Learn Privacy

Know Your Privacy Obligations

Want to check which privacy laws apply to you

Take Privacy Quiz

Check out our quick privacy quiz

Why (DBoM) Data Bill of Materials

The Data Bill of Materials (DBoM) records the ownership, sharing history, storage and collection purpose of a unit of data.

Blogs

Get latest information on data security,
data protection, and data privacy.

Events

Meet us in person or virtually in
upcoming events!

News

Be the first to catch our latest news,
happenings and more.

Follow Us

Products

Privacy Automation

TurtleShield PA (Privacy Automation) automates and streamline privacy-related processes and tasks.

Data Inventory

TurtleShield DI (Data Inventory) automates data asset inventory and performs realistic data mapping.

Privacy Intelligence

TurtleShield PI (Privacy Intelligence) applies the unique oil drilling-like approach to data discovery across the entire data footprint and not just a subset of data.

Data Minimization

TurtleShield DM (Data Minimization) helps you reduce the data and focus on enterprise-centric data.

Assured Deletion

With TurtleShield AD (Assured Deletion) businesses are empowered to comply with mandatory deletion of personal data.

Consent Management

TurtleShield CM (Consent management) is the process of obtaining, tracking, and managing individuals' consent for the collection and processing of their personal data.

Responsible AI

TurtleShield RA (Responsible AI) enables organizations to assess AI risk for internal applications and Third Party softwares utilizing AI.

Training and Awareness

TurtleShield TA (Training and Awareness) provides modern & engaging awareness solutions focused on effective privacy implementations that reach the last mile in your organization.

Solutions
Build Consumer Trust

Responsibility to protect customer data, opportunity to build brand value

Robust Enterprise Security

Implement a data-centric security approach which is aligned to your business-critical data.
Case Study / Use Cases

Fintech/BFSI

E-Commerce

Insurance

Banking

Data Protection (UK)

Heathcare Use Case

Edutech Use Case

TMT Use Case
Privacy Profit Center

Transform privacy from cost center to profit center

Data Minimization

Minimize data, and reduce business risk with data minimization

Industry

Fintech/BFSI

Privacy and meaningful data centric security for your Fintech/BFSI

Healthcare

Importance of data privacy in healthcare organizations

E-commerce

Safeguarding data privacy in E-commerce Industry

Insurance

Navigating data privacy regulations in the Insurance Industry

Edutech

Data protection in EduTech Industry is the need of the hour

Technology, Media &
Telecommunications (TMT)

The importance of data privacy in the TMT Industry

Compliance
Privacy

Data privacy compliance

India (DPDPA)

USA - United States (UCPA)

Europe (GDPR)

Australia - Privacy Act

Bahrain - (PDPL)

Brazil - (LGPD)

Angola - (PDPL)

Ukraine - (PDP)

California - (CCPA)

China - (PIPL)

Colorado - (CPA)

Connecticut - (CTDPA)

Ghana - (DPA)

Irish - (DPA)

Kenya - (DPA)

UK - (DPA)

Russia Fedral Law

Nigeria - (DPA)

Honkong - (PDPO)

Indonesia - (PDP)

Japan - (APPI)

Kuwait - (DPPR)

Malaysia - (PDPA)

Oman - (PDPL)

Philippines - (DPA)

New Zealand Privacy Act

Qatar - (PDPP)

Saudi Arabia - (PDPL)

Singapore - (PDPA)

South Africa - (POPIA)

South Korea - (PIPA)

Srilanka - (PDPA)

Thialand - (PDPA)

Uganda - (DPPA)

Virginia - (CDPA)
Security

Data security compliance

Cyber Security - IRDAI

Reserve Bank - RBI
Sectoral

Sectoral compliance

COPPA

FERPA

HIPAA

Telecom TRAI
Company

About us

Ardent is on a mission to help enterprises implement meaningful security and privacy programs aligned to their business mission; building trust, and protecting data assets.

Pricing

Get pricing aligned to your business needs. Stay data protected with best plans tailored to your needs.

Contact us

Contact us to know more about how Ardent can help you implement a robust privacy program.

Nigeria Data Protection Regulation (NDPR)

Nigeria Data protection Regulation (NDPR)

In 2019, pursuant to its powers under the NITDA Act of 2007, the National Information Technology Development Agency (NITDA) issued the Nigeria Data protection Regulation (NDPR). It is the principal regulation for data protection in Nigeria. In 2020, NITDA also issued an Implementation Framework in respect of the NDPR and also Guidelines for the Management of Personal Data by Public Institutions in Nigeria to regulate personal data processing within public institutions.

Key Obligation and Consequences

Applicability

This regulation is applicable in following cases:

Applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.
Applies to all transactions intended for the processing of Personal Data, to the processing of Personal Data.

Consent Requirement

Following are the consent required by this regulation

No data shall be obtained except the specific purpose of collection is made known to the data subject.
A data controller is under obligation to ensure that consent of a data subject has been obtained without fraud, coercion or undue influence.
No consent shall be sought, given or accepted in any circumstance that may give rise to direct or indirect propagation of atrocities, hate, child rights violation, criminal acts and anti-social conducts.
Data subjects must be informed of their rights to withdraw consent. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent given before its withdrawal.
Consent must be sought from the data subject before personal data is transferred to a third party for any reason whatsoever.

