logo
About Us
Our Projects
Resources
Join Our Community
Data
Policy

1. Introduction

TASCK is committed to protecting the personal data of its clients, employees, partners, and all other stakeholders. This Data Privacy Policy and Framework outlines our compliance with the Nigerian Data Protection Act (NDPA) 2023, the Nigeria Data Protection Regulation (NDPR) 2019, and other applicable laws. The policy ensures transparency, accountability, and security in handling personal data.

2. Scope

This policy applies to all data collected, processed, stored, and shared by TASCK in any format (electronic or paper) and covers all employees, contractors, vendors, and third-party service providers who interact with personal data.

3. Principles of Data Protection

TASCK adheres to the following data protection principles:
  • Lawfulness, Fairness, and Transparency: Data is collected and processed legally and transparently.
  • Purpose Limitation: Data is used for specified and legitimate purposes only.
  • Data Minimization: Only necessary data is collected
  • Accuracy: Data is kept accurate and up to date
  • Storage Limitation: Data is retained for only as long as required.
  • Integrity and Confidentiality: Data is processed securely to prevent unauthorized access.

4. Legal Basis for Processing Personal Data

TASCK collects and processes personal data based on the following lawful grounds:
  • Consent from the data subject.
  • Contractual necessity.
  • Compliance with legal obligations.
  • Legitimate business interests.
  • Protection of vital interests.

5. Data Subject Rights

TASCK respects the rights of data subjects, including:
  • Right to access personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (‘Right to be forgotten’).
  • Right to restrict processing.
  • Right to data portability.
  • Right to object to processing.
  • Right to lodge complaints with the Nigerian Data Protection Commission (NDPC).

6. Data Collection, Processing, and Storage

  • Personal data shall be collected only for specific, explicit, and lawful purposes.
  • Data shall be stored securely and protected against unauthorized access, alteration, or loss.
  • Processing activities must comply with NDPA, NDPR, and international best practices.

7. Third-Party Data Sharing and Cross-Border Transfers

  • Data sharing is only allowed under contractual agreements ensuring compliance with NDPA and NDPR..
  • Cross-border transfers shall be conducted in accordance with Nigerian data protection laws and applicable international frameworks (e.g., GDPR adequacy standards)

8. Data Security Measures

TASCK adopts stringent security measures to safeguard data, including:
  • Encryption and pseudonymization of sensitive data.
  • Implementation of access control and authentication mechanisms.
  • Regular security audits and vulnerability assessments.
  • Employee training on data privacy and security best practices.

9. Data Breach Response Plan

In case of a data breach, TASCK shall
  • Identify and contain the breach immediately.
  • Assess the risk and impact of the breach.
  • Notify the affected parties and the Nigerian Data Protection Commission (NDPC) within the legally required timeframe.
  • Mitigate and implement corrective actions to prevent future breaches.
  • Document all findings and report to relevant stakeholders.

10. Compliance, Monitoring, and Enforcement

TASCK is committed to ensuring continuous compliance with data protection regulations through structured monitoring and enforcement mechanisms. The following breakdown details the execution steps:

  1. Appointment of a Data Protection Officer (DPO)

    • Designate a DPO responsible for overseeing compliance, monitoring data processing activities, and serving as a point of contact for regulators.
    • Ensure the DPO undergoes continuous training in data protection laws and practices.

  2. Internal Compliance Audits

    • Conduct periodic audits (quarterly or bi-annually) to assess compliance with NDPA, NDPR, and global standards.
    • Document audit findings and implement corrective measures for identified gaps.

  3. Steps for Conducting Internal Audits:

    • Audit Planning & Scope Definition

      • Define the audit objectives, scope, and key risk areas.
      • Determine which departments, data processes, and systems will be reviewed.
      • Identify the audit team, including internal compliance officers and external experts if needed.

    • Data Mapping & Inventory Review

      • Examine all personal data processing activities, data flows, and storage locations.
      • Verify whether data is being processed in line with documented policies and legal requirements.

    • Policy & Compliance Check

      • Assess compliance with NDPA, NDPR, GDPR (if applicable) and internal data privacy policies.
      • Review data protection impact assessments (DPIAs) conducted on high-risk processing activities.
      • Ensure that data retention policies align with regulatory requirements.

    • Security & Access Control Review

      • Evaluate physical and digital security measures, including encryption, access controls, and authentication.
      • Check for vulnerabilities in IT systems, third-party integrations, and cloud storage solutions.
      • Assess compliance with cybersecurity best practices.

    • Third-Party Vendor Assessment

      • Review contracts and agreements with external vendors handling personal data.
      • Verify if vendors comply with TASCK’s data protection standards and regulatory requirements.
      • Ensure data processing agreements (DPAs) are in place for all third-party relationships.

    • Employee Compliance & Awareness Check

      • Assess employee awareness and training effectiveness regarding data protection obligations.
      • Conduct spot checks or employee interviews to ensure adherence to policies.

    • Incident & Breach Handling Review

      • Evaluate previous incidents, responses, and lessons learned from data breaches or policy violations.
      • Ensure proper reporting mechanisms exist for suspected data breaches.
      • Verify that all incidents are documented and addressed according to policy.

    • Audit Report & Corrective Actions

      • Compile findings into a detailed audit report, highlighting compliance gaps and risks.
      • Provide recommendations for improvements, including timelines for remediation.
      • Assign corrective actions to relevant teams and monitor implementation progress..

    • Follow-up & Continuous Monitoring

      • Schedule follow-up audits to assess the effectiveness of corrective actions.
      • Implement automated tools for real-time monitoring of data protection compliance.
      • Update policies and procedures based on audit findings and regulatory changes.

  4. Data Protection Impact Assessments (DPIA)

    • Evaluate high-risk data processing activities to mitigate potential privacy risks.
    • Update risk mitigation strategies based on DPIA findings.

  5. Employee Training and Awareness Programs

    • Implement ongoing training sessions for employees on data protection policies and best practices.
    • Introduce role-based training to ensure each department understands its data protection responsibilities.

11. Execution Steps for Compliance

  1. Policy Implementation: Conduct training for employees and stakeholders.
  2. Data Mapping: Identify and document all personal data processing activities.
  3. Risk Assessment: Conduct a Data Protection Impact Assessment (DPIA) for high-risk data processing.
  4. Legal and Contractual Review: Update agreements with third parties to ensure compliance.
  5. Security Enhancement: Implement advanced security controls.
  6. Monitoring and Reporting: Establish a compliance reporting structure.

12. Review and Updates

This policy shall be reviewed periodically to align with regulatory changes and emerging best practices.

13. Contact Information

For questions or concerns regarding this policy, contact the Data Protection Officer at TASCK (dev@tasck.org).