The Federal Government today says the Nigerian Internet community faces “huge impact” when new data protection regulations by European Union (EU) take effect from May.

Dr Isa Ali Ibrahim Pantami, Director General/CEO, National Information Technology Development Agency, (NITDA), the nation’s IT agency says in a statement made available to Technology Times today that Nigerian businesses that that collect, store and process personal data of EU citizens will be affected by the new rules due to take effect from May 25, this year.

NITDA says it wants Nigerian businesses that manage data of EU citizens to be aware of the implications of the new EU General Data Protection Regulation (GDPR), which was adopted on 27 April 2016 and becomes enforceable from 25 May 2018 is replacing the data protection directive of 1995.

According to Pantami, NITDA “has realized that this regulation might have huge impact on Nigerian businesses and/or individuals that use Information Technologies to collect, store, process and transact on EU citizens personal data in EU territory or elsewhere.

According to Pantami, NITDA “has realized that this regulation might have huge impact on Nigerian businesses and/or individuals that use Information Technologies to collect, store, process and transact on EU citizens personal data in EU territory or elsewhere.

“It is in the utmost interest of the Agency to protect Nigerian businesses from unnecessary exposure to the risks of this regulation and/or any regulations that might have negative impact on their businesses as well as the rights of Nigerians that have dual citizenship of any EU member state”, the NITDA DG says.

According to NITDA, Nigerian organisations that control and process personal data of EU nationals must note that companies that meet the following criteria must comply:

• Have offices in an EU member states;
• Have no offices in any EU member state but processes personal data of EU nationals and residents;
• Have more than 250 employees; and
• Have fewer than 250 employees but its data processing impacts the rights and freedoms of data subjects or occasionally includes certain types of sensitive personal data.

According to Pantami, “the regulation requires that data controllers and processors must seek consent from data subjects in an intelligible and easily accessible form, clearly specifying the purpose for the collection. It also stipulates that consent must be clear and distinguishable from other matters and presented in a clear and plain language.”

 He further warns that “breach of the regulation can attract a fine of up to 4% of a company’s annual global turnover or an equivalent of twenty million euros (€20 million). Furthermore, companies can be fined up to 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.”

The NITDA DG further explains that “the regulation also gives data subjects the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.”

Accordingly, “They also have the right to transmit data they had previously provided to another controller. Furthermore, they are entitled to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”

Pantami calls on Nigerian businesses, “especially those carrying out online transactions and meet the GDPR compliance criteria to put in place appropriate measures to observe the provisions of this regulation to avoid being sanctioned for a liable breach.”

In a similar vein, he adds that “organisations are also required to note the provisions of the NITDA Guidelines on Data Protection, issued in 2013 and currently being revised. In an effort to make the Agency’s rule making process transparent and industry-focused, the revised guideline will soon be presented for stakeholder consultation as stipulated in the Rulemaking Process Regulation of NITDA.”