3 points from the 2019 Nigeria Data Protection Regulation (NDPR) that startups must pay attention to;
1) Procuring consent: *Part two of the NDPR* provides that personal data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the data subject. In line with this *Section 2.3* provides for the various conditions that must be satisfied before consent procurement can be said to be lawful, some of which are;
a) Specific purpose of collection must be made known to the data subject before data is obtained.
b) Data controller or startup must ensure that the consent of a data subject has been obtained without fraud, coercion or undue influence.
c) Also where processing is being done based on consent, startup or controller must be able to show that the data subject has consented to processing of his/her personal data and that the data subject has the legal capacity to give consent
2) Legal processing of personal data: *Section 2.2 of the NDPR* provides for five (5) conditions amongst which at least one must be satisfied by controller or startup before personal data of the data subject can be said to have been processed lawfully. Three (3) out of these five conditions will be highlighted below
a) The data subject must have given consent to the processing of his or her personal data for one or more specific purposes.
b) Where processing is necessary to perform a contract to which the data subject is a party or for the purpose of taking steps at the request of the data subject prior to entering into a contract
c) where processing is necessary for the performance of a task carried out in the public interest or in exercise of official mandate vested in the controller or startup
3) Data security : *Section 2.6 of the NDPR* provides that anyone involved in data processing or control must adopt data security procedures, which may include, but are not limited to, protecting systems from hackers, putting up firewalls, and keeping data securely with access to it. Using data encryption technology and specific authorized individuals. Creating an organizational policy for dealing with Personal Data and other sensitive information or confidential data, email system security, and continual capacity structure for its employees.
We believe it’s important for start ups and companies generally, to speak with lawyers to draft or review data privacy and protection policies, data sharing agreements and such other documents.
You can visit our website for more details and follow us on our social media handles for news updates and informative articles.
