[Column] Adebayo Sanni: Nigerian businesses and the GDPR compliance
The deadline for compliance with the General Data Protection Regulation (GDPR) has come and gone. And while it happened without too much fanfare in Nigeria, companies that think they can ignore the legislation and maintain a business-as-usual approach are in for a rude awakening.
Any organisation (irrespective of its size, industry or geographic location) that has dealings with a company or people inside the European Union (EU) must adhere to it. Those not willing to do so face fines of either 20 million euros or four percent of their global revenue.
Already, the past few weeks have seen a notable increase in emails from subscription lists mentioning data privacy and how the personal information of subscribers is stored and kept safe.
For cloud providers that have customers around the world, this is a significant piece of regulation. However, even a small start-up in downtown Lagos that provides a service to a person living in France must be compliant. While a lot of focus is currently on companies inside the EU, it will only be a matter of time before ‘outside’ businesses and services are reviewed and audited.
Of course, the cloud provides many benefits to organisations that are required to be GDPR-compliant. Not only does it provide a more secure platform, but the environment is robust and continuously updated to reflect the latest technology innovations. This results in a smoother migration path when it comes to data security and management with GDPR in mind.
At 68 pages with 99 separate areas of focus, it is hardly surprising that many feel intimidated by the GDPR. For those providing cloud or ‘as-a-service’ solutions, there are four key requirements to consider – data security; rights of individuals; documentation and security audits; and data breach notifications.
But even before one can delve into the technical aspects of compliance, the reality is that many Nigerian businesses need to change the way they view and use data. Certainly, the situation is not unique to the country, with many others struggling to adapt to a new way of capturing, storing, using, and sharing data.
It all starts with consent and whether the user agrees to the kind of data being stored about them and what it will be used for. This forces a re-think in the way data is collected. Companies should carefully review whether the information they collect about their customers is necessary and, if it is, how securely it is stored and protected from external systems. The days of blindly sharing customer data and insights with third parties are a thing of the past. An important aspect of this is to make sure the language used in data collection policies is written in a way that the layperson can understand. So, no more hiding behind legalese or difficult-to-follow technical concepts.
Already, there is a groundswell of support for the mantra ‘your data, your property.’ Nigerian businesses must ensure they keep this in mind. This is also where the critically important ‘right to forget’ component of GDPR comes in. A consumer can delete his or her profile at a business, and the personal information must then be wiped clear. Just consider the impact this will have on social networks.
Fortunately, Nigeria has the Digital Rights and Freedom Bill for companies to fall back on. Even though it is still awaiting presidential assent, the bill does provide organisations with guidance on data handling, collection, and use in the country.
Furthermore, compliance is not something that is done once and forgotten. Instead, decision-makers need to continually review and assess their data management strategies and policies. The GDPR is an ongoing concern that requires an integrated approach to data. Fundamentally, local companies do not have the luxury of using disparate databases and systems any longer. They must all be integrated, with the data securely stored every step of the process.
Even though the deadline of 25 May is long forgotten, companies must review and assess their policies to ensure they do not fall foul of regulators. The cost of not doing so is too severe to ignore.