GDPR and Its Possible Impacts on Nigerian Businesses

The GDPR (General Data Protection Regulation) is now operative; it certainly is going to have its impact on the management of personal data by data controllers and processors, not just in Europe, but everywhere across the world.

Let’s discuss how the new regulation, because of its far-reaching provisions, could possibly impact Nigerian businesses. Let’s focus on the different aspects of this issue.

The GDPR stipulates that even if a business is not located in the European Union and processes personal data/information of people or in relation to goods/services offered within the European Union, it would have to comply with the provisions of the regulation. Thus, Nigerian businesses that process personal data of citizens or residents of the European Union would have to comply with the provisions of GDPR, even if they don’t have an office or even employees physically present in the European Union.

Nigerian businesses that would have to comply with the provisions of the GDPR include:

• Those that target Europen Union citizens/residents via the internet.

• Those that market using a language spoken in any European Union country.

• Those that accept or agree to accept a currency used in any European Union country for the goods or services offered.

• Those that appoint sakes agents in European Union countries.

• Those that offer to ship goods to countries in the European Union.

• Those that represent that have customers in the European Union or track/monitor people in the European Union to analyze spending patterns or online behavior.

To be noted is the fact that the GDPR would be applicable even if a business that has any of these characteristics doesn’t engage in a financial transaction.

Thus, when a business that has no physical presence within the European Union goes against the provisions of the GDPR, it would have to face the consequences. The representative of the business within the jurisdiction of the GDPR would have to face the action. The website or the service of the company may be blocked and if there is a sale or delivery of goods, the goods may be seized. Goods/services of the companies might be blocked and the company might have to face trade restrictions. Assets that the company has within the European Union might even get frozen. The company’s assets in other jurisdictions that recognize judgments of the European Union might also get frozen or seized.

Those Nigerian businesses that would have to comply with the provisions of the GDPR would have to audit, review, update and publicize their data protection and privacy policies, payment policies, and terms of use of their websites/services offered. They would have to implement data protection procedures and train employees on GDPR compliance. They would also have to review/amend contracts with suppliers/vendors involved in activities that involve processing of personal data. They would have to follow certain other guidelines too, including ensuring that only necessary personal data is collected/stored, ensuring deploying processes for security of stored data, appointing Data Protection Officers when large-scale data processing is involved, having clear, unambiguous consent process, implementing data breach detection and notification processes, adopting data masking/encryption/pseudonymization solutions to protect customer data, considering insurance coverage when large-scale data is processed etc.

Many Nigerian companies representing various sectors, including airlines, telecommunications, finance, e-commerce, travel and hospitality, logistics, digital advertising companies, software, application development etc would come under the purview of the GDPR.