The lowdown on Data Privacy and Data Protection Policy for Startups

The lowdown on Data Privacy and Data Protection Policy for Startups by Olisa Agbakoba Legal OAL

Data is fueling and leveraging an increasing number of businesses and industries. You would probably have heard the expression “data is the new oil.” The director of WIPO Director General Tang said the proliferation of data in the last few years is greater than all the data generated pre 1980.

A striking example of the power of data was given by Dean Jolliffe of the World Bank, who chaired a meeting’s panel, “Data, beyond AI in a fully interconnected world”. In 1999, Cyclone BOB 06 devastated the Indian state of Odisha, killing nearly 10,000 people. In response, the state disaster management authority was tasked with collecting, evaluating, monitoring and analyzing weather data. When a similar-sized cyclone hit Odisha in 2013, over 1 million people were evacuated, and thousands of lives were saved. The Odisha case shows, said Mr Jolliffe, how the value of data even data that has been collected and tracked for many years can increase when rigour is applied.

According to Ms Khalid, Senior Research Analyst at Dubai Future Foundation in the UAE, data can be used to streamline operations and improve cost efficiency (for example, aircraft manufacturer Airbus has cut supplier delivery times from a couple of weeks to just a couple of hours by sharing design and engineering data).

The world’s most valuable companies include tech giants such as Google, Apple, Facebook and Amazon (GAFA) and Baidu, Alibaba and Tencent (BAT) whose subscribers are routinely required to provide their data to facilitate access. The internet and smartphones have contributed significantly to making data more valuable, available and abundant.

Companies are now quite eager to gather your personal data, and understandably so Legislators, on the other side of the coin, are keen to protect the privacy and safety of individuals in the face of increased data use and unethical abuse of data. Data privacy regulations like the Nigerian Data Protection Regulation, 2019 (‘NDPR’) and  Europe’s General Data Protection Regulation (GDPR) have all been passed recently to manage the risks associated with data breaches and data privacy. These regulations demand strict access controls to protect sensitive personal data.

 

What is a Data Privacy Policy?

A “Data Privacy Policy”  refers to the handling of critical personal information, also known as “personally identifiable information” (PII) and “personal health information” (PHI). Such information can include social security numbers, health records, and financial data, including bank account and credit card numbers.

It discloses how much a party gathers, uses, discloses, and manages a customer or client’s data. It adheres to a legal requirement to protect a customer’s or client’s privacy. Personal information can serve as an indicator used to identify an individual, not limited to the person’s name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intent to purchase goods and services.

In a business context, data privacy goes beyond the PII of employees and customers. Data privacy also concerns the information which helps the company operate. This could include proprietary research, development data, or financial information. Essentially all companies should have an internal policy which guides the way data is used, generated and stored.

 

A data protection policy should cover the following key features;

  • The scope of required data protection
  • Data protection techniques and policies applied by relevant parties such as individuals, departments, devices, and IT environments
  • Any applicable legal or compliance requirements for data protection
  • The roles and responsibilities related to data protection, including data custodians and roles specifically responsible for data protection activities

 

What is Data Protection?

Data protection is the process of safeguarding important information from corruption, compromise or loss. The importance of data protection increases as the amount of data created and stored continues to grow. Consequently, a large part of any data protection strategy is hinged on ensuring that data can be restored quickly after any corruption or loss.

 

The Importance of Data Privacy

Keeping private data and sensitive information safe is paramount. If information such as financial data, healthcare information, and other personal consumer or user data fall into the wrong hands, it can create a dangerous situation. The lack of access control regarding personal information can put individuals at risk for fraud and identity theft.

Additionally, a data breach at a government level may risk the security of entire countries. And if one occurs within your company, it could make your proprietary data accessible to a competitor.

This is where data protection laws come into play. As an increasingly large portion of our lives and activities now occurs online, making cybersecurity an ever-growing concern.

 

Data Privacy Laws and NDPR

In Nigeria, we have the Nigerian Data Protection Regulation, 2019 (‘NDPR’) whilst, in Europe, Europe’s General Data Protection Regulation (GDPR) prevails

The NDPR contains regulations related to the processing of personal data of individuals (formally referred to as data subjects in the NDPR) located in Nigeria. NDPR applies to all enterprises regardless of the location and size of the company or the citizenship and residence of the consumer. The NDPR mandates all organizations that process the personal data of more than 1000 data subjects in a period of 6 months and 2000 Data Subjects in a period of 12 months to submit a Data Protection Audit report to NITDA not later than 15th March every year. This involves the organization’s audit of its data privacy and protection practices. Audits are meant to show that the data controller or processor complies with the law.

