Obligation to Protect Personal Data

Personal data protection is an important subject that every organization should put into consideration when developing its security policies. The law appreciates this fact and has placed enormous legal obligations on data controllers and processors to ensure that data placed in their custody is secure. In processing personal data, the Nigeria Data Protection Regulations (NDPR) 2019 imposes a duty of data security on the controller. It provides that data processors and controllers shall develop security measures to protect data. Such measures include protecting systems from hackers, setting up firewalls, storing data securely with limited access, employing data encryption technologies, engaging in continuous capacity building of staff, etc.  This means that the data controller and processor have a duty to protect personal data from external attacks and will be responsible for any breach of the data in their custody. For context, a " data controller" is a person who, either alone, jointly with other persons, or in common with other persons or a statutory body, determines the purposes for and the manner in which personal data is processed or to be processed.  A processor, on the other hand, is a person who processes personal data. Failure to protect such personal data results in serious legal and financial consequences to the data controller and processor.

Failing to Protect Personal Data

Where a data controller or processor fails to fulfill its obligation to protect personal data, there are legal and financial implications. Where a data breach has occurred, the legal obligation of the organization affected is to investigate the breach to ascertain the affected areas, identify the cause of the breach, and identify the affected data subjects. When this is done, the organization is required to take the necessary steps to notify the affected data subjects. In addition, data controllers have the obligation to self-report data breaches to the supervisory authority within 72 hours of becoming aware of the breach. The data subject may report a breach to the supervisory authority directly for redress. An order of compliance with the NDPR may be issued to curb further breaches, together with a monetary fine where necessary.  In addition to this, administrative orders may be issued. These include:

1. Suspension of service of the data controller pending further investigations;
2. Order parties in breach to appear before a panel to determine the liability of officers;
3. Public notice to warn the public to desist from patronizing the affected organization; or
4. Refer the matter to the appropriate professional body for sanction of its members involved in the breach.

Also, a failure to protect personal data under the NDPR constitutes an offense and may be punishable with a fine and imprisonment of up to three years.

On the financial end, the NDPR provides additional penalties for breaches of personal data. The data controller shall be liable for any breach of the data subjects’ rights, in addition to any other criminal liabilities, to the following:

1. In the case of a data controller dealing with more than 10,000 data subjects, payment of the sum of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 Million Naira, whichever is greater; or
2. In the case of a data controller dealing with data of less than 10,000 data subjects, payment of the sum of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 Million Naira, whichever is greater.

Furthermore, where a breach of personal data occurs, the organization incurs costs from the investigations conducted to ascertain the extent of the breach and notify the affected data subjects. The organization may also engage a Data Protection Compliance Organization (DPCO) or an expert in data breach management to conduct an audit of the systems and data protection practices with the aim of drawing up a remedial plan to assist the organization in remedying the breach.  Additional costs may also go into rebuilding the goodwill of the business of the data controller or processor.  As noted earlier, the supervisory authority is obligated to issue a public warning for the public to desist from patronizing organizations that breach personal data. It follows that prior to rebuilding its reputation, the organization suffers from a loss of revenue, income, and trust of its customers. This underscores the need to rebuild the organization's goodwill.

Conclusion

Besides the negative impact a personal data breach has on the affected data subject, the data controller and processor are also fraught with the unpleasant wrath of the law, which ranges from the payment of fines and incidental costs to the loss of business reputation and, in the worst cases, criminal prosecution. It is therefore important that every organization adopt security measures when processing personal data, and in the event that a data breach occurs, the necessary steps should be taken to manage the breach.

‍