GDPR & Cloud Computing in Nigeria
GDPR stands for General Data Protection Regulation. It came into effect on 25 May 2018, just over a year ago. It was created to protect the personal data of individuals in the EU and applies to any organisation, regardless of location, that collects or processes the personal data of people in the EU. By introducing it as a single law, the EU expects to bring better transparency, support the rights of individuals and grow the digital economy. Because the GDPR is a regulation and not a directive, it is directly applicable in all EU member states without national implementing legislation. Organisations that ignore the GDPR are opening themselves up to uncertain liabilities, substantial risk and potentially severe financial consequences.
On 25 January 2019, Nigeria's National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation 2019 (the Regulation), in what I would like to believe is a response to the EU's GDPR. The Regulation took effect on the same date to safeguard the right of natural persons to the privacy of their personal data by, among other measures, regulating transactions involving the collection, use and exchange of personal data. However, Nigeria does not yet have an enforcement framework to ensure that, as a country, we conform to these standards.
Enforcing data protection ensures that organisations using or keeping people's data do so in a more responsible manner, minimising the risk of the data being used without permission or, much worse, for illegal purposes.
From a GDPR enforcement perspective, with the advancement of technology, a company that sells products or provides services online is a global business. With this global reach come certain responsibilities, some of which are embedded in laws and regulations with specific and potentially costly consequences in Europe. EU supervisory authorities can levy fines of up to 4% of annual global turnover or 20 million euros, whichever is greater. Organisations can no longer discharge this responsibility by having people sign long, verbose documents. Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous, and it must be obtained before the data is used; a tick box buried in pages of terms does not qualify.
From a cloud perspective, data protection is an embedded ethos and the bedrock of the principles guiding the use of cloud platforms. Cloud computing is sold on a platform of data security and confidentiality. With a large number of organisations using the cloud, responsibility for handling customer data extends to the cloud provider. The cloud provider should not be able to read or make use of its clients' data at will. Management of clients' data in a cloud environment is a shared responsibility between the data owner and the cloud provider. This is what makes the cloud provider's internal processes and monitoring so important:
- The cloud provider needs to ensure that there is a demarcation of responsibility within its organisation, so that no individual or team has unchecked access that could lead to a breach of clients' data.
- There must be internal logging of activities to show who did what and when, and to demonstrate that all clients' data remain safe and intact.
- Data control and visibility: clients should have a clear view of the data stored and of its backups. Visibility across the entire infrastructure is required.
- The GDPR's purpose-limitation principle mandates that personal data is used only for the purposes for which it was collected. Control over how the data is used, and over its retention period, is therefore essential.
- There also needs to be a way for clients to understand and manage their side of the shared-responsibility matrix. To a great number of clients, the cloud environment is a black box. Without clear guidelines the client could inadvertently compromise its own data. The same guiding principles that apply to an internal infrastructure platform apply in a cloud environment.
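The list above is organisational, but three of the controls it keeps returning to (an audit trail of who did what and when, purpose limitation, and retention limits) can be made concrete in code. The following is an added illustration written for this article, not code from the article's author or from any cloud provider; the purposes, retention periods, actor names and records are all constructed values, and a real deployment would back the audit log with tamper-evident, append-only storage.

```python
"""Added illustration (not from the article): a small personal-data store that
enforces purpose limitation and retention, and records every action in an
audit log. Purposes, retention periods and records are constructed values."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical retention policy: how long data collected for each purpose
# may be kept. Only purposes listed here may be stored at all.
RETENTION = {
    "billing": timedelta(days=365 * 7),   # e.g. statutory accounting record
    "support": timedelta(days=90),
    "marketing": timedelta(days=30),
}


@dataclass
class Record:
    subject_id: str        # the data subject the record is about
    purpose: str           # purpose declared when the data was collected
    collected_at: datetime
    payload: dict


class PurposeViolation(Exception):
    """Raised when data is requested for a purpose it was not collected for."""


class PersonalDataStore:
    """Holds records and enforces purpose limitation and retention.
    Every store, read, denied read and deletion is appended to audit_log
    with the actor, the action, the subject and a timestamp."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._records = []
        self.audit_log = []
        self._clock = clock      # injectable so the demo is deterministic

    def _audit(self, actor, action, subject_id, detail=""):
        self.audit_log.append({
            "at": self._clock().isoformat(),
            "actor": actor, "action": action,
            "subject": subject_id, "detail": detail,
        })

    def store(self, actor, record):
        # Refuse data that has no declared purpose and retention period.
        if record.purpose not in RETENTION:
            raise ValueError(f"no retention policy for purpose {record.purpose!r}")
        self._records.append(record)
        self._audit(actor, "store", record.subject_id, record.purpose)

    def read(self, actor, subject_id, purpose):
        """Return payloads about subject_id collected for exactly `purpose`.
        If the subject's data exists only under other purposes, the attempt
        is logged as denied and rejected (purpose limitation)."""
        held = [r for r in self._records if r.subject_id == subject_id]
        allowed = [r for r in held if r.purpose == purpose]
        if held and not allowed:
            self._audit(actor, "read-denied", subject_id,
                        f"requested for {purpose}, held only for other purposes")
            raise PurposeViolation(f"{subject_id}: no data collected for {purpose}")
        self._audit(actor, "read", subject_id, f"{purpose}: {len(allowed)} record(s)")
        return [r.payload for r in allowed]

    def expire(self, actor="retention-job"):
        """Delete records older than their purpose's retention period.
        Returns the number of records removed; each removal is audited."""
        now = self._clock()
        keep, dropped = [], []
        for r in self._records:
            (dropped if now - r.collected_at > RETENTION[r.purpose] else keep).append(r)
        self._records = keep
        for r in dropped:
            self._audit(actor, "expire", r.subject_id, r.purpose)
        return len(dropped)

    def count(self):
        return len(self._records)


def demo():
    """Constructed scenario: one subject held for marketing and billing,
    another for support; the marketing record is past its 30-day limit."""
    fixed_now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    store = PersonalDataStore(clock=lambda: fixed_now)
    store.store("crm-app", Record("sub-1", "marketing",
                fixed_now - timedelta(days=45), {"email": "a@example.com"}))
    store.store("billing-app", Record("sub-1", "billing",
                fixed_now - timedelta(days=45), {"invoice": "INV-1"}))
    store.store("helpdesk", Record("sub-2", "support",
                fixed_now - timedelta(days=10), {"ticket": "T-9"}))
    expired = store.expire()                      # removes the stale marketing record
    try:
        store.read("helpdesk", "sub-1", "support")   # sub-1 was never collected for support
        violation = False
    except PurposeViolation:
        violation = True
    billing = store.read("billing-app", "sub-1", "billing")
    return expired, violation, len(billing), store.count(), store.audit_log


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

The point of the demo is the audit log it leaves behind: three stores, one expiry, one denied read and one permitted read, each attributable to a named actor and time. That is the evidence a provider needs to show a client (or a regulator) who touched which subject's data, and that data collected for one purpose was neither reused for another nor kept past its retention period.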
With serious penalties for violations, failing to comply with the GDPR is a huge risk and an expensive mistake. Implementing the necessary measures is essential both to protect your data and to demonstrate your compliance. Whether you have implemented basic cyber security controls or taken it a step further by implementing an ISO 27001 ISMS (information security management system), you are already en route to GDPR compliance.