Each transaction through online channels such as e-commerce platforms results in the exposure of consumers’ merchantable personal data. Data gives businesses an avenue to improve decision-making, create new products and services, improve operational efficiency, and personalise the customer experience. Over time, consumers have grown increasingly concerned about risks associated with procuring services through digital channels. The fear of identity theft is prevalent, as personal data breaches expose sensitive information to cybercriminals. There is also the issue of a lack of transparency from businesses about how they handle data. Concerns over unauthorized data sharing, targeted advertising, and profiling without consent are also common. These concerns over data privacy necessitate that businesses prioritise the protection of consumer data privacy rights.
The Nigeria Data Protection Act, 2023 (NDPA) in Part VI enshrines several fundamental rights for data subjects (the “consumers”). These rights include:
- Right to be Informed: Consumers have the right to be aware of how their data is handled by businesses. They should be aware of the collection and processing of their data, including the purposes for which it is being used.
- Right of Access: Consumers can request information about the personal data held about them by businesses handling their data.
- Right to Rectification: Consumers have the right to request the correction of inaccurate or incomplete personal data in the custody of a business.
- Right to Erasure: Consumers can request the deletion of their data under circumstances such as when there is no need to process the data anymore.
- Right to Restriction of Processing: As an alternative to erasure, consumers can restrict how their data is processed.
- Right to Data Portability: Consumers have the right to obtain their data in a structured, commonly used, and machine-readable format and transmit it to another business (when technically possible) without delay.
- Rights in Relation to Automated Decision-making: Consumers have the right to object to the processing of their data through automated decision-making, for direct marketing, or profiling.
- Right to Compensation: Consumers have the right to seek compensation for damages suffered due to data breaches or violations of their privacy rights.
- Right to Judicial Redress: Consumers can seek legal remedies for violations of their data protection rights.
Furthermore, to ensure the rights of customers as data subjects are adequately protected, businesses operating in Nigeria must observe the following essential principles and adhere to the compliance requirements (as provided by the NDPA) below:
- Data Minimization: Businesses must collect and process only the amount of data necessary for a specific purpose. In other words, avoid gathering excessive or irrelevant data.
- Purpose Limitation: Businesses must use data collected solely for the purpose it was intended for. Businesses must avoid repurposing data without outright consent.
- Data Security: Implement strong technical and organisational measures to safeguard data against unauthorized access, disclosure, alteration, or destruction.
- Accountability and Compliance: Businesses must take full responsibility for complying with the NDPA and any other industry-specific regulation or law that addresses the processing of data within the industry of the business. These include:
  - Collecting freely and directly given consent to process the personal data of the customers. Where a child (any customer under the age of 18) is involved, such consent is to be collected from the legal guardian or parents of the child. Also, appropriate mechanisms, including technology, must be incorporated to verify age and consent;
  - Registering as a data processor or data controller with the Nigeria Data Protection Commission (NDPC) as long as the business falls within the minimum threshold set by the NDPC;
  - In the event of a data breach, businesses should be prudent enough to promptly notify the NDPC within 72 hours of the occurrence of such breach. The same should be communicated to the affected customer in plain and simple language, including means to mitigate the effect of such breach;
  - Conducting Data Protection Impact Assessments (DPIAs) for any high-risk data processing activities to identify and mitigate potential risks;
  - Conducting data protection audits and filing audit reports with the NDPC. The audits are relevant for assessing and identifying loopholes in the data protection structure of a business and coming up with a means to fix such loopholes;
  - Ensuring compliance with regulations on data transfer outside Nigeria, including confirming that an adequate level of protection exists in the country such data is to be transferred to;
  - Ensuring that adequate security is available to safeguard the personal data of customers collected to facilitate the provision of services to the customers;
  - Drafting robust, simple, and direct privacy policies for websites and other software platforms; and
  - Designating a knowledgeable person as a Data Protection Officer.
- Robust Internal Mechanisms: To further reinforce a business’s data protection framework, it is essential to implement robust internal mechanisms that safeguard customer data and ensure compliance with industry and regulatory standards. Below are some key mechanisms a business can adopt:
  - Carefully assess third-party service providers to ensure they comply with the highest data protection standards. Additionally, businesses are advised to enter into sound data processing agreements with third parties or include comprehensive data processing clauses within existing service agreements;
  - Establish a clear and comprehensive internal data privacy and protection policy or guideline for employees;
  - Implement access control measures to restrict access to customers’ personal data to only those employees who need it for their role at any given time;
  - To prevent data loss, businesses must implement regular backups and establish a reliable recovery plan to ensure that data can be restored quickly and efficiently in case of a breach;
  - Establish a responsive customer support system, ensuring that customer concerns related to privacy are addressed promptly, professionally, and effectively;
  - As the backbone of a business’s effective data privacy strategy, employees are at the vanguard of data protection. Regular, well-curated employee training sessions are essential. These trainings should cover the risks associated with poor data processing practices, the business’s compliance obligations, the efficient application of existing policies, and the ability to adapt to emerging data privacy threats.
Consequences of Poor Data Privacy Culture
The consequences of a poor data protection strategy for an organization include the following: lack of trust and reputational damage leading to the decline of customer patronage and investor confidence; disruptions to the operations of the business; risk of litigation against the business; and statutory consequences under the NDPA, which include a fine of the sum of N10,000,000 or 2% of its annual gross revenue from the preceding financial year, whichever is greater.
The above can lead to staggering financial loss, resulting from fines, legal fees, compensation payouts, and costs associated with restoring halted operations and repairing compromised systems. Additionally, lack of customer trust and potential loss of business partnerships will, in the long run, hamper the ability of the business to generate sustainable revenue, leaving its future growth and financial health in jeopardy.
Conclusion
Adherence to robust data privacy practices offers numerous advantages for businesses. Firstly, it promotes trust between the business and its customers. By demonstrating a commitment to protecting personal information, businesses can build strong and lasting relationships with their customers. Secondly, compliance with data protection laws mitigates the risk of hefty fines, legal actions, and reputational damage that can arise from data breaches.
A sound data privacy culture goes beyond mere compliance. It is a business imperative: by prioritising customer data privacy, businesses not only stay on the good side of the law but also thrive on increased trust, operational efficiency, reduced susceptibility to risks, and a competitive edge over competitors in the same industry.