Data Protection In Nigeria
Data is the lifeblood of the financial industry.
The rapid rise of Fintech companies within the last decade was driven by consumers' demand for faster and more convenient financial services. These needs continue to evolve over time, and traditional financial institutions struggle to keep up. However, open banking offers financial institutions that have access to consumers' information (“Providers”) the chance to share such information with other financial institutions (“Consumers”) to keep them aware of those needs and enable them to offer premium services.
Data and NDPR
The NDPR was issued by the National Information Technology Development Agency (NITDA) in 2019 to regulate the collection, processing, and storage of personal data. Personal data is information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier. It includes a name, address, a photo, an email address, bank details, medical information, IP address, IMEI number, IMSI number, SIM, and others.
Because the damage an individual may suffer from a breach of some personal data, such as ethnic and racial information, may be higher, these data must be subject to a higher level of protection. Although the NDPR doesn’t classify financial data as sensitive, financial institutions have access to a variety of sensitive data such as ethnicity and biometrics.
Irrespective of the data protection requirements under the Framework, the Framework specifically requires participants to comply with all extant laws on data privacy, such as the NDPR and the NDPR Implementation Framework. Under the NDPR, before the personal data of a customer can be used for a purpose different from that for which it was initially given, the data controller (in this case, the financial institution) is required to inform the customer of:
- the purpose for which the data was originally collected;
- whether there is any connection between the original purpose and the proposed purpose;
- the possible impact of the new processing on the data subject; and
- the existence of security safeguards to protect the data.
The Framework further requires participants to list the specific rights which customers may grant to the participants and to obtain the consent of the customer for each right separately.
Providers are also expected to ensure that customers revalidate their consent annually or after 180 days in cases where the service of the provider has not been used.
While the Framework seeks to support innovation within the Nigerian financial sector, participants in the open exchange of information are expected to reassess their data privacy practices to ensure they meet the compliance requirements of the NDPR and the Framework.