Data Security

The regulation provides that anyone involved in data processing or the control of data shall develop adequate security measures to protect data; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.

Key Challenges in brief:

Data Protection Impact assessment (DPIA)

DPIAs are used where the processing of data is likely to result in a high risk to the data subjects.22 It is usually prepared by a DPCO for a data controller in order to identify and minimize the likely risks of processing data. Even though, unlike the EU GDPR, it is not mandatory, it is highly recommended.

Data Breach Notification

According to the NDPR, where a data breach is reported and the data controller is found guilty, they are liable to a payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of N2,000,000 (whichever is greater) where the data controller deals with less than 10,000 data subject. On the other hand, where it is a controller of more than 10,000 data subjects, they are liable to a fine of 2% of the annual gross revenue of the preceding year or a payment of the sum of N10,000,000 (whichever is greater). Report must be made within 72 hours from time of knowledge of the breach.

Cross Border Data Transfer

In the absence of any directives by the agency or Attorney General of the Federation, the data controllers may proceed to transfer data subject’s personal data on either of the following instances.

The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers.
The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
The transfer is necessary for important reasons of public interest.
The transfer is necessary for the establishment, exercise or defence of legal.
The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

Fulfillment of Data Subject Rights

The NITDA Regulation provide elaborately for the rights of the Data Subject and these rights include the minimum requirements for processing personal data, right of the Data Subject to be informed of appropriate safeguards for data protection, rights of the Data Subject to request deletion of personal data in appropriate cases and reiteration of the protection of fundamental rights as afforded by the constitution of the Federal Republic of Nigeria.

Solutions

Data discovery, inventory and mapping

Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing)

Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization

TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion

With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality

Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.

Key Obligations & Consequences

Applicability: The personal data protection law applies to.

The processing of personal data carried out by any person in the public sector, the private sector or the cooperative sector, namely, when the data controller is based in Angola.
The "data controller" is the entity that determines the purpose and means of the processing of personal data. "Personal data" is any information relating to an identified natural person or identification, such as name, address, telephone number, etc.

Collection and Processing:

In general terms, personal data collection and processing of personal data is subject to express and prior consent from the data subject and prior notification to the DPA. However, data subject consent is not required in certain circumstances provided by law.

With respect to sensitive data processing, collection and processing is only allowed where there is a legal provision allowing such processing or prior authorization from the DPA is obtained (please note that the authorization may only be granted in specific cases provided by law). If the sensitive personal data processing results from a legal provision, the same shall be notified to DPA.

There are specific rules applicable to the processing of personal data relating to:

Sensitive data on health and sexual life.
Illicit activities, crimes and administrative offenses.
Solvency and credit data.
Video surveillance and other electronic means of control
Advertising by email
Advertising by electronic means (direct marketing)
Call recording.

Specific rules for the processing of personal data within the public sector also apply.

The data subject shall be provided with.
The identity and address of the controller.
The purposes of the processing and of the creation of a file for such purposes.
The recipients or categories of personal data recipients.
The conditions under which the right of access, rectification, deletion, opposition and updating may be exercised.
The consequences of the collection of personal data without consent of the data subject.

Data Security:

The data controller must implement appropriate technical and organizational measures and to adopt adequate security levels in order to protect personal data against accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.

Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected. Specific security measures shall be adopted regarding certain types of personal data and purposes (notably, sensitive data, call recording and video surveillance).

Key Challenges in brief:

Data Breach Notification

Companies offering electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.

Cross Border Data Transfer

International transfers of personal data to countries with an adequate level of protection require prior notification to the DPA. An adequate level of protection is understood as a level of protection equal to the Angolan Data Protection Law. DPA decides which countries ensure an adequate level of protection by issuing an opinion to this respect.

International transfers of personal data to countries which do not ensure an adequate level of protection are subject to prior authorization from the DPA which will only be granted in case specific requirements are fulfilled. In case of transfers between the companies of the same group, the requirement of an adequate level of protection may be reached through the adoption of harmonized and mandatory internal rules on data protection and privacy.

Fulfillment of Data Subject Rights

Data subjects have the right to access, object to, rectify, update and delete their personal data.

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence) discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments.
TurtleShield DI (Data Inventory) enables organizations to inventory & map their entire “Data footprint”, enabling them to protect what matters the most.

Third party Privacy Intelligence (monitors third party sharing): Often there are silos within entities or business and IT teams and it is challenging to get a full picture of data going outside organization and which is coming into organization, especially when data is shared with third parties, vendors, business partners and much more. Our TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing”, to facilitate you to take action on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to data minimization principle. This is data hygiene control and we are approaching it from a risk reduction and compliance perspective. We scan large data sets to scan for excess data using Machine Learning and find out excess data including personal data. This can eliminate operational inefficiencies and save cost by removing the unwanted data and legal cost of having it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with Assured Deletion: With TurtleShield RTBF (Right to Be Forgotten) provides the businesses the capabilities to comply with mandatory deletion of personal data by providing the capabilities to delete the data on request along with the validation of the deletion.

Enable Data subject rights with cost savings and compliance in totality: Search capability in large datasets to fulfill data subject requests in totality and at rapid space. Assumption that data only exists in databases and nowhere else is often not reality as customer data exists in many sources. Using Machine learning and AI we crawl across data sources and predict where PII can exist.