
NDPR Employee Awareness and DPO Training

NDPR training materials (for participants)

writeosahon

Presentation Transcript


  1. NIGERIA DATA PROTECTION REGULATION (NDPR) EMPLOYEE AWARENESS AND DPO TRAINING NITDA LICENSED DPCO Note: This presentation, training material and supporting materials do not constitute legal advice.

  2. NDPR OVERVIEW What does NDPR stand for? NDPR stands for Nigeria Data Protection Regulation. The NDPR was issued in January 2019 by NITDA (National Information Technology Development Agency). NITDA is the national agency charged with developing national regulations for electronic governance, electronic data interchange, electronic communication transactions, data protection and data privacy.

  3. NDPR OVERVIEW What does NDPR (the regulation) mean? • The regulation covers all transactions involving the collection, control and processing of personal data; regardless of the means of data collection, control and processing. • The regulation applies to organisations operating within Nigeria or organisations that operate outside Nigeria but whose transactions involve the personal data of Nigerian citizens. • The regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria. • The regulation provides articles which cover – accountability/responsibilities of organisations, rights of citizens/data subjects, and the compliance/enforcement of the regulation. ©UTOPIA SOFTWARE Happy Customer, Perfect Software Email: info@utopiasoftware.com.ng

  4. NDPR OVERVIEW Does NDPR replace other laws and legislation? No. NDPR exists to protect the personal data and personal data rights of citizens. Other legislation will dictate what you collect, with whom you share it and how long you keep it. NDPR also does not deny any Nigerian or any natural person the privacy rights they are entitled to under any law, regulation, policy or contract in force in Nigeria or in any foreign jurisdiction.

  5. NDPR OVERVIEW What are the consequences of NDPR non-compliance? Non-compliance by organisations that fall under the purview of the NDPR could result in one or more of: • Sanctions – organisations could face sanctions such as suspension of services or of an operating licence, an order to comply, etc. • Fines – for a Data Controller handling the data of more than 10,000 Data Subjects, up to ₦10 million or 2% of annual gross revenue of the preceding year (whichever is greater); for fewer than 10,000 Data Subjects, up to ₦2 million or 1% of annual gross revenue (whichever is greater). • Legal Prosecution – where non-compliance leads to breaches, fraud, national security concerns, etc.

  6. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Natural Person – an individual who can be identified, directly or indirectly, by means of an identifier such as a name, identification numbers (e.g. BVN, TIN, passport number), electronic identifiers (e.g. email, IP address), the physical, physiological, genetic, mental, economic, cultural or social identity of that person, medical information, SIM, bank details, and others. • Personal Data – any information relating to an identified or identifiable natural person.

  7. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Data Subject – any person who can be identified, directly or indirectly, by the personal data being collected or processed. • Sensitive Personal Data – any data relating to religious or other beliefs, sexual orientation, health, financial information, biometrics, race, ethnicity, political views, trade union membership, criminal records or any other sensitive personal information.

  8. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Personally Identifiable Information (PII) – any information that can be used on its own to identify, contact or locate a single person, or to identify an individual in context. E.g. email address, national identity number, etc. • Processing – any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, erasure, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, etc.

  9. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Profiling – any automated processing of personal data intended to evaluate, analyse or predict data subject behaviour. E.g. banks may use automated procedures to evaluate an individual's credit/debit history and income in order to decide whether the individual is creditworthy, or insurance firms may use automated algorithms to analyse an individual's age, occupation and previous accident history in order to decide whether the individual is insurable and what premium to charge.

  10. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Data Controller – a person, group of people or organisation which, alone or jointly with others (or as a statutory body), determines the purposes for and the manner in which Personal Data is processed or is to be processed. • Data Processor / Data Administrator – a person, entity or organisation that processes data on behalf of the Data Controller. NOTE: the data controller can also be the data processor.

  11. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Data Protection Officer (DPO) – a member of staff or a contractor duly appointed by the Data Controller for the purpose of ensuring adherence to NDPR and ensuring use of the relevant privacy instruments and data protection directives as determined by the Data Controller. The DPO acts as the contact point for the supervisory authority on issues related to personal data privacy and protection. NOTE: the DPO must be verifiably competent to handle data protection and privacy issues. This position can be outsourced/contracted.

  12. NDPR – Definitions of Terms These terms are used in NDPR and should be understood • Data Protection Compliance Organisation (DPCO) – any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with NDPR or any foreign Data Protection Law or Regulation having effect in Nigeria. • Supervisory Authority – NITDA or any other statutory body or establishment having government's mandate to deal solely or partly with matters relating to Personal Data NOTE: UTOPIA SOFTWARE is a duly licensed DPCO

  13. NDPR MODEL Summary of entities involved in NDPR [Diagram: NITDA (supervisory authority) provides regulatory oversight, assessment and enforcement; the DPCO acts as compliance and implementation partner to the Data Controller; the Data Subject grants permission to process and holds rights against the Data Controller (organisation), which has duties towards them; the Data Controller employs/assigns a Data Processor and a DPO to ensure compliance; disclosures to lawful third parties (police, EFCC, FIRS, etc.) and transfers to foreign countries are shown with the questions "Inform?", "Disclosure?" and "Is transfer NDPR compliant?"]

  14. NDPR OBJECTIVES Why was NDPR created? • To safeguard the rights of natural persons to data privacy. • To foster safe conduct of transactions involving the exchange of Personal Data. • To prevent unauthorised and criminal use of Personal Data. • To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection which is in tune with best practice.

  15. PRINCIPLES OF NDPR How does NDPR achieve its objectives? NDPR OPERATES UNDER 7 PRINCIPLES OR RULES 1. Lawfulness and Legitimacy 2. Specific Purpose 3. Data Minimisation 4. Accuracy 5. Storage and Security 6. Confidentiality, Integrity and Availability 7. Compliance and Enforcement

  16. NDPR The Legal and Lawful Conditions for Collection/Processing of Personal Data • Data Subject Consent – the Data Subject has given informed consent to the processing of his or her Personal Data for one or more specific purposes • Necessary for Contract Execution – the collection and processing of Personal Data is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract.

  17. NDPR The Legal and Lawful Conditions for Collection/Processing of Personal Data • Legal Obligation – Collection/Processing of personal data is required by law or necessary for compliance with a legal obligation to which the Data Controller is subject. E.g. CBN regulations require banks to collect certain personal data; SEC requires brokerage firms to collect certain personal data. • To Protect Vital Interests – processing is necessary in order to protect the vital interests of the Data Subject or of another natural person. Vital interests are common in life or death healthcare situations.

  18. NDPR The Legal and Lawful Conditions for Collection/Processing of Personal Data • For Public Interests – collection/processing of personal data is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the data controller. E.g. for public census, for general house-to-house immunisation programmes.

  19. NDPR How long is a Data Controller allowed to store Personal Data? NDPR does not explicitly prescribe a storage period, because that detail may be governed by existing laws or contractual agreements. However, where the time frame for storing/holding the personal data is not specified, the following defaults apply: • 3 years after the last active use of a digital platform. • 6 years after the last transaction in a contractual agreement. • Upon presentation of evidence of the death of the Data Subject. • Upon request of the Data Subject or his or her legal representative.

  20. EXCEPTIONS TO NDPR NDPR will not apply in certain circumstances • Situations of national security, public safety and legal order handled by agencies of government or those they expressly appoint to carry out such duties on their behalf. • Criminal and Tax Offence Investigation – NDPR will not act in any way to limit the powers of criminal investigators and prosecutors. • NDPR does not apply to the use of personal data in domestic affairs. However, where family members, friends, etc. use personal data to commit a crime against the Data Subject, the data shall be subject to police investigation and prosecution.

  21. NDPR ENTITIES Accountability & Responsibilities of Data Controller /Organisations • Implement appropriate technical & organisational measures to ensure and demonstrate compliance (e.g. training, policies, audits etc) • Maintain relevant documentation e.g. controller info, purposes of processing, recipients and location of data, data retention schedules, security measures, privacy and protection policies. • Implement data protection by design e.g. minimisation, pseudonymisation, transparency, security. • Use Data Protection Impact Assessments / Risk Assessments. • Appoint a Data Protection Officer
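As an added illustration of the "minimisation" and "pseudonymisation" measures named on slide 21 (example code written for this page, not code from the training deck, Utopia Software or NITDA): the records, field names, candidate BVN range and key below are all constructed for the demo. It shows why a keyed token (HMAC under a secret held by the controller) is the right tool for pseudonymising structured identifiers such as a BVN, while an unkeyed hash of the same value can be reversed by simple enumeration.

```python
"""Keyed pseudonymisation and data minimisation of personal data records.

Added example for the 'data protection by design' bullet of slide 21.
All records, field names and the candidate range are constructed; none
refer to real data subjects.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed sample records (not real people, not real BVNs).
SAMPLE_RECORDS = [
    {"name": "Ada Okafor", "bvn": "22110000123", "email": "ada@example.com",
     "loan_amount": 250000, "city": "Lagos"},
    {"name": "Bayo Adeyemi", "bvn": "22110000456", "email": "bayo@example.com",
     "loan_amount": 80000, "city": "Abuja"},
]

# Fields that identify a natural person directly (assumed for this demo).
DIRECT_IDENTIFIERS = ("name", "bvn", "email")


def minimise(record, needed_fields):
    """Data minimisation: keep only the fields the stated purpose needs."""
    return {k: v for k, v in record.items() if k in needed_fields}


def pseudonym(value, key):
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 under a secret key, truncated to 128 bits and base64url
    encoded. The same value gives the same token under the same key, so
    records can still be joined, but nobody without the key can recompute
    or reverse the token.
    """
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag[:16]).decode("ascii").rstrip("=")


def pseudonymise(record, key, identifiers=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with keyed tokens; other fields pass through."""
    return {k: (pseudonym(str(v), key) if k in identifiers else v)
            for k, v in record.items()}


def unkeyed_hash(value):
    """The weak alternative: plain SHA-256 with no secret."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def reverse_by_guessing(target, candidates, hash_fn):
    """Attacker's dictionary attack: recompute hash_fn over likely values."""
    for candidate in candidates:
        if hash_fn(candidate) == target:
            return candidate
    return None


def demo():
    """Run the comparison and return the outcomes for inspection."""
    # The key lives with the controller, stored separately from the data set.
    key = secrets.token_bytes(32)
    purpose_fields = ("bvn", "loan_amount", "city")   # assumed purpose: credit review
    released = [pseudonymise(minimise(r, purpose_fields), key) for r in SAMPLE_RECORDS]

    # A BVN is a fixed-format 11-digit number; an attacker who knows a prefix
    # can enumerate the rest. Constructed candidate range for the demo.
    candidates = [f"2211000{i:04d}" for i in range(1000)]
    real_bvn = SAMPLE_RECORDS[0]["bvn"]

    return {
        "released": released,
        "plain_hash_recovered": reverse_by_guessing(unkeyed_hash(real_bvn), candidates, unkeyed_hash),
        "keyed_token_recovered": reverse_by_guessing(released[0]["bvn"], candidates, unkeyed_hash),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The released records carry no name or email at all (minimisation) and a token in place of the BVN (pseudonymisation); re-identification requires the key, which should be held by the controller under its own access control and rotated with a documented mapping if tokens must survive rotation.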

  22. NDPR ENTITIES Rights of the Data Subject 1. The Right To Be Informed 2. The Right Of Access To Personal Data 3. The Right To Rectification 4. The Right To Erasure 5. The Right To Restrict Processing 6. The Right To Data Portability 7. The Right To Object To Processing 8. The Rights In Relation To Automated Decision Making And Profiling NOTE: All employees must know, adhere to and uphold these rights.

  23. NDPR ENTITIES Data Protection Officer (DPO) - Responsibilities • The DPO is responsible for informing and advising the Data Controller or Data Processor and employees of the organisation regarding NDPR and data protection/privacy. • DPO must monitor NDPR compliance, including monitoring assignment of responsibilities; awareness and training of staff involved in data processing and related audits. • Provide advice on the Data Protection Impact Assessment and monitor its performance.

  24. NDPR ENTITIES Data Protection Officer (DPO) - Responsibilities • The DPO must cooperate with the supervisory authority (NITDA). • Act as the contact point for the supervisory authority on issues related to the processing of personal data.

  25. NDPR BREACH REPORTING A Personal Data breach is a breach of security leading to the destruction, alteration or unauthorised disclosure of, or unauthorised access to, Personal Data. NDPR requires Data Controllers to have policies and procedures for monitoring and reporting violations of data privacy and protection. Data Controllers MUST notify NITDA of data privacy/protection breaches within 72 hours of becoming aware of the breach. Data Controllers must also notify the affected Data Subjects where their Personal Data has been breached.

  26. NDPR TRANSFER OF DATA Transfer of Data to foreign countries/locations Transfer or storage of Personal Data in a foreign country or with an international organisation may take place where NITDA has decided that the foreign country or international organisation in question ensures an adequate level of protection. Examples of foreign countries to which data can be transferred are EU GDPR countries, the United States, Australia and China. If Personal Data is being transferred to a country that has not been approved as providing adequate protection, then the explicit consent of the Data Subject MUST BE OBTAINED after the Data Subject has been informed of the risks, unless one of the other derogations in the regulation (e.g. performance of a contract with the Data Subject, important public interest, legal claims, vital interests) applies.

  27. BENEFITS OF EMBRACING NDPR Advantages of NDPR to Data Controllers As You Increase: • NDPR Awareness • Training • Security • Use of formal processes • General accountability & compliance These Risks Decrease: • Data Breaches • Severe Penalties or Sanctions • Legal Prosecution • Loss of reputation & trust

  28. INTERNATIONAL DATA PROTECTION & PRIVACY LAWS EU GENERAL DATA PROTECTION REGULATION (GDPR) The General Data Protection Regulation (GDPR) is Europe's framework for data protection and privacy law. It came into effect on 25 May 2018 across all European Union member states, which at the time included the UK. It applies to all entities established in the EU and to any organisation outside the EU that controls or processes the Personal Data of individuals in the EU. GDPR is regarded as the gold standard in data privacy and protection regulation. NDPR and its principles closely mirror the GDPR.

  29. NIGERIA DATA PROTECTION REGULATION (NDPR) EMPLOYEE AWARENESS AND DPO TRAINING NITDA LICENSED DPCO THANK YOU!!
