12 Processes Towards NDPR Compliance
By
David Harry
Outline
Introduction.
Raise Awareness.
Information Mapping And Data Audit.
Notices & Privacy Communications.
Data Subjects Rights Under NDPR.
Subject Access Requests.
Legal basis for processing.
Collecting and Managing Consent.
Processing Personal Data of Children.
Data security and breaches.
Privacy by design and default.
Duties of a Data protection officer.
Requirements for Data transfers.
Conclusion.
Recommendation.
Introduction
NDPR was issued on the 25th of January, 2019.
What is NDPR?
The Nigeria Data Protection Regulation (NDPR) is a set of rules about how an
organization should process the personal data of individuals.
Information Mapping And Data Audit
All personal data an organization holds should be
documented: where it came from, how it was collected, and
with whom and how it is shared.
All sources of data and all types of data relationship must be
identified.
Undertaking a formal information audit must be considered.
Questions to be asked may include:
Who are your data subjects?
Who has access to sensitive data?
Where do we keep personal data?
Where do we transfer personal data to?
Notices & Privacy Communications
A full review of current privacy notices must be done.
These privacy notices must align with the requirements under
NDPR.
These notices must:
Indicate the processing activities occurring at the time
personal data is collected.
Be present at all points where personal data is collected.
State the right to lodge a complaint.
State the recipients and transfers of data.
State the right to withdraw consent at any time.
Data Subject Rights
Under NDPR, the rights of data subjects are well recognized.
Organizations must be able to demonstrate that they can respond to a
data subject's personal data request.
Generally, a response to a request must be given within a stipulated
time.
In compliance, organizations must be able to demonstrate that they
can:
Validate the identity of the requesting data subjects.
Enable a data subject to request access to their personal data.
Respond to requests for personal data access.
Request rectification and rectify personal data.
In the event of a data breach, contact those entities for data erasure.
Discontinue data processing and demonstrate compliance.
Subject Access Requests
In organizations, procedures should be updated, and a plan for
how requests will be handled that takes account of the new rules must
be implemented.
An organization can refuse or charge for requests that are
excessive.
If a request is refused, the individuals should be told why and
should also be told that they have the right to complain to the
supervisory authority and to a judicial remedy.
An organization could develop systems that allow individuals
to access their information easily online, if the organization
handles a large number of access requests.
Legal Basis For Processing
Collecting and Managing Consent
Processing Personal Data of Children
Data Security And Breaches
Requirements For Data Transfers
Conclusion
In conclusion:
Organizations must be aware of NDPR regulations and must organize
training to enlighten their staff.
All personal data held by an organization must be documented.
A full review of privacy notices must be done, and they must align with NDPR
requirements.
Organizations should be able to respond to data subjects' requests for personal
data within a stipulated time.
Organizations should ensure that only necessary personal data is processed.
Organizations must seek consent from individuals to process their personal
data.
Organizations that manage data on a large scale must appoint a DPO.
Organizations must ensure that personal data can be transferred to customers
at any time.
These steps must be followed judiciously in order to be in full compliance with
the NDPR regulations.
Recommendation
It is of great significance that organizations commence the
implementation of NDPR; the benefits outweigh the
drawbacks.
The benefits include:
Brand image and competitive advantage are improved.
Customer trust and customer confidence are built.
Risks from data breaches and hackers are decreased.
Security incidents are minimized.
Payment of fines is avoided.