If you are a Nigeria-based business providing goods and services directly to (or targeted at) EU businesses or residents, this is a blog post you definitely want to read.
With many Nigeria-based businesses now operating across borders, and relying on the strength of their cross-border (international) mailing and customer lists to build their brand strength, it may be useful for you to consider the implications of the new EU General Data Protection Regulation (GDPR) on your business.
The GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament on 27 April 2016 (enforceable from 25 May 2018) and covers the export of personal data outside the EU.
“Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016
The GDPR will impact Nigeria-based businesses that offer goods or services to individuals in the EU, or process the personal data connected to the offering of goods or services to EU businesses and individuals, or monitor the behaviour of consumers within the EU (regardless of whether they are physically located in the EU).
It will particularly affect any Nigeria-based business that:
- owns or processes data pertaining to an identifiable person resident in the EU.
- contacts those individuals via email, phone, SMS or mail.
- track their engagement via e-shots, cookies, or landing pages for the purpose of profiling EU-resident individuals.
it is reality that a lot of B2B businesses will fall into one or more of these categories, particularly marketing businesses. For B2C businesses, you will impacted by stricter responsibility because there are rules about how you can market to individuals via their personal email address or phone number.
WHAT DOES THIS MEAN?
The definitions of personal data and processing are now more detailed and very broad (e.g. full name, job title, work email address, telephone number, any data relating to an individual’s actions or areas of interest, and even computer IP address), it is any data that allows a person to be identified or even indirectly. It has broadened to encompass all websites and apps that track EU citizens’ online behavior/digital activities e.g. by the use of tracking cookies.
The GDPR applies to not just ‘controllers’, but also ‘processors’ of personal information of customers. Controllers are the persons or entity who determines how and what to use the information for. Processors are the persons or entity who use the information.
There are new requirements and legal obligations on processors (who could also be the controllers) e.g. the requirement to maintain records of personal data and processing activities,and significantly more legal liability for a breach.
Your EU Customers now need to opt in, rather than opt out, of your mailing lists. The usual ‘opt-out’ clause at the bottom of your emails and websites will need to be replaced by opt-in consent. You need to be able to show that your contacts freely gave, specific, informed, unambiguous consent( i.e.they were aware of what they were signing up for). This could be by a written statement, including by electronic means, or an oral statement, or ticking a box when visiting an internet website, or choosing technical settings for information society services or another statement or conduct which clearly indicates their acceptance of the proposed processing of the personal data. Pre-ticked boxes or inactivity will not constitute consent.
WHAT DO YOU DO NEXT?
Speak to us to help you get familiar or ready for the GDPR. If you are a Nigeria-based business with your customers being EU residents, or your target customers being EU residents or you monitor EU residents, you should come speak to us about being ready for and compliant with the provisions, and we can help you determine an approach to comply.
Review your processes. You may need to immediately begin to adapt and implement your new privacy management systems for the May 2018 deadline.Make sure your current opt-in process meet the new rules? If it doesn’t, you will need to change it. You will have to contact everyone (EU Resident) in your database and collate their consent (or else you will need to delete them). You will need to make sure you store this information so you have evidence of their opt-in if you need it.
JEE Client Services provides a shoulder to support your governance, business administration, and compliance burdens. We take away the distractions and help you focus on your core task of running your business. Find out more on how we can support your organisation by visiting our website, subscribing to our posts or contacting us.