Author: Ade Adedeji from DataWorks Analytics
The global data protection landscape is growing. As nations tackle the huge challenge resulting from the invasion of privacy of their citizens and the abuse of personal data, due to the increase in the use of technology in everyday living and business, new data protection laws are emerging in every continent.
To tackle this issue, Nigeria issued the Nigeria Data Protection Regulation (NDPR) in 2019 – its first comprehensive data protection regulation and will soon be passing a new Data Protection Bill of 2020.
These laws protect personal data and provide individuals with rights over their data, and consequently imposes new compliance obligations around how organisations and governments process, handle and utilise personal data.
The introduction of the regulation comes with complex data protection and information security challenges and risks that most organisation from various sectors need to understand and introduce both technical and organisational measures to mitigate these challenges by protecting the privacy of individuals and reducing data breaches.
Some of these challenges faced by organisations include:
✅ Some organisations know they need to comply with the regulation but don’t know how to start.
✅ Lack of awareness of the regulation within the organisation particularly amongst senior business executives and C-level leaders.
✅ Some leaders do not see the importance or relevance of these regulations to their business.
✅ Shortage of skilled data protection and privacy professionals such as Data Protection Officers to advice business leaders.
✅ Lack of education and awareness about data protection compliance activities.
7 Essential Steps to Get Ahead with NDPR Compliance
1.Get Senior Stakeholder Buy-in
One of the most important steps to get ahead with NDPR compliance in an organisation is to ensure that there is continuous support from the senior executives within the organisation.
They need to be brought up to speed quickly to: understand the regulation, the obligations of the regulation on the organisation, the impact of non-compliance of the regulation and a data breach, the implied risks to the organisation as well as to the data subjects, etc.
2. Appoint a Privacy Champion
It is vital for organisations to appoint a Privacy Champion – a Senior Executive who has full support of the Chief Executive Officer (CEO) to take ownership and lead the delivery of NDPR compliance within the organisation – to set out the data protection strategy and goals of the organisation which should include setting up a privacy programme.
The Privacy Champion could be the Chief Risk Officer, Head of Legal, Head of IT, Head of Compliance, etc.
Key functions of the champion include managing communication to engage the entire organisation, ensure their peers are on-board and fully engaged, and to mobilise the organisation to get behind the compliance initiative.
3. Engage a Good Data Protection Compliance Organisation (DPCO)
NDPR introduces the concept of the Data Protection Compliance Organisations (DPCO). DPCOs are organisations licensed by Nigeria Information Technology Development Agency (NITDA) to provide support and expertise to organisations as they embark of their NDPR compliance journey.
A good DPCO would understand the intricacies of the regulation and how to set up a programme to steer the organisation as in the right direction.
The privacy programme should include a communication plan, NDPR training and awareness for all staff, completion of a NDPR audit and file the NDPR Audit report with NITDA, and the delivery of a prioritised remediation plan with effective privacy and security, a method to measure the privacy maturity of the organisation, in order to demonstrate progress.
4. Appoint or Outsource a Data Protection Officer (DPO)
The Data Protection Officer (DPO) plays a pivotal role in the compliance journey of an organisation. According to the regulation the DPO is responsible for ensuring that the organisation applies the laws protecting individuals’ personal data. The regulation also states that a DPO must have verifiable professional expertise and knowledge of data protection.
The challenge is that the privacy profession in Nigeria is new, and in its infancy. Subsequently, there is a shortage of good DPOs and most organisations find it difficult to hire one.
An option is to hire or appoint from within, however it is important you have a DPCO working alongside the DPO to ensure they are acquiring relevant skills and knowledge. Another option is to outsource the DPO function to a DPCO while the DPO is being trained.
5. Educate Staff
Embedding NDPR compliance within the organisation is comparable to most change and business transformation initiatives. Staff are going to resist embracing the changes to policies, procedures and the new ways of working.
It is common for NDPR or other privacy compliance initiatives to be seen by staff as a barrier and road block to getting things done.
Consequently, it is important the staff are educated about the regulation, understand; the new data protection policies and guidelines, the benefits of compliance to the organisation and individual amongst others.
It is essential staff understand the changes they need to make to their daily operational processes and procedures were personal data is handled, to bring them in compliance with the regulation.
6. Measure Progress
It is of utmost importance that organisations are able to track and measure progress of the privacy programme using an agreed set of metrics that would be shared with the senior executives periodically.
These should highlight how the identified risks are being remediated and what residual risks are still in-place after controls have been applied to ensure the leaders are clear of what these risks exists.
The NDPR compliance activity is a complex journey with a myriad of challenges that organisations will encounter.
A good way forward, after the organisation completes its audit is to look at how some of the issues identified can be resolved by deploying effective controls based around leveraging the use of privacy enhancing technology.
The advantage of using these tools are that they help simplify your compliance effort, improves collaboration amongst key stakeholders, ensure your controls are robust and effective, provide visibility to key stakeholders and ensure you are able to respond to handle data in a more compliant way.