1.aI. Write out all the 7 GDPR principles
i. Lawfulness, fairness, and transparency: Personal data must be processed in a lawful, fair, and transparent manner.
Individuals must be informed of how their data is being used and must give their consent for it to be used.
ii. Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes, and must
not be further processed in a way that is incompatible with those purposes.
iii. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes
for which it is processed.
iv. Accuracy: Personal data must be accurate and kept up to date.
v. Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
vi. Integrity and confidentiality: Personal data must be protected against unauthorized or unlawful processing, accidental loss, destruction, or damage.
vii. Accountability: Organizations must be able to demonstrate their compliance with these principles.
They are responsible for implementing appropriate technical and organizational measures to ensure that personal data is processed in accordance with the GDPR.
II. Write out all the DPA of 2018
i. Transparency: The data processing agreement must be clear and easily understandable,
with a clear description of the types of personal data that will be processed and the
purpose for which it will be used.
ii. Lawfulness: The data processing agreement must comply with all relevant laws and regulations,
including the General Data Protection Regulation (GDPR) and any other applicable data protection laws.
iii. Purpose limitation: The data processing agreement must specify the specific, explicit, and legitimate
purpose for which the personal data will be used, and it must not be further processed in a way that is
incompatible with those purposes.
iv. Data minimization: The data processing agreement must ensure that personal data is adequate, relevant,
and limited to what is necessary for the purposes for which it is processed.
v. Accuracy: The data processing agreement must require the data controller to take all reasonable steps
to ensure that personal data is accurate and kept up to date.
vi. Storage limitation: The data processing agreement must limit the storage of personal data to what is
necessary for the purposes for which it is processed.
vii. Integrity and confidentiality: The data processing agreement must ensure that personal data is protected
against unauthorized or unlawful processing, accidental loss, destruction, or damage.
viii. Accountability: The data processing agreement must require the data controller to take responsibility for ensuring compliance with the principles of data processing agreement and to demonstrate its compliance with those principles.
III. Write out all Isah Pantami DPA principles
The Nigeria Data Protection Regulation (NDPR) of 2019, which was issued by the National Information
Technology Development Agency (NITDA), outlines several principles for the processing of personal data in Nigeria.
These include:
i. Transparency: Data controllers must inform data subjects of the types of personal data that will be collected
and the purposes for which it will be used.
ii. Lawfulness: Data controllers must ensure that the processing of personal data is carried out in accordance with
all relevant laws and regulations.
iii. Purpose limitation: Personal data must be collected for specific, explicit, and legitimate purposes and must not
be further processed in a way that is incompatible with those purposes.
iv. Data minimization: Personal data must be adequate, relevant, and limited to what is necessary for the purposes
for which it is processed.
v. Accuracy: Personal data must be accurate and kept up to date.
vi. Storage limitation: Personal data must be kept in a form that permits identification of data subjects for no longer
than is necessary for the purposes for which the personal data are processed.
vii. Integrity and confidentiality: Personal data must be protected against unauthorized or unlawful processing,
accidental loss, destruction, or damage.
viii. Accountability: Data controllers must be able to demonstrate their compliance with the principles of the NDPR and
take responsibility for ensuring that personal data is processed in a compliant and secure manner.
ix. Security: Data controllers must implement appropriate technical and organizational measures to protect personal
data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
x. Data subject rights: Data subjects have the right to access, rectify, erase, or restrict the processing of their
personal data, as well as the right to data portability and the right to object to the processing of their personal data.
xi. Data breaches: Data controllers must notify the relevant authorities and data subjects in the event of a personal data breach.
xii. International data transfers: Personal data must not be transferred to countries or territories outside of Nigeria
unless appropriate safeguards are in place.
xiii. Third-party processors: Data controllers must enter into written agreements with third-party processors to ensure
compliance with the NDPR.
xiv. Appointment of a Data Protection Officer (DPO): Data controllers must appoint a DPO to ensure compliance with the NDPR.
N.B: Please note that this list may not be exhaustive and that the NDPR may be subject to change.
