General Data Protection Regulation in Nigeria
Introduction to GDPR: The Who, What, When, Why, and Where of GDPR
Why IT professionals should learn about GDPR – it is law in every country that is a member of the European Union (EU), and it also reaches organizations that work with the EU or have clients in EU countries.
Why GDPR exists – its core purpose is to protect people's fundamental rights, in particular the right to privacy.
Why we need GDPR – the EU's previous data protection law was passed in 1995, and as technology has evolved there have been many changes in how data is collected and used.
To whom it applies – GDPR applies to organizations that do anything with data about people.
It applies to all organizations in the EU and to all organizations that work with the EU, i.e. those offering goods and services in the EU or monitoring the behaviour of people in the EU.
Put simply, GDPR applies to every organization, inside or outside the EU, that works with people in the EU.
The core principles of GDPR are:
- Data use is fair and expected
- Hold only the data that is necessary
- All data must be accurate
- Delete data when it is no longer needed
- Keep data secure
- Be accountable.
What is the risk of non-compliance with GDPR?
1. Reputation – if an organization is not compliant with GDPR, people may not trust that company.
2. Fines and penalties for not following GDPR – a fine can be Euro 20 million or 4% of the organization's global turnover.
3. Liability risk – people/customers who use the organization's services can sue the organization if their data is misused or leaked.
Each country has a local data protection authority. In Nigeria, there is no such authority, but data protection is covered under the IT Act (70). It is a punishable offence, and the person can receive a jail term of 3 years or a fine of Rs. 5,00,000/-.
Let’s understand GDPR in detail –
GDPR Article 1 – “This regulation lays down rules relating to the protection of living humans with regard to processing anything with personal data… ”
- Living humans – means people, wherever in the world they are.
- Processing of personal data – means doing anything at all with data, i.e. collecting, analysing, using, recording, structuring, consulting, retrieving, transmitting or any other operation.
- Personal data – any information relating to an identified or identifiable living human, e.g. a Social Security number, PAN number or driving licence.
Three key terms in GDPR
- Data subjects – the people whose data it is: those the organization works for and those who work for it, i.e. customers or employees.
- Data controller – the party that controls the data, e.g. the information recorded once you log in, and the work and activities you perform.
- Data processors – the party that processes the data; for example, organizations use cloud services such as AWS or any other cloud to process data. Both data controllers and data processors process (do anything with) personal data. Companies or governments can be data controllers or processors.
GDPR regulations –
GDPR is split into two parts:
- Recitals – 173 recitals in total
- Articles – 99 articles in total
GDPR principles in detail
1) Fair and expected – let's discuss this in detail: all processing of data must be lawful, fair and transparent. Transparent means that when you collect data you should tell people what you are going to do with it, and why.
2) Fair – balancing the fundamental rights and freedoms of the person whose data it is against the rights of the party holding his/her data for further processing. This means, for example, that a financial website can't share people's personal data with other companies without their consent.
3) Lawful – there are six lawful reasons for processing data:
- Consent from the data subject
- A contract with the data subject
- Legal obligation – companies are bound to share data with government authorities.
- Vital interests.
- Public interest / official authority – e.g. the processing of your personal data by Siebel for your financial status.
- Legitimate interests.
Key Data Protection Concepts and Principles: All Processing Must Be Lawful
Besides the six lawful reasons above, there is special category data that cannot be processed at all, or that needs special approval from government authorities.
The categories are:
- Data that could allow discrimination – race, religion, political party, or trade union membership.
- Genetic/biometric data
- Sexual life/orientation
Still, if an organization or person wants to process special category data, they need an additional good reason, and there are six of these:
- Explicit consent from the data subject
- Employment – processing in the context of employment
- Vital interests – e.g. healthcare
- Substantial public interest
- The nature of what the organization does
- Public health – processing special category data for public health purposes
(Disclaimer – if you are looking for government-specific information on GDPR, you should consult a lawyer who advises on GDPR.)
Innovative Technology Solutions, Gurgaon, Nigeria