Noncompliance or breach of the Privacy rights of any Data Subject under the NDPR shall apart from other criminal liability, attract penalties which include: payment of a fine of 2% of the annual gross revenue of the preceding year or 10 (ten) million naira (whichever is greater), in the case of a data controller dealing with more than 10,000 (ten thousand) data subjects, and payment of a fine of 1% of the annual gross revenue of the preceding year or 2 (two) million naira (whichever is greater), in the case of a data controller dealing with less than 10,000 (ten thousand) data subjects. Where a breach occurs, it is essential you (data controller, self-reports the breach) notify NDPB as it is a major consideration in determining the amount of fine to be levied. The report must be made within 72 hours from the time of knowledge of the breach.

Where a complaint of a breach is filed NDPB through an Administrative Redress Panel will commence an investigation. The investigation may be by way of a special audit check or “spot check”, a review of policies, procedures, or practices of the subject of the complaint and the circumstance of the alleged violation. Where there is prima-facie evidence of a breach, NDPB would request a response from the violator stating the allegations against them. If NDPB is still satisfied that a breach has occurred, it will issue a Notice of Enforcement. NDPB may also issue an administrative fine or penalty. Depending on the circumstance at hand, NDPB may issue a public statement warning the public from dealing with the violator. The NDPB prescribes that this whole process must be concluded within 28 working days. If the violator fails to take steps to address the breach, NDPB may file a Petition or Notice of Prosecution to the Attorney General’s office for the violator to be criminally prosecuted.

If unsatisfied with the decision of the Administrative Redress Panel, the alleged violator may challenge their decision in court.

In February 2022, the Nigeria Data Protection Bureau (“NDPB”), was established by the Federal Government as the principal data protection regulatory body to implement the objectives of the Nigeria Data Protection Regulation 2019 (“NDPR”), replacing the National Information Technology Development Agency (NITDA).

In furtherance of its objectives, the NDPB on October 5, 2022, issued a compliance directive (the “Directive”) to organizations that collect and or process the personal data of Nigerians. (“Regulated Entities”). Regulated Entities are required to ensure that their service providers (i.e agents, licensees, contractors etc.) comply with the NDPR.

 

Governing Principles of Data Processing

Personal data should be collected and processed observing specific, lawful and legitimate purpose as consented to by a Data Subject i.e. owner of the data being collected and processed:

  • Personal data shall be adequate, accurate and respect the dignity of the human person;
  • Storage of Personal data should be on a need-to-retain basis;
  • Personal data should be secured against foreseeable hazards;
  • The custodian of personal data owes a duty of care to the Data Subject;
  • The custodian of personal data is accountable for his acts or omissions;

 

Lawful Processing of Personal Data.

The conditions under which Personal Data would be deemed to have been lawfully processed are as follows:

  • Where consent of the Data Subject has been procured;
  • Where the processing is necessary for the performance of the contract to which the Data Subject is a party;
  • Where it is required for compliance with a legal obligation which the Data Controller i.e. the person or body of persons who determine the purposes for which and the manner in which Personal Data is being or to be processed, is required to discharge;
  • Where it is required to protect the vital interests of the Data Subject;
  • Where it is required for carrying out a task in the public interest or in the exercise of an official public mandate imposed on the Data Controller.

 

Privacy Policy to be Displayed

All media through which Personal Data is being collected must display in a simple, conspicuous and understandable manner, their applicable privacy policy. The minimum requirements for such a privacy policy are:

  • What represents consent for the Data Subject;
  • Description of personal information that is collectible;
  • Purpose of Personal Data being collected;
  • Technical methods deployed to source and store personal information, cookies, web tokens etc.;
  • Whether third parties have access, and if so, the nature of;
  • Principles governing data processing;
  • What remedies can be resorted to in the event of a breach of the privacy policy;
  • Limited period for exercising remedy;
  • No limitation clause would avail any Data Controller who is in default of the NDPR.