IV. Write a user story that follows the principle of Data minimization
As a user, I want to only provide the minimal amount of personal data necessary when creating a new account,
so that my privacy is protected.
When creating a new account, the system should only ask for the essential information needed to set up my account,
such as my name, email address, and password. Optional information, such as my address or phone number, should not be required.
As I interact with the system, I want to be able to control what personal data is shared and for what purpose.
This will allow me to make informed decisions about my data and ensure that my privacy is respected.
In the event that additional information is required for certain features or services, I want to be clearly
informed of the reasons for collecting this data and have the option to decline.
The system should also have measures in place to ensure that any personal data collected is accurate, up to
date and deleted or anonymized after it is no longer needed.
Overall, this user story is in line with the principle of Data Minimization, which is one of the core principles
of data protection which states that personal data should be adequate, relevant, and limited to what is necessary
for the purposes for which it is processed.
This helps to ensure that data controllers only collect the minimum amount of personal data necessary to achieve their
purposes and that the data is not kept for longer than necessary.
V. Write 10 differences btw GDPR and Isah Pantami's data protection principles
i. Jurisdiction: GDPR applies to the European Union (EU) and European Economic Area (EEA) while NDPR applies to Nigeria.
ii. Enforceability: GDPR is enforceable by the European Data Protection Board (EDPB) while NDPR is enforceable by the
National Information Technology Development Agency (NITDA) and other relevant authorities in Nigeria.
iii. Scope: GDPR applies to any company or organization that processes personal data of EU or EEA residents,
regardless of where the company or organization is based, while NDPR applies to companies or organizations
that process personal data of Nigerian residents.
iv. Penalties: GDPR provides for penalties of up to 4% of a company's annual worldwide turnover or €20 million
(whichever is greater) for non-compliance, while NDPR provides for penalties of up to NGN 10 million (approximately $27,000)
for non-compliance.
v. Data subjects' rights: GDPR provides data subjects with a right to be forgotten and a right to data portability
while NDPR only provides data subjects with the right to access, rectify, erase or restrict the processing of
their personal data
vi. Data breaches: GDPR requires data controllers to report data breaches to the relevant supervisory authority within
72 hours of becoming aware of the breach, while NDPR requires data controllers to notify the relevant authorities and
data subjects of data breaches.
vii. Data protection officer: GDPR requires certain organizations to appoint a data protection officer (DPO) while
NDPR only requires certain organizations to appoint a DPO if the organization processes personal data on a large
scale or processes sensitive personal data.
viii. International data transfer: GDPR requires data controllers to obtain specific authorizations for international
data transfers while NDPR only requires data controllers to ensure that appropriate safeguards are in place before
transferring personal data out of Nigeria.
iv. Definition of personal data: GDPR includes genetic and biometric data as personal data while NDPR does not.
v. GDPR has a more detailed and prescriptive approach on data protection while NDPR is less prescriptive and leaves
more room for flexibility.
b. Draw the model for your project (Jack Warehouse Inventory)
-
a. (Jack Warehouse Inventory) On a daily basis 5 10-ton trucks, 3 5-ton trucks and 2 2.75-ton truck
b. audit the entry and exit of 5 10-ton trucks, 3 10-ton trucks, 2.5 10-ton trucks using a random algorithm
In order to audit the entry and exit of the trucks, a random algorithm can be implemented this way: i. The algorithm can be set to randomly select a certain number of the 5 10-ton trucks, 3 5-ton trucks, and 2 2.75-ton trucks to be checked for accuracy. ii. The algorithm can be designed to randomly select a specific number of trucks, such as every 10th truck, every 5th truck, or every 20th truck irrespective of their carrying capacity. This ensures that all trucks are being tracked and accounted for, while also providing a level of randomness to the process to prevent any potential bias. iii. The selected trucks can then be checked for accuracy by verifying the entry and exit time, comparing it to the expected time, and ensuring that all shipments are accounted for. iv. Any discrepancies or issues found during the audit can be reported and addressed accordingly. v. The algorithm can be reviewed and modified as needed to ensure that the audit process is effective and efficient.