Data

Protection
and Privacy
 Understanding Data Protection

01
Introduction
Overview
Data protection ensures that data privacy is
maintained and that organizations are
compliant with various regulations regarding
the handling, processing, and securing of
personal and sensitive data.

Why Data Protection is important:

• To safeguard sensitive information against
unauthorized access, use, or exposure.
• To ensure compliance with legal and regulatory
requirements.
• To maintain public trust and confidence in
practices of handling personal data.
Key Concepts in Data Protection
• Sensitive Information Defined:
• Personal data that identifies an individual or could be used to do so (e.g., names, social
security numbers, biometric data).

• Data Protection Principles:

• Legality: Ensuring all data handling is lawful and fair.
• Transparency: Data processing should be transparent to data subjects.
• Purpose Limitation: Data collected for specified, explicit, and legitimate purposes.
• Data Minimization: Collecting only data that is necessary for the purposes stated.
• Accuracy: Keeping data accurate and up to date.
• Storage Limitation: Storing data for no longer than necessary.
• Integrity and Confidentiality: Securing data against unauthorized access.
Legal Frameworks in Data Protection
• Key Regulations:
• GDPR (General Data Protection Regulation): Sets guidelines for collecting and processing
personal information within the EU.
• HIPAA (Health Insurance Portability and Accountability Act): Protects sensitive patient
health information in the United States.
• Overview of other regional laws (e.g., PIPEDA in Canada, Data Protection Act in the UK,
NDPR in Nigeria).

• Rights of Individuals:
• Right to access: Individuals can request access to their personal data.
• Right to rectify: Correcting errors in personal data.
• Right to erase: The 'right to be forgotten'.
• Right to restrict processing: Limiting how data is used.
• Right to data portability: Transferring personal data from one service provider to another.
Data Protection Impact Assessments (DPIAs)
• A DPIA is a systematic process aimed at identifying and minimizing the data protection risks of a
project or plan. It focuses on protecting personal data and ensuring compliance with data
protection laws.

• When to Conduct a DPIA:

• High Risk Situations: It is necessary for processing activities that could result in high risks
to the privacy rights of individuals. Examples include:
• Largescale processing of sensitive personal data.
• Systematic monitoring or tracking of individuals, particularly in public areas.
• Use of new technologies or methods that might affect the privacy of individuals.
Steps in Conducting a DPIA
• Identifying the Need for a DPIA:
• Evaluate whether the data processing activities are likely to pose significant privacy risks to
individuals. This step determines if a DPIA is required based on the nature, scope, context,
and purposes of the processing.
• Describing the Processing Operations:
• Provide a clear and detailed description of the data processing operations. This includes
what data will be collected, how it will be used, who will have access to it, and where it will
be stored.
• Assessing the Necessity and Proportionality:
• Assess whether each element of data processing is necessary and proportionate to the
objectives. This includes evaluating the benefits of the processing activities against the
potential privacy impacts on individuals.
• Mitigating Risks and Outcomes:
• Identify and implement measures to mitigate the identified risks to the privacy and security
of personal data. This may include technical and organizational measures to ensure the
protection of personal data throughout the lifecycle of the project.
Case Study: Implementing DPIAs
Background
• A financial institution planned to launch an online portal allowing customers to view account information and
transaction history. Recognizing the sensitivity of financial data, they conducted a Data Protection Impact
Assessment (DPIA) to address privacy risks and regulatory requirements.
Steps Taken
• Risk Identification: The team assessed risks associated with handling financial data online, particularly about
unauthorized access and data breaches.
• Stakeholder Input: They consulted key stakeholders, including customers, IT security experts, and compliance
officers, to align security measures with user expectations and regulatory standards.
• Enhanced Security: Based on the DPIA findings, the institution implemented twofactor authentication, strong
encryption, and limited access permissions to protect customer data.
Challenges
• User Convenience vs. Security: Customers expected easy access, but implementing strict security measures
occasionally impacted usability.
Outcomes
• Improved Customer Trust: The DPIA helped boost customer confidence in the portal's security, increasing
adoption rates.
• Regulatory Compliance: Compliance with data protection regulations, like GDPR, was ensured, safeguarding the
institution from legal risks.
 Data Masking and Anonymization

•Data Masking – A technique that obscures sensitive information by replacing it with

fictitious data while maintaining the original structure. It is commonly used in non-
production environments like testing and development to prevent unauthorized access to
real data.

Example: In a database containing customer credit card numbers, data masking

might replace the real number 4321-5678-9101-1234 with XXXX-XXXX-XXXX-1234
to prevent unauthorized use.
Data Masking and Anonymization
•Anonymization – A process that removes or modifies personally identifiable
information (PII) to ensure that individuals cannot be re-identified. This is crucial for
compliance with privacy laws and for securely sharing datasets for research and
analysis.