 

Key steps to be taken to avoid liabilities:

The key steps to be taken by Regulated Entities in order to avoid legal liabilities and ensure they meet up with the minimum required standard of care required under the NDPR. Regulated Entities are required to: (i) read and understand the NDPR; (ii) develop and implement a privacy policy that is consistent with the NDPR; (iii) notify their employees, customers, and online visitors of their privacy policy; and (iv) designate at least one or two members of staff as Data Protection Contacts (DPCs).

Sizable fines assessed for data breaches since 2019 suggest that regulators are getting more serious about organizations that don’t properly protect consumer data. Marriott was hit with a $124 million fine, later reduced, while Equifax agreed to pay a minimum of $575 million for its 2017 breach.

 

Below are some other Major cases where fines and penalties assessed for data breaches or non-compliance with security and privacy laws were made:

1. Instagram: $403 million

Ireland’s Data Protection Commissioner (DPC) in September 2022, fined Instagram for violating children’s privacy under the terms of the GDPR. The long-running complaint concerned data belonging to minors, particularly phone numbers and email addresses, which was made more public when some young users upgraded their profiles to business accounts to access analytics tools such as profile visits.

2. T-Mobile: $350 million

In July 2022, mobile communications giant T-Mobile announced the terms of a settlement for a consolidated class action lawsuit following a data breach that occurred in early 2021, impacting an estimated 77 million people. The incident centered around “unauthorized access” to T-Mobile’s systems after a portion of customer data was listed for sale on a known cybercriminal forum. In an SEC filing, it was revealed that T-Mobile would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement. The company would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023.

3. Meta (Facebook): $277 million

In November 2022, the Ireland Data Protection Commission (DPC) fined Meta $277 million (€265 million) for the compromise of 500 million users’ personal information. The DPC started its inquiry on April 14, 2021, following reports of a collated data set of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to the processing carried out by Meta Platforms Ireland Limited (“MPIL”) during the period between May 25, 2018, and September 2019. “The material issues in this inquiry concerned questions of compliance with the GDPR obligation for Data Protection by Design and Default,” the DPC wrote. “The DPC examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept). There was a comprehensive inquiry process, including cooperation with all of the other data protection supervisory authorities within the EU. Those supervisory authorities agreed with the decision of the DPC.”

The decision imposed a reprimand and an order requiring MPIL to bring its processing into compliance by taking a range of specified remedial actions within a particular timeframe.

4. WhatsApp: $255 million

In August 2021 Facebook-owned messaging service WhatsApp was fined €225 million ($255 million) for a series of GDPR cross-border data protection infringements in Ireland. The fine followed a lengthy investigation and enforcement process which began in 2018 and involved the Data Protection Commission’s proposed decision and sanctions being rejected by its counterpart European data protection regulators, resulting in a referral to and ruling from the European Data Protection Board. Allegations focused on complaints from users and non-users of WhatsApp’s services, involving alleged breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR.

 

It is, therefore, important for all Regulated Entities inclusive of startups, to ensure full compliance with the provisions of the NDPR and avoid the penalties of non-compliance.

The Data Protection Policy ensures an adequate level of data protection as prescribed by relevant legal frameworks.

 

References

  1. UNCTAD (2004) Creative Economy Programme access on 16th January 2023 from https://unctad.org/topic/trade-analysis/creative-economy-programme
  2. Ajay Agarwal (2020) Fuel Your Business Growth with Data-Driven Decision Making access on 14th January 2023 from https://www.eve24hrs.com
  3. James Nurton (2022) Data: the fuel transforming the global economy, WIPO Magazine access on 16th January 2023 from https://www.wipo.int
  4. Yemi Adeniran, Data protection in Nigeria – enforcement in post COVID-19 digital economy/Biometric Update accessed on 16th January 2023 from https://www.biometricupdate.com
  5. Nigeria Data Protection Bureau; Compliance Directives 5th October 2022
  6. Nigeria Data Protection Regulation 2019 (NDPR)
  7. Europe’s General Data Protection Regulation (GDPR)
  8. Cybercrime Act
  9. Constitution of the Federal Republic of Nigeria 1999 (as Amended)
  10. Michael Hill (2022) The 12 biggest data breach fines, penalties and settlement so far, CSO online accessed on 16 January 2023 from https://www.csoonline.com

 

[maxbutton id=”1″ url=”https://oal.law/data/uploads/2023/02/The-lowdown-on-Data-Privacy-and-Data-Protection-Policy-for-Startups.pdf” text=”Download Article” ]

 

 

Contributor

Emmanuel Agherario, OAL

Associate II