Businesses continue to rely on third-party service providers to deliver their products and services.
As the number of data-driven businesses grows worldwide, engaging third-party data processors to handle customers' personal data has become equally common. Given the emerging rules on the protection of personal data, it is crucial for a business (the "Controller") to understand the steps it should take before engaging the services of a data processor (the "Processor"). Today's newsletter highlights a few of these steps to help ensure compliance with the Nigeria Data Protection Regulation 2019 ("NDPR").
1. Researching Applicable Law
It is important for the company, first and foremost, to research the applicable laws, because certain restrictions apply to the processing of personal data. For instance:
- Sensitive personal data cannot be processed except with the consent of the data subject.[i]
- An individual's Bank Verification Number (BVN) can only be processed for banking purposes and cannot be stored or processed outside Nigeria.[ii]
- Personal data cannot be transferred to a country that is not on the whitelist without the specific consent of the data subject.[iii]
2. Conducting a DPIA
It is also important to conduct a Data Protection Impact Assessment (DPIA). A DPIA is an assessment conducted to identify, evaluate and minimise the risks associated with a data processing activity. Before engaging a Processor, the Controller should assess the potential risks attributable to the intended processing. The assessment can be carried out by a Data Protection Officer or by a licensed Data Protection Compliance Organisation (DPCO). It is particularly important where the engagement introduces a new business process or activity that involves sensitive personal data or large-scale processing of personal data. In general, the DPIA enables the Controller to identify the risks and put mitigations in place before the processing begins.
3. Audit of the Service Provider
Under the Nigeria Data Protection Regulation (NDPR), the Controller is responsible for ensuring that the Processor complies with the provisions of the NDPR. Consequently, before a Processor is engaged, the Controller is required to audit the Processor's practices to confirm that it generally complies with the NDPR and any other applicable data protection laws in relation to the collection, storage and other processing of personal data. This is also imperative because the Controller and the Processor will be jointly liable for the acts or omissions of the Processor.
The audit may be conducted by sending the Processor a questionnaire requesting responses and supporting evidence on the relevant data privacy matters, as well as by an on-site inspection carried out by a representative of the Controller.
4. Entering into a Data Processing Agreement
A company engaging a Processor is expected to enter into a contract with the Processor containing provisions which ensure that the Processor:
- only processes personal data on the documented instructions of the Controller;
- adopts adequate security measures to prevent a data breach;
- is, together with its employees, bound by confidentiality obligations;
- does not engage a sub-processor without the consent of the Controller, and only in compliance with the law;
- assists the company in honouring data subject rights;
- assists the company in the event of a breach (including notifying the Nigeria Data Protection Bureau and the affected data subjects) and in conducting a DPIA;
- deletes the data upon conclusion of the engagement;
- provides evidence of compliance with the NDPR, including allowing and contributing to audits and inspections.
The President of Nigeria recently approved the establishment of the Nigeria Data Protection Bureau (NDPB), a government agency dedicated to promoting and implementing the NDPR and handling other data privacy matters, functions that previously fell within the remit of the National Information Technology Development Agency.[iv]
With the growing awareness of data protection in Nigeria, companies are expected to take these steps before engaging Processors, in order to ensure compliance with the applicable data privacy laws.
[i] Article 5.3.1 of the NDPR Implementation Framework
[ii] Article 1.9 of the Central Bank of Nigeria Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-list for the Nigerian Banking Industry
[iii] Article 2.12 of the NDPR and Article 7.2 of the NDPR Implementation Framework