Example: A hospital conducting research might remove patient names and

replace birth dates with age ranges (e.g., replacing John Doe, born 01-15-1985
with Male, 35-40 years old).
Data Masking and Anonymization
•Pseudonymization – A data protection method that replaces identifying information
with pseudonyms, allowing data to be processed without directly linking it to an
individual, but still enabling re-identification under specific conditions.

Example: A company storing customer data might replace names with unique
identifiers like User12345, allowing retrieval of original data only with proper
authorization.
 The Roles of a Data Protection
1. Data Protection Officer (DPO)
Role:
The DPO is responsible for overseeing an organization's data protection strategy and ensuring
compliance with regulations like the General Data Protection Regulation (GDPR) and Nigeria Data
Protection Regulation (NDPR). The DPO acts as a bridge between the organization, data subjects,
and regulatory authorities.

Key Responsibilities:
Monitor compliance with data protection laws.
Provide guidance on data protection policies.
Conduct risk assessments and audits.
Act as a point of contact for regulators and data subjects.

Example:
A multinational bank appoints a DPO to ensure that customer financial data is processed lawfully,
respond to data subject requests, and report data breaches to regulators within the required
timeframe.
The Roles of a Data Protection
2. Data Controller
Role:
A Data Controller determines why and how personal data is processed. They are responsible for
ensuring that data processing complies with legal requirements and protects individuals' privacy
rights.

Key Responsibilities:
Define the purpose and means of data processing.
Ensure that data is collected and processed lawfully.
Implement data protection policies and security measures.
Work with Data Processors to maintain compliance.

Example:
An e-commerce company collecting customer information for order processing acts as a Data
Controller. It decides what data to collect (name, address, payment details), how long to store it, and
how it is shared with delivery partners.
 The Roles of a Data Protection
3. Data Processor
Role:
A Data Processor processes data on behalf of a Data Controller. They do not determine why data is
processed but must follow security guidelines set by the Data Controller.

Key Responsibilities:
Process data only as instructed by the Controller.
Implement appropriate security measures.
Report data breaches to the Controller.
Maintain records of processing activities.

Example:
A cloud storage provider hosting customer data for an insurance company is a Data Processor. They
store and secure the data but do not decide how it is used.
 GDPR VS NDPR

The General Data Protection Regulation (GDPR) and the Nigeria Data Protection Regulation (NDPR) are
both privacy laws designed to protect personal data and ensure individuals’ privacy rights. GDPR,
enforced by the European Union (EU), sets strict rules on how organizations collect, process, and store
personal data of EU citizens, with a focus on transparency, accountability, and consent. Similarly, the
NDPR, introduced by Nigeria’s National Information Technology Development Agency (NITDA), provides
guidelines for the collection, processing, and protection of personal data in Nigeria.
 GDPR VS NDPR

The similarities between GDPR and NDPR include:

1.Data Protection Principles: Both regulations emphasize transparency, consent, and accountability in
processing personal data.
2.Rights of Individuals: GDPR and NDPR grant individuals rights over their data, such as access,
correction, and deletion of personal data.
3.Data Breach Notification: Both require organizations to notify relevant authorities and affected
individuals in the event of a data breach.
4.Penalties: Non-compliance with both GDPR and NDPR can result in significant financial penalties.
While GDPR applies to EU citizens, regardless of where the data controller is located, the NDPR
specifically targets Nigerian citizens and organizations operating within Nigeria or processing the data of
Nigerian citizens
 Feature
Scope
Regulatory Authority
Penalties for Non-Compliance
Consent Requirements
Data Protection Impact Assessment
(DPIA)
International Data Transfers
GDPR (EU) NDPR (Nigeria)
Applies to all EU countries and any Applies to Nigerian organizations and
organization processing EU residents' foreign entities processing the data of
data, even if located outside the EU. Nigerian citizens.
European Data Protection Board (EDPB) NITDA (National Information Technology
and national Data Protection Authorities Development Agency) is responsible for
(DPAs) in each EU country. enforcement.
Fines up to ₦10 million (about €20,000)
Fines up to €20 million or 4% of annual or 2% of annual gross revenue,
global turnover, whichever is higher. depending on the severity of the
violation.
Consent must be freely given, specific, Consent must be explicit and verifiable,
informed, and unambiguous, with clear but the NDPR does not emphasize opt-in
opt-in. as strictly as GDPR.
Mandatory for high-risk data processing
Encouraged but not strictly enforced.
activities.
Strict rules on transferring data outside
NDPR is less stringent on international
the EU, requiring adequate protection
data transfers but requires compliance
measures (e.g., Standard Contractual
with Nigeria’s laws.
Clauses, adequacy decisions).
THANK YOU