February 28, 2020
We recently shared a Data Privacy Compliance update within our client network and would like to share a few points from the update, which is based on a recent data privacy audit that we conducted for a Nigerian company, in line with the legal requirement that certain companies, acting as Data Controllers or Data Processors, in Nigeria should conduct and file a summary of its Data Privacy Audit by March 15, of every year.
Scope, Pricing & Methodology
The scope and methodology of a Data Privacy Audit is highly dependent on a number of variables, which includes the vertical in which your company plays, the industry at large, your company’s human resource strategy, work flow process, location and number/seniority and nationality of staff. Evidently, these factors may also determine the price your Company pays for a Data Privacy Audit as well. Meaning that, if your Data Privacy Adviser is not taking these factors into consideration as a foundational matter, you are likely overpaying and/or not getting value for money.
Enterprise Risk Management
It’s important not to think about a Data Privacy Audit in isolation. Atleast, not as a general rule. Some cases may present a good opportunity to review the risk exposure of your business across board, on an enterprise basis. If you think about it, the reality that Nigerian companies face is that regulations will increase and regulators will step up enforcement across board. Also, across board, the likelihood that vulnerabilities and breaches will get more severe is real. In practical terms, the occurrence of a risk that is not data privacy related, can trigger some level of exposure on data privacy front.
Employee Engagement
It’s important for ALL employees, ( including customer care, front desk, admin and other non-tech/IT staff) to be carried along, to fully understand and to have a sense of responsibility around data privacy issues. This is a lower hanging fruit and proactive compliance strategy that we advise all clients to adopt. Sometimes, employees can be the saving grace of potential data breach or exposure on the regulatory side.
Existing Employees
We generally advise clients to procure a written consent from existing employees, i.e. individuals who were in employment before the enactment of the Nigerian Data Privacy Regulations. In point of substance, it is useful to note that storage of employees’ personal data is a form of “processing” recognised under the Nigeria Data Privacy Regulations. To the extent that the personal information of employees are kept in some form of storage by employers, it would be prudent for companies to procure a written consent from these category of employees.
Business Disruption
One other point is ensuring that the Data Audit process does not unduly disrupt your business. This is very possible especially seeing that by law, a Data Privacy Audit is a Q1 deliverable – a time when the business sets the tone for the rest of the year. Again, this depends largely on methodology.
Team
Sometimes, depending on the nature your business, a Data Privacy audit may require a multifunctional team of lawyers and information technology experts. This is how we have structured our data privacy practice at Balogun Harold. Our Data Privacy team consists of Certified Offensive Security Professionals and compliance professionals, who provide support around integrity issues. This approach is particularly important for us within the context of the Nigerian Data Privacy Regulations which mandates Data Controllers or Data Processors to secure all Personal Data against “all foreseeable hazards and breaches, such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements”.
A few other points to note in conclusion – Overall, Nigerian companies need to step up and be more responsible with the privacy of the personal information of their employees. In the end, data privacy regulations are built to protect human beings ( not corporate entities) and to that extent, we are all involved and should be rightly concerned. Also, data privacy issues can potentially affect the bottom-line and competitiveness of companies because , prudent third parties would generally take the time to ensure that counterparties are compliant, if they are keen on a business relationship. The reason is because compliant third parties may become exposed to regulatory or legal risk as a result their a relationship with a non-compliant organisation. In point of substance, the Nigerian Data Privacy Regulations, places a due diligence obligation on counterparties to take reasonable measures to ensure that other parties do not have a record of violating the data privacy principles preserved under the Nigerian Data Privacy Regulations.
Please reach out to your Balogun Harold contact or via support@balogunharold.com for additional inquiries.
