SUMMARY OF DAY ONE OF THE NBA IBADAN CLE TRAINING ON DATA PROTECTION ESSENTIALS FOR LEGAL PROFESSIONALS
Meet the Facilitators for the NBA Ibadan CLE Training on Data Protection
January 22, 2025
The summary below was primarily generated via Artificial intelligence
Tolulope Idowu began the Legal Education Series, welcoming everyone and introducing the NBA Chairman, Ibrahim Lawal, Esq. Ibrahim expressed his pleasure at the meeting and emphasized the importance of being updated on legal issues, particularly data protection. He thanked the committee and the members for their participation and welcomed the lecturers. Tolulope then thanked the chairman and the committee for their support and introduced the facilitators for the day.
Data Protection and Personal Data
The speaker, Oluwagbeminiyi Ojedokun introduces the topic of data protection, explaining its importance and the purpose of the event. She defines data protection as the processes and measures to keep information safe, including methods like encryption, access control policies, and data protection policies. The speaker distinguishes between data privacy, which focuses on individuals’ rights to control their personal data, and data protection, which concerns the security measures to safeguard data. Key terms such as personal data and sensitive personal data are introduced, with personal data defined as any information that can be used to identify a natural person.
Data Protection in Nigeria Overview
Oluwagbeminiyi discussed the key data protection terms, including special categories of data, processing, data subject, data controller, and data processor. She explained the legal framework for data protection in Nigeria, including the Nigerian Data Protection Act (NDPA) 2023 and the Nigerian Data Protection Regulations (NDPR). She also outlined the principles for processing personal data, such as lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, and integrity and confidentiality. Oluwagbeminiyi further discussed the lawful bases for processing personal data, including consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. She also highlighted the rights of data subjects, such as the right to confirm processing, access, rectification, erasure, data portability, objection, and not being subject to automated decision-making. Lastly, she emphasized the obligations of data controllers and processors under the NDPA, including registration with the Nigerian Data Protection Commission, implementing technical and organizational measures for data security, conducting data protection impact assessments, engaging third-party processors, and notifying relevant stakeholders in case of a data breach.
Nigeria Data Protection Regulation Overview
Oluwagbeminiyi discussed the Nigeria Data Protection Regulation (NDPR), emphasizing the importance of annual compliance audits and the right of individuals to monitor, audit, and report on data controllers’ compliance. She also addressed cross-border data transfers, stating that organizations can transfer data to countries with adequate data protection measures, such as binding corporate rules, contractual clauses, or certification mechanisms. Oluwagbeminiyi clarified that an employee can request access to their personal data, including information from previous employers, and that the NDPR largely follows the GDPR in addressing cross-border data transfers. She concluded by stressing the importance of understanding and adhering to data protection laws in multiple jurisdictions.
Securing Client Data in Legal Practice
Fernandez begins a discussion on best practices for securing client data in legal practice. He encourages attendees to review privacy guidance documents available on the NBSLP website, including guidelines on AI use, technology usage, and privacy for legal practitioners in Nigeria. Fernandez emphasizes the importance of client data protection for lawyers, citing professional ethics, legal compliance, and risk mitigation as key reasons. He notes that lawyers are entrusted with sensitive client information and have a duty to protect it according to professional rules and regulations.
Protecting Client Data and Privacy
Fernandez Marcus-Obiene discussed the various ways data can be compromised, including phishing attacks, stolen devices, insider threats, ransomware attacks, misconfigured cloud storage, unsecured file transfers, physical document theft, unauthorized access, improper disposal, third-party vendor breaches, misdirected communication, and social engineering. He emphasized the importance of protecting client data and privacy, and provided tips on how to do so, such as collecting only the minimum necessary data, obtaining informed consent, having transparent data protection policies, ensuring secure storage and transmission practices, and conducting regular risk assessments. He also highlighted the need to be competent in using technology and to update software regularly to avoid vulnerabilities. Fernandez also demonstrated how to check the authenticity of emails and how to use AI tools like Chat GPT and Claude while maintaining client privacy.
Security and Privacy in Law Firms
Fernandez discussed the importance of security and privacy in law firms, emphasizing the need for a streamlined approach to managing these aspects. He demonstrated how to share a screen without revealing sensitive information and suggested using cybersecurity guidelines from the NBA’s digital committee to build a privacy program. Ridwan then took over, discussing the importance of identifying a cybersecurity framework and implementing a privacy program. He highlighted the need for staff training to foster a security culture and ensure confidentiality and integrity of client data. Both speakers stressed the importance of compliance with cybersecurity and privacy laws.
Cybersecurity Measures for Law Firms
Ridwan Bhadmus discussed various cybersecurity measures for law firms, emphasizing the importance of two-factor authentication and password managers. He recommends using complex passwords, encrypting files, and maintaining data backups. Ridwan also stresses the need to vet vendors, including AI providers, and to implement proper access controls. Fernandez adds advice on securing client data in litigation, suggesting redacting sensitive information before sharing, implementing retention policies, and using multi-factor authentication. He also recommends regularly updating passwords and authentication keys, and advises against using free antivirus software in favor of Windows Defender or paid alternatives.
Data Privacy and Legal Compliance
Ade Adedeji, a chief privacy and data officer at Data Works Analytics, was the next speaker. He discussed the legal basis for processing personal data, focusing on contract and consent. Ade emphasized the importance of transparency and the need for organizations to demonstrate how consent was given and when it was revoked. He also touched on the use of consent notices and privacy policies in legal firms. The session was interactive, with Ade encouraging questions and discussions.
Clear Communication and Data Protection
Ade discussed the importance of clear communication with clients regarding data processing, including the purpose of data processing, the types of personal data processed, and the rights of data subjects. Ade emphasized the need for organizations to provide information to their clients before collecting or sharing their data. He also highlighted the importance of data security, using technical measures to ensure data is not compromised, and the need for organizations to have a data protection office. Ade concluded by stressing the need for organizations to include their contact information in their privacy policy for data protection-related matters.
Data Processing Agreements and Outsourcing
Ade discussed the importance of data processing agreements, particularly in the context of outsourcing IT or HR departments to third-party organizations. He emphasized that these agreements are legally binding and should include details such as the purpose and scope of processing, roles and responsibilities, data collection purposes, security measures, sub-processors, data breach notification, data retention and destruction, data portability, audit and inspection rights, and indemnification. Ade also mentioned that these agreements are not only important for the organization but also for the third-party organizations working on behalf of the organization. He concluded by encouraging the participants to participate in an interactive quiz to reinforce their knowledge on the topic.
Data Protection and Cybersecurity Framework
Ade led a comprehensive session on data protection, covering topics such as the General Data Protection Regulation (GDPR), the Data Protection Act (DPA), and the National Data Protection Commission (NDPC). The session included interactive quizzes to test participants’ understanding of the material. The session concluded with a discussion on the cost and setup of a cybersecurity framework for law firms, and whether it’s necessary to have a cybersecurity expert or if staff can be trained to handle this function. The session also addressed the legality of Internet Service Providers sharing browsing history with employers without consent. Ade emphasized the importance of understanding the specific purpose of data processing and the legal basis for it, and suggested outsourcing cybersecurity if in-house expertise is lacking. The session ended with a reminder of a follow-up session on compliance requirements and strategies for litigating data protection issues.
The above summary was primarily generated via Artificial intelligence.
.
Click on the button below to download the Programme Schedule
.
Register for the NBA Ibadan CLE Training via:
