MITIGATING DATA SECURITY RISKS IN THE WORKPLACE
One fundamental principle of processing under the Nigeria Data Protection Act 2023 (the “NDPA”) is that personal data must be processed in a manner that ensures appropriate security of the personal data. Consequently, data controllers and processors must adopt robust measures to protect the confidentiality and integrity of personal data under their control and steer clear of practices that may result in data breach incidents. These measures include protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.
Despite the awareness of data breach consequences, both data controllers and processors often overlook common risks within their organizations, inadvertently compromising data security and paving the way for significant breach incidents or regulatory violations.
The focus of today’s article is to highlight 8 (eight) everyday workplace activities that compromise data security within an organization:
- Data Hoarding: Collecting and retaining more data than necessary without proper justification or consent can result in the violation of the NDPA principle of adequacy and increase security risks and liability in the event of a breach.
- Non-compliant Data Transfers/Data Sharing: Sharing sensitive information with third parties without verification of their privacy practices, the explicit consent of the data subject, or proper data-sharing agreements can lead to violations.
- Inadequate Physical Security: A lack of physical security measures and inadequate access control at vital points, such as server rooms, can compromise the integrity of data storage.
- Shared Passwords or Overly Permissive Access Controls: Sharing login credentials, such as passwords, undermines access controls and makes it difficult to trace actions back to specific individuals. Furthermore, granting excessive permissions to multiple users who do not need them increases the risk of unauthorized access and data misuse.
- Improper Document Disposal: Discarding physical or digital documents containing sensitive data without proper shredding or secure deletion can lead to unauthorized access.
- Inadequate Employee Training: Lack of proper training on data privacy policies and the NDPA can result in unintentional violations by employees who are unaware of proper procedures.
- Neglecting Data Breach Response Plans: Failing to have a well-defined plan for responding to and reporting data breaches can exacerbate the impact of such incidents.
- Failure to Update Systems: Neglecting regular updates and patches on software and systems can leave vulnerabilities that attackers can exploit, leading to data breaches.
It is essential to note that managing the above activities in the workplace reduces the risk of a data breach, which could cost a data controller or processor monetary sanctions as well as its reputation. In the event of a breach, the data processor is to notify the data controller, who shall in turn notify the Nigeria Data Protection Commission (the Commission) within 72 hours. Moreover, a data processor or data controller is mandated to maintain a record of all personal data breaches, which shall include the facts relating to such breaches, their effects, and the remedial action taken, in a manner that enables the Commission to verify compliance with the NDPA.
Taxaide Technologies Limited (“Taxtech”) is dedicated to supporting organisations in the implementation of adequate data protection and privacy measures to mitigate risks and manage data breach incidents. By partnering with us, you can be confident of achieving robust compliance with the data protection laws, which instills trust amongst your stakeholders.