Citizens’ data protection more than ever is proving to be a vital yardstick that measures how well a country is doing in preserving its sovereignty against unauthorised meddling, hence the Nigerian Data Protection Commission’s (NPDC) charge to corporate entities urging them to be mindful of not dropping the ball.

On Tuesday 10 September 2024 at the Nigerian Content Development and Monitoring Board (NCDMB) 10 Oxbow Lake Road headquarters in Yenagoa, the NDPC emphasised this as part of an enlightenment campaign.

It was specifically at a one-day Data Protection and Privacy Induction Training for NCDMB staff that this point was made using the Nigerian Data Protection Act (NDPA) of 2023 to mirror the essence of safeguarding user information.

ALSO READ: If writers do not know the way to make money off their art, NCDMB will show them how at a book reading

Leading a presentation on the subject was Ms Adaobi Fatima Sanni who said data protection is primarily concerned with measures and mechanisms to safeguard data against unauthorised access, as well as breaches or loss. 

Section 37 of The Constitution of the Federal Republic of Nigeria, 1999 (as Amended), says the facilitator, guarantees the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications” is protected.

Nonetheless, this is not always the outcome. Therefore giving consumer protection agencies more work to do beyond their scope.

According to Ms Sanni, the ‘Principles of Processing Personal Data,’ must include data minimisation. This feature requests that data should be adequate, relevant and limited to what is necessary unlike what free-flying informal sector players and loan apps have been doing.

Never should any organisation operate beyond the data limitations set by the law and the training for the NCDMB staff reiterates this fact. What is expected of any entity is that information gathering should be restricted to the purpose for which they were collected, the accuracy and storage limitation.

With storage limitation, the facilitator re-established a well-known fact dictating that personal data should be kept only for the period necessary for the purposes. And once data is no longer needed, she adds, they should be deleted or rendered anonymous.

If organisations want to make sure they do not run afoul of the NPD Act, they must be intentional. It starts with developing a data privacy policy, processing data in line with the principles of the NDPA, designating a senior officer as a data protection officer, registering as a data controller or processor of major importance with the Commission, engaging a data protection compliance organisation to file an audit, likewise directing contractors and also vendors to comply with the Act.

Still at the data protection and handling training for the Board’s staff, the second major presentation titled “Technical and Organisational Measures for Data Protection” happened and the facilitator was Mr Victor Danladi Barde, who brought it into the minds of all present what Section 40 of the NDPA says about a time limit for treating data breaches.

ALSO READ: After the pilot oil and gas park, NCDMB spreads its wings to 3 more posts

Within 72 hours of noticing a personal data breach, the responding official be it the data controller or a processor must take necessary mitigation steps.  Responding to security incidents quickly, efficiently and in an organised manner will help organisations minimise damages, mitigate threats, restore operations, services and processes.

Ayodele Johnson

Ayodelé is a Lagos-based journalist and the Content and Editorial Coordinator at Meiza. All around the megacity, I am steering diverse lifestyle magazine audiences with ingenious hacks and insights that spur fast, informed decisions in their busy lives.