Many Nigerians still don’t take the protection of their data privacy seriously. This explains why their data and personal information are breached by some dubious companies and individuals whose custodies the data are kept. This lack of adequate knowledge about what data protection entails is no doubt making Nigerians’ data vulnerable to breach.
On Tuesday, the National Information Technology Development Agency (NITDA) slammed a N10 million fine on an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion.
In addition to the fine, NITDA also suspended the firm over unauthorised disclosures and failure to protect customers’ personal data. The IT regulatory agency said the company also failed the necessary due diligence enshrined in the Nigeria Data Protection Regulation (NDPR) as carried out by NITDA.
It said Soko Loans would grant its customers uncollateralised loans and would require them to download its mobile application on their phone and activate a direct debit in the company’s favour. “This enables the app to gain access to the loanee’s phone contacts’’, NITDA’s spokesperson Hadeeza Umar said.
She said: “According to one of the complainants, when he failed to meet up with his repayment obligations due to insufficient credit in his account on the date the direct debit was to take effect, the company unilaterally sent privacy-invading messages to the complainant’s contacts.”
She said the online lending company would then breach its customers’ data by contacting the contacts in their phones who were neither party to the loan transaction nor consented to the processing of their data.
And this is one of the reasons experts said every Nigerian should be fully aware of data protection and privacy. Data protection is the process of safeguarding important information from corruption, compromise, or loss.
The importance of data protection increases as the amount of data created and stored continues to grow. Consequently, a large part of any data protection strategy is hinged on ensuring that data can be restored quickly after any corruption or loss.
Protecting data from compromise and ensuring data privacy are other key components of data protection; however, where there are no laws to enforce in the event of a breach, the value of those rights is lost. In order to uphold the sanctity of these rights, sovereign nations of the world put in place regulations and other mechanisms to guarantee them.
Nigeria is not left out in this global community of data privacy and protection regulation. This paper seeks to evaluate the laws which regulate and protect data in Nigeria and how they could impact her data privacy and data protection regime.
Nigeria Data Protection Regulation
The Nigeria Data Protection Regulation (NDPR) was issued in January 2019 pursuant to Section 6 (a,c) of the NITDA Act 2007. The regulation is the current national law on data protection in Nigeria. It applies to public and private sector processing of personal data within and outside Nigeria. The regulation is aimed at protecting the right to privacy, creating the right environment for digital transactions, job creation, and improving information management practices in Nigeria.
The terms data protection and data privacy are often used interchangeably, but there is an important difference between the two. Data privacy defines who has access to data, while data protection provides tools and policies to actually restrict access to the data, according to data protection experts.
Why is data privacy important?
Data privacy concerns apply to all sensitive information that organisations handle, including that of customers, shareholders, and employees. Often, this information plays a vital role in business operations, development, and finances.
Data privacy helps ensure that sensitive data is only accessible to approved parties. It prevents criminals from being able to maliciously use data and helps ensure that organizations meet regulatory requirements.
Data privacy is enforced by data protection regulations. Non-compliance may result in monetary fines or loss of brand authority.
Data protection technologies and practices that can help you
When it comes to protecting your data, there are many storage and management options you can choose from. Solutions can help you restrict access, monitor activity, and respond to threats. Here are some of the most commonly used practices and technologies:
Data loss prevention (DLP)—a set of strategies and tools that you can use to prevent data from being stolen, lost, or accidentally deleted. Data loss prevention solutions often include several tools to protect against and recover from data loss.
Storage with built-in data protection—modern storage equipment provides built-in disk clustering and redundancy. For example, Cloudian’s Hyperstore provides up to 14 nines of durability, low cost enabling storage of large volumes of data, and fast access for minimal RTO/RPO.
Firewalls—utilities that enable you to monitor and filter network traffic. You can use firewalls to ensure that only authorized users are allowed to access or transfer data.
Authentication and authorization—controls that help you verify credentials and assure that user privileges are applied correctly. These measures are typically used as part of an identity and access management (IAM) solution and in combination with role-based access controls (RBAC).
Encryption—alters data content according to an algorithm that can only be reversed with the right encryption key. Encryption protects your data from unauthorized access even if data is stolen by making it unreadable. Learn more in our article: Data Encryption: An Introduction.
Endpoint protection—protects gateways to your network, including ports, routers, and connected devices. Endpoint protection software typically enables you to monitor your network perimeter and to filter traffic as needed.
Data erasure—limits liability by deleting data that is no longer needed. This can be done after data is processed and analysed or periodically when data is no longer relevant. Erasing unnecessary data is a requirement of many compliance regulations, such as GDPR.
Keeping up with data protection regulations
The widespread usage of personal and sensitive data, has raised the significance of protecting this data from loss, and corruption. Global authorities have stepped in with regulatory compliance like General Data Protection Regulation (GDPR).
The GDPR emphasizes the personal data rights of EU residents, including the right to change, access, erase, or transfer their data. Personal data refers to any information that relates to an individual. This includes names, physical traits, addresses, racial or ethnic characteristics, and biometric data like DNA and fingerprints.
How organisations can maintain secure data storage
Organizations usually store sensitive data on their computers, servers, and on the cloud. Without a proper data security policy, sensitive information can fall into the hands of attackers, enabling them to gain access to your network, and expose the personal information of customers and employees.
Data encryption
Data encryption is a process of converting data into encoded information, called ciphertext. The encoded information can only be decoded with a unique decryption key. You can generate the key either at the time of encryption or beforehand.
Encryption ensures the integrity of data by protecting it from unauthorized modification. Encryption reduces the risk of accessing data from untrustworthy sources by verifying data’s source.
Continuous data protection
Continuous Data Protection is a method for backing up data every time a change is made. A continuous data protection system maintains a record of all data changes and enables you to restore a system to any previous point in time.
