10 Questions on GDPR Answered

In this article, we look at some questions on the GDPR – what it means, why it matters and possible implications for Nigerian businesses.
10 Apr 2018
GDPR
IEOM Contributor

IEOM Team is used to refer to our in-house writers who have contributed articles/content to the Export Brief.

Topics

GDPR

What does GDPR mean?

GDPR stands for General Data Protection Regulation. The law was drafted by the European parliament and came into effect on May 25th, 2018, replacing the 1995 European Data Protection Directive.  It’s a regulation that covers data protection and is aimed at improving and unifying the way personal data is currently protected.

What is considered to be personal data?

The concept of ‘personal data’ is very broadly defined.

In general, it means any type of information that relates to an identified or identifiable ‘natural person’ that allows the ‘natural person’ to be easily identified based on the data such as their IP address, ID number or their physical/physiological/genetic/mental/economic/cultural features or attributes

Who does GDPR apply to?

The GDPR applies to data controllers and data processors - in other words to every organization that processes, stores, or transmits personal data of EU residents.

The main difference between the data controllers and processors is that the controller decides how and for what purpose personal data is processed, while the processor acts on the controller’s behalf. However, both roles have obligations under GDPR.

My business is based in Nigeria. Why should I care about GDPR?

The GDPR only applies to processing of personal data of EU residents. As a Nigeria-based enterprise, you should only care about the GDPR if your organization does business with EU residents. If your business does not do business – offer goods and/or services – in Europe, you have no need to worry about it.

What is the penalty for non-compliance?

When GDPR is enforced, organizations that breach the regulations may be fined either between 2% to 4% of their annual global turnover or up €20 million, whichever is higher. Frequent breaches of the regulations and failure to address the issue can even result in higher fines of up to €40 million.

Who should comply with the GDPR?

Public and private businesses, agencies and institutions.  GDPR will affect any areas of a business that handles personal data, for example HR, sales, marketing, membership/customer services, IT, finance or legal. There is no distinction or exception between public and private either. Every organization which has personal data is within the scope. And, let’s not forget that the personal data of employees is also affected by GDPR and will need to be acquired, stored, managed and to the same standards as any ‘natural person’.

What are the rights of individuals under GDPR?

The GDPR applies to processing of personal data of EU citizens. This means that it not only applies to EU- based organizations, but that it also applies to organizations that are based outside of the EU that offer goods or services to EU citizens or any organization that processes the data of EU citizens; in other words, the vast majority of organizations.

The GDPR requires organizations to provide individuals with fair and transparent information about the processing of their personal data.

To be more specific, individuals will have the following rights under GDPR:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure (also referred to as the ‘right to be forgotten’)
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Does my organization need to hire a Data Protection Officer (DPO)?

GDPR calls for certain types and sizes of organizations to appoint a nominated Data Protection Officer.

The exact text states: “it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies

 (irrespective of what data they process), and for other organisations that – as a core activity – monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.”

In summary, any organization which qualifies as a public authority or your core business is data processing and inextricably linked to data processing must appoint and assign a DPO.

Besides the fines, what else could happen if my organization doesn’t comply?

In Nigeria, data protection laws are non-existent so organizations do not feel inclined to follow any rules with regards to protecting clients/customers’ data. Even where they have internal processes for user data processing, they don’t feel obliged to inform the data subject of anything. For instance, before GDPR, majority of Nigerian banks either did not feature a “privacy policy” on their website or featured a bare bones privacy policy that could best be described as being neither here nor there.

By contrast, banks like First Bank and Access Bank with UK operations feature privacy policies on their UK-facing websites with varying levels of comprehensiveness, covering as much information as possible.

EU residents are well aware of their rights and European businesses are under direct threat of the GDPR and may decide not to do business with your Nigerian company if you are not GDPR-compliant or at least have some GDPR features in place. So if your company has an EU-based subsidiary, branch, client, partner or otherwise processes data of EU-based data subjects, you run the risk of losing business.

I only do business with the UK. With BREXIT coming into effect soon, Will I still need to comply with GDPR?

The United Kingdom has its own recent Data Protection Bill which was drafted to complement and aid the implementation of GDPR. The bill may even impose higher standards so even if the UK is not in the EU anymore, it will have similar or greater obligations as the GDPR.

In essence, implementing the provisions of the EU’s GDPR will bring your organization in compliance with the UK’s Data Protection Bill. So if you are subject to the GDPR, go ahead and implement it.

Ok, I get it. What can we do now to get started on GDPR compliance?

There are various steps involved in becoming GDPR-compliant. However, the first thing to do is to ascertain whether you are subject to the provisions of GDPR.

At IEOM, we can help you do this. We can also help you conduct a data protection impact assessment which is a requirement for certain types of organizations; and guide you through the entire process of becoming GDPR-compliant.

This article was published in the Export Brief magazine #1. You can subscribe to the Export Brief magazine (print version) here.