Laws and Regulation (e.g. GDPR, NDPR) | Cyber Security Tutorial - Learn with VOKS

Laws and Regulation (e.g. GDPR, NDPR)


Why Data Protection Laws Exist

Before these laws:

  • Companies collected personal data without limits
  • Users didn’t know how their data was used
  • Data breaches were hidden
  • There were few consequences for misuse

Governments introduced data protection laws to:

  • Protect personal privacy
  • Force companies to be transparent
  • Reduce data misuse
  • Penalize negligent organizations

What Is Personal Data?

Personal data is any information that can identify a person.

Examples:

  • Name
  • Email address
  • Phone number
  • Home address
  • IP address
  • National ID number
  • Bank details
  • Biometric data (fingerprints, face scan)

If data can identify someone directly or indirectly, it is personal data.

What Is GDPR?

General Data Protection Regulation (GDPR) is a European Union law that took effect in 2018.

Even if a company is not in Europe, GDPR still applies if it:

  • Offers goods/services to EU residents
  • Collects data from people in the EU

Main Goals of GDPR:

  • Give people control over their personal data
  • Make companies responsible for protecting it
  • Standardize data protection across Europe

Key Principles of GDPR (Simplified)

GDPR is built on important principles:

1. Lawfulness, Fairness & Transparency

You must tell users:

  • What data you collect
  • Why you collect it
  • How it will be used

2. Purpose Limitation

Collect data only for a specific reason.

3. Data Minimization

Collect only what you need — nothing extra.

4. Accuracy

Keep data correct and updated.

5. Storage Limitation

Don’t keep data longer than necessary.

6. Integrity & Confidentiality

Protect data with proper security measures.

Rights of Individuals Under GDPR

People have powerful rights, including:

  • Right to access their data
  • Right to correct incorrect data
  • Right to delete data ("Right to be Forgotten")
  • Right to data portability
  • Right to object to processing

Companies must respond to these requests within a specific time (usually 30 days).
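The rights listed above, together with the storage-limitation principle from the previous section, can be exercised against a records store. The following is an added example, not code from the VOKS tutorial: a small in-memory store that answers access, rectification, erasure, portability and objection requests, logs each request against the 30-day deadline the text mentions, and purges records older than an assumed retention period. The class and field names, the one-year retention period, the fixed clock and the two sample records are all assumptions made for illustration.

```python
"""Data subject rights and storage limitation (added example, stdlib only)."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RESPONSE_DEADLINE = timedelta(days=30)   # the "usually 30 days" from the text
RETENTION_PERIOD = timedelta(days=365)   # assumed retention policy, not from the text
EDITABLE_FIELDS = {"name", "email"}      # rectification may not touch identifiers

SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed clock value


@dataclass
class Subject:
    subject_id: str
    name: str
    email: str
    created_at: datetime
    processing_allowed: bool = True   # cleared when the person objects

    def to_dict(self):
        d = self.__dict__.copy()
        d["created_at"] = self.created_at.isoformat()
        return d


class PersonalDataStore:
    def __init__(self):
        self._records = {}
        self.request_log = []   # one entry per rights request, kept for audit

    def add(self, subject):
        self._records[subject.subject_id] = subject

    def _log(self, subject_id, kind, received_at, handled_at):
        entry = {"subject_id": subject_id, "type": kind,
                 "received_at": received_at,
                 "due_by": received_at + RESPONSE_DEADLINE,
                 "handled_at": handled_at or received_at}
        entry["within_deadline"] = entry["handled_at"] <= entry["due_by"]
        self.request_log.append(entry)
        return entry

    # Right of access: hand back a copy, never the live record
    def access(self, subject_id, received_at, handled_at=None):
        self._log(subject_id, "access", received_at, handled_at)
        s = self._records.get(subject_id)
        return s.to_dict() if s else None

    # Right to rectification, limited to fields that are not identifiers
    def rectify(self, subject_id, field_name, value, received_at, handled_at=None):
        self._log(subject_id, "rectify", received_at, handled_at)
        s = self._records.get(subject_id)
        if s is None or field_name not in EDITABLE_FIELDS:
            return False
        setattr(s, field_name, value)
        return True

    # Right to erasure ("right to be forgotten")
    def erase(self, subject_id, received_at, handled_at=None):
        self._log(subject_id, "erase", received_at, handled_at)
        return self._records.pop(subject_id, None) is not None

    # Right to portability: a machine-readable export in a common format
    def export_portable(self, subject_id, received_at, handled_at=None):
        self._log(subject_id, "portability", received_at, handled_at)
        s = self._records.get(subject_id)
        return json.dumps(s.to_dict(), indent=2) if s else None

    # Right to object: keep the record but stop processing it
    def object_to_processing(self, subject_id, received_at, handled_at=None):
        self._log(subject_id, "object", received_at, handled_at)
        s = self._records.get(subject_id)
        if s is None:
            return False
        s.processing_allowed = False
        return True

    # Storage limitation: drop records older than the retention period
    def purge_expired(self, now):
        expired = [sid for sid, s in self._records.items()
                   if now - s.created_at > RETENTION_PERIOD]
        for sid in expired:
            del self._records[sid]
        return expired


def build_sample_store():
    """Two constructed records: one fresh, one past the assumed retention period."""
    store = PersonalDataStore()
    store.add(Subject("u1", "Ada", "ada@example.com",
                      datetime(2024, 5, 1, tzinfo=timezone.utc)))
    store.add(Subject("u2", "Bob", "bob@example.com",
                      datetime(2023, 1, 15, tzinfo=timezone.utc)))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.export_portable("u1", SAMPLE_NOW))
    print("purged:", store.purge_expired(SAMPLE_NOW))
    print("erased u1:", store.erase("u1", SAMPLE_NOW))
```

Every request is logged with its due date and whether it was handled in time, so the log doubles as the evidence an auditor asks for; the `handled_at` argument lets a late response be recorded honestly rather than silently.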

What Is NDPR?

The Nigeria Data Protection Regulation (NDPR) is Nigeria’s data protection framework, introduced in 2019.

It is similar to GDPR but applies primarily within Nigeria.

NDPR Applies To:

  • Organizations processing data of Nigerian citizens
  • Companies operating in Nigeria

NDPR Key Requirements

NDPR requires organizations to:

  • Obtain consent before collecting data
  • Publish a privacy policy
  • Secure personal data
  • Report data breaches
  • Conduct data protection audits

Organizations must also appoint a Data Protection Officer (DPO) if they process significant amounts of data.

What Is Consent?

Consent means:

  • It must be clear
  • It must be voluntary
  • It must be informed
  • It must be specific

Bad example:

  • Pre-checked boxes
  • Hidden consent in long text

Good example:

  • Clear checkbox asking permission

Example:

[ ] I agree to the processing of my personal data for marketing purposes.

The user must actively check it.

Data Breach Requirements

A data breach happens when personal data is:

  • Leaked
  • Stolen
  • Accessed without authorization

Under GDPR:

  • Must report within 72 hours

Under NDPR:

  • Must notify appropriate authority and affected individuals
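To make the two notification duties above concrete, here is an added example (not code from the tutorial) that tracks a breach incident against them: the 72-hour GDPR clock, which starts when the breach becomes known, and the recipients each regime requires, taken from the text as "authority" for GDPR and "authority" plus "individuals" for NDPR. The incident identifier, record count, timestamps and the recipient labels are constructed for illustration.

```python
"""Breach notification deadline tracking (added example, stdlib only)."""
from datetime import datetime, timedelta, timezone

GDPR_WINDOW = timedelta(hours=72)   # reporting window stated in the text

# Recipients required under each regime, as the text describes them.
# The "authority" / "individuals" labels are this example's own names.
REQUIRED_NOTIFICATIONS = {
    "GDPR": {"authority"},
    "NDPR": {"authority", "individuals"},
}


class BreachIncident:
    def __init__(self, incident_id, regimes, detected_at, records_affected):
        self.incident_id = incident_id
        self.regimes = set(regimes)
        self.detected_at = detected_at      # the clock starts when the breach is known
        self.records_affected = records_affected
        self.notifications = {}             # recipient -> datetime the notice was sent

    def gdpr_deadline(self):
        return self.detected_at + GDPR_WINDOW if "GDPR" in self.regimes else None

    def hours_remaining(self, now):
        deadline = self.gdpr_deadline()
        if deadline is None:
            return None
        return (deadline - now).total_seconds() / 3600   # negative once overdue

    def record_notification(self, recipient, sent_at):
        self.notifications[recipient] = sent_at

    def outstanding(self):
        """Recipients that an applicable regime requires but that have not been told."""
        required = set().union(*(REQUIRED_NOTIFICATIONS[r] for r in self.regimes))
        return sorted(required - set(self.notifications))

    def gdpr_status(self, now):
        """'open', 'overdue', 'on time' or 'late' for the 72-hour authority notice."""
        deadline = self.gdpr_deadline()
        if deadline is None:
            return "not applicable"
        sent = self.notifications.get("authority")
        if sent is not None:
            return "on time" if sent <= deadline else "late"
        return "overdue" if now > deadline else "open"


def sample_incident():
    """A constructed incident subject to both regimes."""
    detected = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)
    return BreachIncident("INC-0001 (constructed)", ["GDPR", "NDPR"],
                          detected, records_affected=1200)


if __name__ == "__main__":
    inc = sample_incident()
    now = inc.detected_at + timedelta(hours=30)
    print("hours left:", inc.hours_remaining(now))
    print("status:", inc.gdpr_status(now), "outstanding:", inc.outstanding())
```

The distinction between "overdue" (nobody has been told and the window has passed) and "late" (the notice went out, but after the window) matters for the incident record: both need explaining to the authority, but only the first can still be acted on.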

Penalties for Violations

These laws are serious.

GDPR Fines:

Up to €20 million or 4% of global annual turnover (whichever is higher).

NDPR Penalties:

Fines based on percentage of annual revenue.

This ensures companies take privacy seriously.

Real-World Enforcement Example

Companies like Meta and Google have faced large GDPR fines for privacy violations.

This shows the law is actively enforced.

Practical Example: Compliant Data Collection (Simple Code)

Below is a very basic example of how to properly collect user data with consent in a web application.

Example (Python Flask Web App – Simplified)

from flask import Flask, request, render_template_string
from markupsafe import escape

app = Flask(__name__)

# The `required` attribute on the checkbox is only enforced by the browser;
# the server still checks the submitted value in collect_data() below.
html_form = """
<form method="POST">
    Name: <input type="text" name="name"><br><br>
    Email: <input type="email" name="email"><br><br>

    <input type="checkbox" name="consent" required>
    I agree to the processing of my personal data.<br><br>

    <input type="submit" value="Submit">
</form>
"""

@app.route("/", methods=["GET", "POST"])
def collect_data():
    if request.method == "POST":
        name = request.form.get("name")
        email = request.form.get("email")
        # An unchecked checkbox is simply absent from the form data, so this is None
        consent = request.form.get("consent")

        if consent:
            # escape() prevents user input from being rendered as HTML in the reply
            return f"Data received for {escape(name)}. Consent recorded."
        else:
            return "Consent is required."

    return render_template_string(html_form)

if __name__ == "__main__":
    # debug=True is for local learning only; never run a public app with it
    app.run(debug=True)

Why This Is Compliant (Basic Level):

  • User must actively check consent box
  • Consent is required before submission
  • Clear statement of agreement

In a real system, you would also:

  • Store timestamp of consent
  • Encrypt stored data
  • Provide privacy policy link
  • Allow users to delete their data
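The server-side part of those additions, and of the consent rules from the "What Is Consent?" section, is shown in the following added example (not code from the tutorial; it uses only the standard library, so it runs without Flask). It validates a submission the way the route above should: a box counts as checked only when the browser sent the literal "on" for it, consent is recorded per purpose, and the record keeps the timestamp and the policy version the user saw. It also supports withdrawal and deletion. The purposes, the policy version label, the placeholder policy URL and the sample submissions are all assumptions; encrypting the stored record is left to a cryptography library and is not shown.

```python
"""Consent records with timestamp, policy version and withdrawal (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

PRIVACY_POLICY_URL = "https://example.invalid/privacy"   # placeholder, not a real page
POLICY_VERSION = "2024-01"                                # assumed version label
# Consent is recorded per purpose; one "accept everything" box is not specific.
PURPOSES = ("service", "marketing")

SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock

# Constructed form submissions. A browser checkbox without a value attribute
# sends "on" when checked and nothing at all when unchecked.
SAMPLE_FORMS = {
    "valid": {"name": "Ada", "email": "ada@example.com", "consent_service": "on"},
    "marketing_too": {"name": "Cy", "email": "cy@example.com",
                      "consent_service": "on", "consent_marketing": "on"},
    "no_box": {"name": "Bob", "email": "bob@example.com"},
    "nonstandard": {"name": "Eve", "email": "eve@example.com", "consent_service": "true"},
}


@dataclass
class ConsentRecord:
    email: str
    purposes: dict                  # purpose -> True/False as submitted
    given_at: datetime              # timestamp of the consent
    policy_version: str             # which wording the user actually agreed to
    policy_url: str
    withdrawn_at: Optional[datetime] = None


class ConsentRegistry:
    def __init__(self):
        self._records = {}

    def process_submission(self, form, now):
        """Validate a submission and store the decision. Returns (ok, message)."""
        email = (form.get("email") or "").strip()
        if "@" not in email:
            return False, "A valid email is required."
        # Only the exact checkbox value counts; anything else is treated as unchecked
        purposes = {p: form.get(f"consent_{p}") == "on" for p in PURPOSES}
        if not purposes["service"]:
            return False, "Consent is required."
        self._records[email] = ConsentRecord(email, purposes, now,
                                             POLICY_VERSION, PRIVACY_POLICY_URL)
        return True, f"Consent recorded at {now.isoformat()} under policy {POLICY_VERSION}."

    def is_allowed(self, email, purpose):
        """True only for a purpose that was ticked and not withdrawn since."""
        rec = self._records.get(email)
        if rec is None or rec.withdrawn_at is not None:
            return False
        return rec.purposes.get(purpose, False)

    def withdraw(self, email, now):
        rec = self._records.get(email)
        if rec is None:
            return False
        rec.withdrawn_at = now     # the record stays as proof of what was agreed, and when
        return True

    def delete(self, email):
        """Right to erasure: remove the record entirely."""
        return self._records.pop(email, None) is not None

    def record(self, email):
        return self._records.get(email)


if __name__ == "__main__":
    reg = ConsentRegistry()
    for label, form in SAMPLE_FORMS.items():
        print(label, "->", reg.process_submission(form, SAMPLE_NOW))
```

Keeping the policy version in the record is what lets you answer "what exactly did this person agree to?" after the privacy policy has changed; withdrawal sets a timestamp rather than deleting the record, so the history survives until the person asks for erasure.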
