The need to protect the integrity of personal data from unauthorized access and breaches cannot be overstated. The reason is not far-fetched: personal data is specific to each data subject and represents that data subject’s identity, which invariably makes any breach potentially ruinous to the data subject. This perhaps also explains the somewhat onerous obligations imposed on data controllers over personal data in their custody under the Nigeria Data Protection Regulation 2019 (NDPR). However, it is generally accepted that breaches are bound to occur, sometimes out of negligence and at other times for reasons not attributable to the negligence of the data controller. Where there is a data breach, the NDPR prescribes a few response and mitigation requirements, and these are examined below.
Surveillance
For effective data breach response and mitigation, time is of the essence. This is because prompt discovery of a data breach gives the data controller a better chance of curtailing the scope and scale of the breach. It is in recognition of this reality that the NDPR obligates data controllers to conduct periodic reviews of their data protection architecture, have multiple layers of protection, educate employees on data protection, and put in place policies for staff reporting of any suspected data breach. Data controllers are also expected to invest in technology that can monitor access to, and authorization over, all personal data within their custody, and give early warnings of any potential or actual breaches. Typically, a data protection audit conducted by a licensed Data Protection Compliance Organization (DPCO) will reveal the compliance level of the data controller, identify any lapses, and provide recommendations on remediation along the lines of the safeguards discussed above, which, when implemented, will surely enhance the surveillance capability of the data controller.
Data Breach Reporting
Data Controllers and Administrators have a duty to self-report personal data breaches within 72 hours of their knowledge of the breaches. The report must include the date or time/period during which the breaches occurred, an assessment of the risk the breach poses to data subjects, a description of the cause of the breach, an estimate of the number of personal data and/or data subjects affected by the breach, and a description of the steps taken to notify the affected data subjects of the breach, among other information. The report is to be sent to the regulator, the Nigeria Data Protection Bureau (NDPB). To ensure compliance with this regulatory prescription, it may be expedient for data controllers, particularly corporate organisations, to engage a DPCO to advise on regulatory obligations and mitigation strategies in the event of a data breach. It is also vital for the data controller concerned to notify the data subjects affected by the breach as soon as possible, so that they can take the necessary measures to limit their exposure to the breach.