What security obligations are imposed on data controllers and data processors?
Security requirements may not always be included in the data protection law, but are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and prevent alteration, corruption or access by unauthorized third parties. Appropriate technical and organizational measures should be implemented to ensure a level of security appropriate to the risk.
Employers in Nigeria should follow the data security standards outlined in the Nigerian Data Protection Regulation (2019, 2.6). Measures should include protection against all conceivable hazards and breaches, including theft, cyberattacks, viruses, dissemination and manipulation. Employers should implement measures including “protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.”
HR Best Practices: Nigeria’s Data Protection Regulation imposes a general duty of care when collecting personal data from individuals (including employees and job applicants). Beyond the required measures, employers should act with reasonable diligence to protect personal information and to prevent data breaches.