Today, almost everything from banking, shopping, learning, employment applications to registration for services is done online, via a website or mobile App. A person making use of the various platforms (Data Subject) is required to provide some form of personal information, otherwise known as Personal Data.

Article 2.5 of the Nigeria Data Protection Regulation (NDPR) 2019 requires any medium through which Personal Data is being collected or processed to display a simple and conspicuous Privacy Policy or Notice that the class of Data Subject (person whose data is being collected) can understand.

So, what is a Privacy Policy? Simply put, a Privacy Policy or Notice is a statement or document which explains how an organization handles any customer, client or employee (Data Subject’s) information gathered in the course of its operations.

The NDPR states that a Privacy Policy must contain the following:

i. that the Data Subject has the right to consent to the collection of their data and what constitutes giving of consent i.e. ticking a box. It should also state that the Data Subject has the right to withdraw consent, be forgotten, rectify information provided, to restrict processing and Personal Dataportability 

ii. a description of the collectable Personal Data i.e. what information is required

iii. the purpose for the collection and processing of the Personal Data – i.e. as a result of a contractual obligation – provision of details to receive a service, loan, etc.

iv. the Technical Methods used to collect and store personal information, cookies JWT, web tokens,etc.

v. what access (if any) Third Parties have to the Personal Data collected and the purpose for the access 

vi. period of storage of the Personal Data

vii. remedies available in the event of a violation of the Privacy Policy

viii. the time frame for the remedy

A Privacy Policy is not only required for online businesses, any entity or organization that collects and processes Personal Data must have a Privacy Policyor Notice. 

Next time you are required to provide your Personal Data, it would be wise to look for and read the Privacy Policy first to know how your Personal Data would be handled and who would have access to it.