Intelligent CIO Africa Issue 20 - Page 66

INTELLIGENT BRANDS // Cloud The importance of GDPR compliance for Nigerian businesses ///////////////////////////// Adebayo Sanni, Oracle Nigeria’s MD stresses that the significance of GDPR isn’t only for global companies, a small start-up in downtown Lagos serving a customer in Europe isn’t exempt from compliance. T he deadline for compliance with the General Data Protection Regulation (GDPR) has come and gone. And while it happened without too much fanfare in Nigeria, companies that think they can ignore the legislation and maintain a business as usual approach are in for a rude awakening. Any organisation (irrespective of its size, industry or geographic location) that has dealings with a company or people inside the European Union (EU) must adhere to it. Those not willing to do so face fines of either €20 million or 4% of their global revenue. For cloud providers that have customers around the world, this is a significant piece of regulation. However, even a small start-up in downtown Lagos that provides a service to a person living in France must be compliant. Of course, the cloud provides many benefits to organisations that are required to be GDPR-compliant. Not only does it provide a more secure platform, but the environment is robust and continuously updated to reflect the latest technology innovations. Changing behaviour At 68 pages with 99 separate areas of focus, it is hardly surprising that many feel intimidated by GDPR. For those providing cloud or ‘as-a-service’ solutions, there are 66 INTELLIGENTCIO Adebayo Sanni, Managing Director, Oracle Nigeria four key requirements to consider – data security; rights of individuals; documentation and security audits; and data breach notifications. But even before one can delve into the technical aspects of compliancy, the reality is that many Nigerian businesses need to change the way they view and use data. Certainly, the situation is not unique to the country with many others struggling to adapt to a new way of capturing, storing, using and sharing data. Companies should carefully review whether the information they collect about their customers is necessary and, if it is, how securely is it stored and protected from external systems. An important aspect of this is to make sure the language used in data collection policies is written in a way that the layperson can understand. So, no more hiding behind legalese or difficult to follow technical concepts. Already, there is a groundswell of support to the mantra ‘your data, your property.’ Nigerian businesses must ensure they keep this in mind. This is also where the critically important ‘right to forget’ component of GDPR comes in. A consumer can delete his or her profile at a business with the personal information needing to be wiped clear. Just consider the impact this will have on social networks. Local guidance Fortunately, Nigeria has the Digital Rights and Freedom Bill for companies to fall back on. Even though it is still awaiting presidential assent, the bill does provide organisations with guidance on data handling, collection and use in the country. Furthermore, compliance is not something that is done once and forgotten. Instead, decision-makers need to continually review and assess their data management strategies and policies. The GDPR is an ongoing concern that requires an integrated approach to data. Fundamentally, local companies do not have the luxury of using disparate databases and systems any longer. They must all be integrated, with the data securely stored every step of the process. n