A Guide on Data Protection by Design

The General Data Protection Regulation (“GDPR”) requires that a data controller put in place appropriate technical and organisational measures to implement the data protection principles in order to meet the requirements of the regulation and to protect the rights of the data subject. The measures are to be implemented both at the time of the determination of the means for processing and at the time of the processing itself. This is data protection by design and default. Data protection by design and default entails embedding data protection into the design of technology, systems and practices and throughout the lifecycle, such that data protection is considered from the beginning, rather as an afterthought.

DISAP AIR delivers its solution in Nigeria, therefore processes the personal data of individuals resident in Nigeria. DISAP AIR is subject to the data protection legal framework in Nigeria being the Nigeria Data Protection Regulation (“NDPR”). The NDPR just like the GDPR seeks to protect the rights of individuals as it relates to their personal data. Whilst the NDPR makes provision for data protection principles and requires adherence to the principles in the processing of personal data by controllers and processors, the regulation is silent on the data protection by design and default; it has no express provision similar or with the same effect as Article 25 of the GDPR.