Importance of a privacy program for businesses in Nigeria

Business Advisory

All business entities in Nigeria that deal with any form of human data must have and maintain a privacy program. Unfortunately this is not the case with a lot of entities. The benefits of having a privacy program are listed below:

1. Legal requirement

The protection of the right to privacy of Nigerians is one of the underlying objectives of the Nigerian Data Protection Act 2023 (NDPA). To give meaning to the right to privacy, the NDPA makes it mandatory for all businesses engaged in the processing of personal information to have a privacy program. The privacy program must, at the barest minimum, ensure that the collection, use, and disclosure of personal information by businesses are done in ways that respect and protect the right to privacy of citizens.

The trigger for compliance under the law is the processing of personal information, which is defined broadly to include any information capable of identifying a person. Thus, where a business collects, uses or shares, for any reason, personal information which uniquely identifies a person, the obligation to comply with the law is triggered. The following examples illustrate when an organisation is required to have a privacy program: collection of registration information from customers, such as name, address and phone number, as a precondition to offering goods and services; keeping of personnel files of employees within an organisation; and adoption of an identity verification system such as biometric sign-in at the workplace. These examples are merely illustrative and do not capture the full scope of what constitutes processing of personal information under the NDPA.

Because the adoption of a privacy program is a legal requirement, non-compliance can result in both civil and criminal sanctions against an organisation. As a way of demonstrating the seriousness of compliance, the Nigerian Data Protection Commission (NDPC), in collaboration with the Nigerian Federal Competition and Consumer Protection Commission, recently awarded a monetary penalty running into several millions of dollars against META (Facebook) for non-compliance with Nigerian privacy laws. Additionally, citizens whose right to privacy is breached through non-compliance can sue businesses and recover compensation through the civil courts.

2. Risk mitigation strategy

Apart from the fear of sanctions from the NDPC, proactive organisations usually have a privacy program as part of their risk mitigation strategy. Through the adoption of a privacy program, organisations are able to proactively prepare against incidents of misuse of personal information and breach of privacy within the organisation. The adoption of a privacy program equally communicates to employees of the organisation the importance of handling personal information properly. Because organisations can only act through individuals, and are often liable for the acts of their employees, having a privacy program will ensure that employees have the necessary training and awareness about respecting the privacy rights of customers and clients of the business. This will serve to protect the business from misuse of its clients' information by unscrupulous employees. Additionally, having a privacy program ensures that the business is able to protect its confidential information from misuse. This is particularly important for most businesses with confidential information that gives them a competitive advantage over their competitors. Through the adoption of a privacy program, organisations are able to segregate access to information within their business such that individuals only have access to what is required to do their job.

3. Building clients’ confidence

For most privacy-conscious clients, the privacy policy of an organisation is often a determining factor in whether they want to engage the organisation or not. Clients of an organisation with a robust and publicized privacy program generally have more confidence in the quality of service they receive, compared to clients of organisations that pay lip service to the protection of information of their clients and customers. Thus, adoption of a privacy program can serve as a means of communicating to clients and customers that the organisation cares and will do all in its power to protect their information.

4. Image booster for brands

Having a privacy program is an effective way of communicating to the organisation's clients and customers that the business takes its compliance obligations seriously. This is especially true in societies where citizens are conscious of their rights as consumers, including their privacy rights. A typical example is within countries of the European Union. For businesses looking to attract clients and customers from these regions, adoption of a privacy program goes a long way in projecting the image of the company. This can be contrasted with an organisation that has achieved notoriety as a serial violator of privacy rights, in which case clients would readily avoid said organisation where alternative businesses exist that respect their privacy rights. An illustrative example is the common practice for organisations that require the service of cloud-based entities to investigate their history of privacy breaches as a precondition to signing up with them. In some jurisdictions, industry regulators often publish a blacklist of organisations that pay lip service to the protection of privacy rights, or that have experienced major data breaches through negligence. Presently, there is nothing in the NDPA preventing the Data Protection Commission from adopting the same approach as a way of keeping organisations accountable.

5. Safeguards against compliance pitfalls

Under the privacy laws in most jurisdictions, Nigeria inclusive, there are certain compliance pitfalls when it comes to the processing of personal information. There are some processing activities that fall into the prohibited or restricted lists. Examples include transfer of personal information abroad, processing of information of children, use of surveillance devices that capture biometric images, processing of medical information, etc. The processing of personal information that falls into any of these classes creates heightened risks for businesses, and imposes additional obligations to adopt necessary safeguards to avoid the pitfall of non-compliance. By having a privacy program, organisations are conscious of when their information processing activities fall into the prohibited or restricted categories, and are able to carry out the necessary privacy impact assessments to avoid the danger of non-compliance.

The foregoing list is not meant to be an exhaustive treatment of the desirability of having a privacy program. Additionally, the above should not take the place of expert advice that is tailored towards the specific needs of your business. For additional information on compliance obligations of businesses under the Nigerian Data Protection Act, please visit our resource page for businesses.

Contact Privacy Pro to create an efficient privacy program for your organisation and to answer all your questions about the above. We can be reached via info@privacypro.ng, or you can leave a message through our contact page.