGHTS OF DATA SUBJECTS: Personal data must be processed in accordance with the rights of data subjects. (MTN Nigeria Communication Limited vs Barrister Godfrey Eneye.)
07 – SECURITY: Appropriate technical and organizational measures must be established to protect the data.
08 – TRANSFER: Personal data must not be transferred outside territorial jurisdiction unless adequate provisions are in place.
Scanning through HR Division

• Employees’ personal details – These include name, address, images, tribe.
• Applicants’ personal details – Names, address, tribe, religion etc.
• Employees’ emails, staff I.D. numbers
• Employees’ records – These include the performance scores, line manager’s comments etc.
Scanning through Corporate Relations

• Details of MTN Foundation’s beneficiaries – These include name, address, images, phone numbers.
• Sensitive personal details of MTN Foundation beneficiaries – These include tribe, religion, opinion, union membership.
• Details of politically exposed persons – These include name, address, positions, phone numbers etc.
• Personal records of complainants etc. – These include names and addresses of complainants through the Legal department.
Scanning through Customer Services

• Text messages of customers – These include customers’ personal texts or complaints to Customer Services.
• Customers’ personal details – These include pictures, home addresses, email addresses.
• Call records of customers – These include the time, location and numbers called.
• Customers’ activities (profiling) details – Number of recharges, amount recharged, browsing activities etc.
Scanning through Procurement

• Personal details of vendors’ representatives – These include name, home address, email addresses, phone numbers.
• Sensitive personal details of vendors’ representatives – These include tribe, religion, opinion, union membership.
• Personal details of shareholders & directors of MTN partners – These include names, home addresses, positions, phone numbers etc.
• Personal records of employees – Names, email addresses & phone numbers of staff that apply for procurement services.
Required Compliance Solutions

REQUIREMENT – COMPLIANCE SOLUTIONS

Processing and Storing Personal Data
• Use personal data only for the purpose and time specified by the user; process it lawfully & fairly.
• Mask, encrypt, and anonymize all Personally Identifiable Information (PII), depending on its exact usage and storage state.

User Consent
• Collect and process all personal data only after obtaining explicit consent, where there is no statutory or contractual basis for collection.
• Redesign processes linked to VAS and other data monetization strategies, in line with the user consent mandate.

Rights of the data subject
• Honor the rights of the data subject.
• Implement a robust data lifecycle management framework involving data minimization and data access management, with built-in functionalities for easy data modification, portability and erasure.

Data Breach
• Report data breaches.
• Build effective breach detection and notification mechanisms across internal systems.
Required Compliance Solutions

REQUIREMENT – SOLUTIONS

Data protection by design
• Carry out data protection impact assessments regularly.
• Leverage solutions such as data encryption, masking, and pseudonymisation.
• Promote role-based access to IT and data assets through enforcement of advanced identity and access management (IAM) protocols.
• Conduct a vulnerability assessment and penetration testing (VAPT) for all applications, and chalk out a business continuity plan (BCP) for each one.

Impact assessments
• Conduct data protection impact assessments to identify risks to users, and also detail how such risks will be mitigated.
• Roll out an extensive compliance audit program for robust risk management.

Data protection officers (DPO)
• Appoint a DPO to oversee the data security strategy and NDPR compliance (and other local laws).

Records of processing
• Maintain records of processing activities and prepare records of processing as a part of the NDPR assessment report.
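As an added illustration of the masking, pseudonymisation and data-subject-rights handling called for in the two solution tables above (example code written for this page, not MTN’s or NITDA’s own implementation), the Python below gives one constructed customer record a different treatment per storage state: a keyed token for analytics and profiling, masking for agent screens, a JSON copy for portability, and aggregate-only retention after erasure. The record values, field names and the HMAC key are all constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample record of the kind a telco customer-services or
# profiling system might hold (fictitious values, not real customer data).
CUSTOMER = {
    "msisdn": "2348030000001",
    "email": "subscriber@example.com",
    "home_address": "12 Example Close, Lagos",
    "card_number": "4111111111111111",
    "recharge_count": 7,
    "recharge_total_ngn": 3500,
}

# Fields that identify the data subject directly; the rest is usage data.
DIRECT_IDENTIFIERS = ("msisdn", "email", "home_address", "card_number")


def pseudonymise(record: dict, key: bytes) -> dict:
    """Storage state 'analytics/profiling': keep usage data, replace direct
    identifiers with a keyed token. HMAC rather than a bare hash, so the token
    cannot be rebuilt from a guessed phone number; only the controller holding
    `key` can re-link it to the subscriber."""
    token = hmac.new(key, record["msisdn"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = token
    return out


def mask(value: str, visible: int = 4) -> str:
    """Storage state 'display' (agent screens, logs): show only the last few
    characters of a card number or MSISDN."""
    return "*" * max(len(value) - visible, 0) + value[-visible:]


def export_portable(record: dict) -> str:
    """Right of data portability: a structured, machine-readable copy (JSON).
    Card data is left out because the subject already holds the card."""
    return json.dumps({k: v for k, v in record.items() if k != "card_number"}, sort_keys=True)


def erase(record: dict) -> dict:
    """Right to be forgotten: drop every personal field and keep only the
    aggregate counters, which no longer relate to an identifiable person."""
    return {k: v for k, v in record.items() if k in ("recharge_count", "recharge_total_ngn")}
```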
Thank you
