CYBER SCAPE AFRICA | Q2
2019
Privacy & Protection of data: Too important
for Africa
In the financial services industry, the foundation
of the banking sectors and FinTech companies is
trust. The customers trust that their personal
information which is of great commercial value in
today’s world will be treated with utmost care,
although they may not have a clue on what
companies may do with it. So, it behooves on
FinTech companies to obtain the required
consent for the use or storage of customer’s
personal data. But such consent should not be
irrevocable.
Privacy is an inherent fundamental and
constitutional right which is also enshrined in the
Universal Declaration for Human Rights. It is from
this fundamental right; regulations drew data
protection and data privacy. The privacy of every
individual on earth should be protected at all cost
and should not be compromised. Data Protection
and Privacy is a cliché. It came into limelight after
the data breaches by Facebook and Cambridge
Analytica.
No company either in the banking industry or the
FinTech sector is immune from security gaps. It
does not matter if the companies communicate
with the customers on how their data are
accessed, used, or stored; or if the companies
utilize Application Program Interfaces (APIs).
Also, it does not matter if there are regulations
put in place to protect customers. No measure is
100% safe-proofs.
By May 2018, the General Data Protection
Regulation (Regulation (EU) 2016/679) (GDPR)
came into effect and became applicable to
corporations processing personal data of
European Union (EU) citizens irrespective of
whether they are located in Europe or not. In
Africa, laws similar to the EU GDPR are the
Protection of Personal Information (POPI) Act of
South Africa, and in Nigeria, the Nigerian Data
Protection Regulation (NDPR) 2019.
The debate remains that to avoid vulnerabilities
associated with cyber-attacks, and cyber thefts,
organizations must stick to a primary policy of
“Little is Better”. That is, to hold onto as much
little sensitive personal data of its customers as
possible, for the shortest time as possible.
Compliance to regulations and laws does not
protect data either does it protect privacy.
In Africa, there is no unified GDPR for African
nations. Most nations rely on old, antiquated laws
for data protection and privacy. Now, each
African nation is faced with its duty to enact data
protection and privacy law(s). But, for
multi-national organizations in Africa, the battle
on whether or not to transfer the personal data
of its users across the national boundary is an
issue of data sovereignty.
Nnubia Ogbuefi
Tech Lawyer
Data sovereignty is the regulation of data,
particularly in electronic form in its country of
residence. Thus, for each data protection laws in
Africa, there is a principle on data sovereignty
and it prevents the transfer of personal data from
one country to another. The exception to this rule
is compliance with the conditions stipulated in
each individual law.
The bane of these laws is premised on four crucial
measures which all FinTech companies are
obligated to comply with. They include Consent,
Data breaches, Right to access, and Transparency.
37