What is processing?
The word “processing” is perhaps the most common word one comes across in any discourse relating to privacy and data protection compliance.
Processing refers to any and every action taken by a data controller or data administrator in relation to the personal data of one or more data subjects. It covers everything from the collection of personal data to the destruction of such data, and all actions in between. The Nigeria Data Protection Regulation 2019 (“NDPR”) defines processing to mean “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Many everyday actions – the collection of an employee’s biodata using an employee onboarding form, the remote storage of a company’s Vendor Masterfile (containing personal data), the update of an individual customer’s residential address, the destruction of paper files containing personal information of deceased employees, sending sales information containing personal information to a parent company outside Nigeria – would qualify as “processing” under the NDPR and the GDPR. It is immaterial whether or not such actions were performed using computer systems or other automated means.
Legal basis for processing personal data
A data controller must have a recognisable ground to lawfully process the personal data of one or more data subjects. The NDPR recognises five legitimate bases for processing personal data, and they are as follows:
1. Consent. A data controller may process personal data of a data subject where such data subject has given consent to the processing of the data for one or more specific purposes. For instance, when visiting some websites or accessing some apps, it is common to see pop-ups requiring the consent of users before certain information can be accessed by such users. Some companies also require users to elect whether their information will be stored by such companies. All these are scenarios where consent is sought by data controllers.
It is important to point out that consent must be clear and positive – that is, by means of positive action. Negative or implied consent is not recognised under the NDPR (or the General Data Protection Regulation (“GDPR”), for that matter).