Tinubu projects 500,000 jobs with Nigeria Data Protection Law (NDPB 2023)
Yes, it possible – Destiny Young
As I opined here:
Yesterday, I made an opinion concerning the signing of the Nigeria Data Protection Law 2023 by President Bola Ahmed Tinubu. In that exposition, I was economical when I stated that the Law, having established the Nigeria Data Protection Commission (NDPC) as a government agency to “regulate and formulate policy frameworks around Data privacy and compliance in Nigeria”, will create job opportunities for IT, Cybersecurity and Legal Professionals.
Truthfully, I only made that personal submission after just reading a news headline that Mr President has signed the Bill into Law.
I am a contributor to the bill. The Bill is the brainchild of National Information Technology Development Agency NITDA Nigeria
Link to the NDPB Bill 2023:
https://acrobat.adobe.com/link/review?uri=urn:aaid:scds:US:0d285dbd-aa38-4441-97a0-531a0eebfbe3
I was part of those who contributed opinion for that bill through a memo communicated to the Agency.
The Law is fundamentally a legal instrument meant to provide for what is called CIA in the information security industry. CIA stands for Confidentiality, Integrity, and Availability. It is an information security model that IT team must use to design organisational IT systems to guarantee the safety of:
1. Personally Identifiable Information (PII)
2. Sensitive Personally Identifiable Information (SPII)
3. IT Infrastructure and Data
4. Network resources
Confidential is a set of rules that limits access to information, Integrity is the assurance that the information is trustworthy and accurate, and Availability is a guarantee of reliable access to the information by authorized people.
To protect personal information, organisations must ensure that appropriate security controls are put in place to ensure that CIA is maintained across the organisation’s IT value chain.
For example, using a Bank.
To open an account, potential customers are requested from the bank to fill a form, and in the most cases, the form requires: Full Name, Date of Birth, Email, Address, Contact Address, LGA, BVN, NIN, etc, all these are Individual’s personal information.
It is the responsibility of the bank to ensure that the information supplied by customer are well protected and that on no account should the bank allow that information be used for other purposes other than for the creation of customer’s account and those data must protected from security breach.
The Bank’s responsibility to safeguard the customer information lies with the Management of the Bank. The management is sometimes made up of Directors, the Head of Legal Department, the Chief Information Technology Officer, the Chief Information Security Officer, etc.
The NDPB 2023 requires that companies and organisations handling personal information of Nigerian Citizens should designate Officers within the organisation that should be responsible for the processing and custody of these data so that in the event of a breach of this information, someone should be held responsible. This brings me to the concept of Data Controller, Data Processor, and Data Subject as enshrined in the NDPB 2023.
Data Controller:
The data controller is the person (or company) who determines the purposes for which, and the way in which, personal data is processed. In the case above, the Bank
If you are classed as a data controller, you are responsible for ensuring that you comply with the NDPB and demonstrate compliance with the regulation’s data protection principles.
A bank (controller) collects the data of its clients when they open an account, but it is another organisation (processor) that stores, digitizes, and catalogs all the information produced on paper by the bank. These companies can be datacentres or document management companies.
Data Processor:
A data processor is a person, company, or other body which processes personal data on the data controller’s behalf.
Data Subject:
Data subject refers to any individual person who can be identified, directly or indirectly, via an identifier such as a name, NIN number, location data, BVN, email address, contact address, etc.
Going by the above, it means, with the signing of the NDPB into Law, companies and organisations that process or manage any kind of personal information and operating in Nigeria must have people who ensure that appropriate legal and information security guidelines are followed to ensure the privacy of individual’s personal information.
Impliedly, professionals in the legal, IT, Information Security and allied professions will be employed.
In conclusion, there is a possibility of a significant job opening arising from the enactment of this NDPB 2023.
Destiny Young
Cybersecurity Analyst
Writes from Uyo