Download This PaperConducting Data Protection Impact Assessments for Online Profiling under the NDPR 2019
Protecting Digital Consumers, Assets, Identity, Privacy and Data in a Digital Economy: The Nigerian Experience
32 Pages Posted: 30 Jun 2021 Last revised: 17 Jun 2022
Date Written: June 17, 2021
Abstract
Under the Nigerian Data Protection Regulations 2019 (the NDPR 2019), one of the governance mechanisms recommended by the National Information Technology Development Agency (NITDA) as part of being accountable in data processing operations is the data protection impact assessment (DPIA), a tool for identifying and minimising data protection risks. According to NITDA, data processing operations involving the intense use of personal data should be subjected to a DPIA. On this basis, I argue that online profiling including online behavioural advertising (OBA) is an intensive data processing operation and is thus eligible for a DPIA. I support this argument by examining the particular nature of online profiling, and identifying specific data protection risks inherent in online profiling that poses harm to the rights and freedoms of the data subject, thereby justifying a need for a DPIA.
Based on a review of experiences and recommended practices from other jurisdictions, I thereafter set out a simple and flexible framework for conducting a DPIA in the context of online profiling. In this regard, I describe each stage of the DPIA process in relation to online profiling and how it may assist data controllers and processors comply with their accountability obligation under the NDPR 2019. The aim here is to provide a reference guide for mitigating data protection risks inherent in online profiling and particularly, to assist data controllers formulate an overall data processing compliance strategy for online profiling under the NDPR 2019 pending when NITDA issues comprehensive guidance for organisations wishing to conduct a DPIA in this circumstance.
Suggested Citation: Suggested Citation