Data protection for start-ups: Safeguarding user trust and ensuring compliance

By Omoruyi Edoigiawerie, Esq
In today’s digital age, data protection is a critical aspect of running a startup. Startups collect and handle vast amounts of user data, making it essential to prioritize data protection to establish trust, safeguard user privacy, and comply with legal requirements.

Nigeria has recently enacted a new Data Protection Act. The Nigeria Data Protection Act applies to all businesses that collect and process personal data of Nigerian citizens or residents, regardless of where the business is located. This means that even if a startup is located outside Nigeria, it will still be subject to the Act, as well as the Nigerian Data Protection Regulation (NDPR), if it collects or processes the personal data of Nigerian citizens or residents.

As I often say, data is the new oil and startups are key miners of this oil. It is therefore very important to ensure that startups have clarity on compliance with the Act and rules and learn how to protect user data, mitigate risks, and build a strong foundation for sustainable growth. This is the fulcrum of my article this week.

IMPORTANCE
For startups, data protection is crucial for several reasons. First, it establishes trust with users. Startups that prioritize data protection demonstrate their commitment to safeguarding user privacy, fostering a positive user experience, and strengthening customer loyalty. Additionally, data breaches will invariably lead to reputational damage and financial loss; the implication is that data protection is a business imperative.

LEGAL FRAMEWORK

With the enactment of the Data Protection Act, startups are now primarily bound by the provisions of the Act. However, it is important to note that the Act did not repeal the NDPR, which has been in force since 2019. The implication is that the NDPR remains binding on startups and will only be overlooked where it is inconsistent with the provisions of the Act.

Ultimately, Startups are legally obligated to ensure the following:

Lawfulness, fairness, and transparency in the use of Data: Startups must process personal data in a lawful, fair, and transparent manner. This means that they must have a legitimate reason for collecting the data, and they must inform data subjects about how the data will be used.

Purpose limitation: Startups are expected to only collect personal data for specific, lawful, and legitimate purposes. They should not collect more data than they need, and they should not use the data for any other purposes without the consent of the data subject.

Data minimization: Startups should only collect the minimum amount of personal data necessary to achieve their purposes. They should not collect unnecessary data, and they should delete data that is no longer needed.

Accuracy: Startups must ensure that the personal data they collect is accurate and up-to-date. They should take steps to correct any inaccuracies as soon as they become aware of them.

Storage limitation: Startups should only store personal data for as long as it is necessary for the purposes for which it was collected. They should delete data that is no longer needed.

Integrity and confidentiality: Startups must take steps to protect the integrity and confidentiality of personal data. This means that they must keep the data secure from unauthorized access, use, disclosure, alteration, or destruction.

DATA SECURITY
Implementing robust security measures is essential for startups to protect user data from unauthorized access, breaches, and cyber-attacks. Startups should adopt encryption techniques to secure sensitive data, implement strong access controls, regularly update software and systems, and conduct security audits and vulnerability assessments. Additionally, startups should educate employees about best practices for data security and ensure they follow secure protocols.

THIRD-PARTY DATA PROCESSING
Many startups rely on third-party vendors or service providers for various operations. It is essential to carefully select and enter into “tidy” contracts with these vendors to ensure they also adhere to proper data protection practices. Startups should conduct due diligence on the security measures implemented by these third parties and establish clear guidelines regarding data handling, confidentiality, and breach notification.

DATA PROCESSING AND CONSENT
Startups should prioritize obtaining informed and explicit user consent for data collection and processing. User consent should be freely given, specific, and based on clear information provided in easily accessible privacy policies. Startups should be transparent about the purposes of data collection, how the data will be used, and any third parties with whom the data will be shared. Regular communication with users regarding privacy updates and their rights helps to build trust and maintain compliance.

DATA BREACH RESPONSE AND INCIDENT MANAGEMENT
Startups should have a well-defined data breach response plan in place to effectively handle and mitigate the impact of a data breach. This includes promptly notifying affected users, investigating the breach, containing the incident, and working towards remediation. Startups should designate members of staff as Data Protection Contacts (DPCs) or Data Protection Officers (DPOs) for their startups. These trained personnel will be responsible for data management and will establish protocols for incident reporting, escalation, and communication at all times.

In addition to the Data Protection Act and the NDPR, there are other data protection laws and regulations that apply to startups in Nigeria, such as the National Information Technology Development Agency (NITDA) Act, the Freedom of Information Act and the Cybercrime Act. It is therefore imperative for startups to be aware of these laws and ensure that they are complying with them.

Data protection is an important issue for all businesses, but it is especially important for startups in Nigeria. By following the tips in this article, startups can help to protect their personal data and comply with the NDPR.

CONCLUSION
Data protection is a critical aspect of running a startup. By prioritizing data protection, startups can build user trust, mitigate risks, and comply with legal obligations. Implementing robust data protection measures, adhering to privacy principles, and staying vigilant will ensure startups establish a strong foundation for growth while safeguarding user data and privacy.

 

Omoruyi Edoigiawerie is the Founder and Lead Partner at Edoigiawerie & Company LP, a full-service law firm offering bespoke legal services with a focus on startups, established businesses and upscale private clients in Nigeria. The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. His firm can be reached by email at hello@uyilaw.com
