
Policy Documents Required For

NDPR Compliance
By
Harry David
OUTLINE
• Introduction.
• Consent Form.
• BYOD (Bring Your Own Device) Policy.
• Password Policy.
• Privacy Notice.
• Clean Desk Policy.
• Personal Data Retention Policy.
• Data Breach Policy.
• Data Processing Policy.
• Conclusion.
• Recommendation.
INTRODUCTION
• The NDPR was issued by the National Information Technology Development Agency (NITDA) on the 25th of January, 2019.
• What is the NDPR?
• The Nigeria Data Protection Regulation (NDPR) is a set of rules about how an organization must process the personal data of individuals.

• The NDPR's objectives include:
  – To safeguard the rights of natural persons to data privacy.
  – To foster the safe conduct of transactions involving the exchange of personal data.
  – To prevent the manipulation of personal data which may lead to a breach of public peace and national security.
• A policy document specifies the rules, guidelines and regulations that an organization requires its employees to follow.
CONSENT FORM
• A consent form is a form in which data subjects give their consent for the processing of their personal data.
• Data subjects give consent for the processing of their personal data held by the company, or any associated company, for business-related purposes.
• Data subjects also give consent for the processing of their sensitive personal data, e.g. sickness absence records, medical reports, and details of criminal convictions.
• Data subjects give consent to the company for the provision of their personal data to third parties; these third parties include pension scheme providers and insurance companies.
• The consent form ends with the data subject's name, signature, phone number and email address.

BYOD POLICY
• This policy establishes an organization's guidelines for employee use of personally owned electronic devices for work-related purposes.
• Employees must obtain written authorization from the organization before they are permitted to use their personal devices for work.
• Authorized employees are required to have anti-virus and mobile device management (MDM) software installed on their personal mobile devices, to protect the organization's data.
• Employees whose personal devices have camera, video or audio recording capability are restricted from using those functions anywhere in the building or on company property at any time, unless authorized in advance by management.
• Failure to follow the organization's policy and procedures concerning the use of personal devices for work-related purposes may result in disciplinary action, up to and including termination of contract.
PASSWORD POLICY
• Employees in an organization access a variety of information technology (IT) resources, including computers, data storage systems, and other accounts.
• All employees who have access to any of those resources are responsible for choosing strong passwords and protecting their log-in information from unauthorized people.
• The purpose of this policy is to ensure that all the organization's resources and data receive adequate password protection.
• The policy covers all employees who are responsible for one or more accounts or have access to any resource that requires a password.

PRIVACY NOTICE
• A privacy notice is a statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information.
• A privacy notice is sometimes referred to as a privacy statement, a fair processing statement, or a privacy policy.
• A privacy notice must be displayed in the organization's premises, e.g. at Reception.
• A privacy notice must also be displayed on the organization's website.

CLEAN DESK POLICY
• A clean desk policy ensures that all sensitive/confidential materials are removed from an end user's workspace and locked away when the items are not in use.
• It is one of the top strategies to use when trying to reduce the risk of security breaches in the workplace.
• The purpose of this policy is to establish the minimum requirements for maintaining a "clear desk", where sensitive/critical information about employees, intellectual property, customers, and vendors is secured in locked areas and out of sight.
• The information security team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
• Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

PERSONAL DATA RETENTION POLICY
• A data retention policy is a set of guidelines that helps an organization keep track of how long information must be kept and how to dispose of the information when it is no longer needed.
• The policy should also outline the purpose for processing the personal data.
• This ensures that an organization has documented proof that justifies its data retention and disposal periods.
• A simple data retention policy will address:
  – The types of information covered by the policy, e.g. names, addresses, financial records, etc.
  – How long the organization is entitled to keep the information.
  – What the organization does with the data when it is no longer needed.

DATA BREACH POLICY
• A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
• This policy and plan aims to help an organization manage personal data breaches effectively.
• Examples of a data breach include the following:
  – Loss or theft of data, or of equipment on which data is stored, for example loss of a laptop or a paper file (this includes accidental loss).
  – Equipment failure.
  – Human error (for example sending an email or SMS to the wrong recipient).
  – Unforeseen circumstances such as a fire or flood.
DATA PROCESSING POLICY
• A data processing policy sets out how an organization handles the personal data of its customers.

• The data processing policy applies to all personal data an organization processes, regardless of the media on which that data is stored or whether it relates to past or present customers, clients, or website users.

CONCLUSION
• In conclusion, organizations must:
  – Ensure that a consent form is made available to each data subject.
  – Ensure that all employees follow the Bring Your Own Device (BYOD) policy.
  – Ensure that employees with access to information technology (IT) resources choose a strong password for each account.
  – Ensure that the privacy notice is made available to all staff and customers.
  – Ensure that the clean desk policy is strictly followed by all employees.

RECOMMENDATION
• These policy documents ensure that the personal data of data subjects is well guarded.

• The policy documents also reduce the risk of a data breach in an organization.

• It is therefore necessary that these policy documents are in place in organizations.
