Module 1: Introduction to Data Protection
1. Understanding Personal Data and Privacy
Personal Data:
Personal data refers to any information that relates to an identified or
identifiable individual. This includes, but is not limited to:
● Names, email addresses, phone numbers
● IP addresses and device identifiers
● Biometric data (e.g., fingerprints, facial recognition)
● Financial and health information
● Location data
Privacy:
Privacy is the right of individuals to control how their personal information
is collected, used, stored, and shared. In the context of data protection,
privacy is about:
● Informational self-determination
● Transparency in data usage
● Protection against misuse or unauthorized access
Importance of Data Protection:
With the increasing digitalization of services and the vast amounts of
data collected daily, ensuring data privacy and protection is critical for:
● Safeguarding individual rights
● Building consumer trust
● Preventing data breaches and cybercrime
● Ensuring legal compliance
Global Trends in Data Protection and Why It Matters
Key Global Trends:
Expansion of Privacy Laws: Many countries have introduced or updated
their data protection regulations to align with global standards (e.g.,
Brazil's LGPD, India's Digital Personal Data Protection Act, 2023, etc.).
Data Localization: Some countries now require data about their citizens to
be stored within national borders.
Cross-Border Data Transfer Regulations: Increased scrutiny of how data is
transferred between countries, especially between the EU and the US (the
CJEU's 2020 Schrems II ruling invalidated the EU-US Privacy Shield, which
was replaced by the EU-US Data Privacy Framework in 2023).
Enforcement and Penalties: Regulators are becoming more aggressive in
enforcing data protection laws, with large fines for non-compliance.
Public Awareness and Demand for Transparency: Consumers are more
informed about their privacy rights and expect greater accountability from
organizations.
Why Data Protection Matters:
● Protects fundamental human rights and freedoms
● Mitigates risks of identity theft and data misuse
● Enhances organizational reputation and trust
● Ensures compliance and avoids hefty penalties
● Encourages ethical data handling practices
Overview of Key Privacy Frameworks
a. General Data Protection Regulation (GDPR) – European Union
● Came into effect: May 25, 2018
● Applies to: Organizations established in the EU, and organizations outside
the EU that offer goods or services to, or monitor the behaviour of, individuals
in the EU (Article 3). It protects data subjects located in the EU, not only
EU citizens.
● Key principles: Lawfulness, fairness, transparency, purpose limitation, data
minimization, accuracy, storage limitation, integrity, and confidentiality
● Individual rights: Right to access, rectification, erasure (right to be forgotten),
restriction, data portability, and objection
● Enforcement: Severe fines – up to €20 million or 4% of global annual turnover,
whichever is higher
b. Nigeria Data Protection Regulation (NDPR) – Nigeria
● Came into effect: January 25, 2019
● Applies to: All Nigerian citizens and residents, and entities that process
such data
● Key principles: Similar to GDPR, with added local context
● Rights: Access, rectification, erasure, data portability, etc.
● Enforcement: Originally led by NITDA (National Information Technology
Development Agency); since the Nigeria Data Protection Act 2023, the
Nigeria Data Protection Commission (NDPC) is the regulator
c. California Consumer Privacy Act (CCPA) – United States
● Came into effect: January 1, 2020 (amended and expanded by the California
Privacy Rights Act (CPRA), effective January 1, 2023)
● Applies to: For-profit businesses that do business in California and meet
certain thresholds (e.g., annual revenue, volume of consumers' personal
information processed, or share of revenue from selling personal information)
● Rights: Right to know, delete, opt out of the sale (and, under CPRA, sharing)
of personal information, and non-discrimination for exercising these rights;
CPRA added rights to correct and to limit use of sensitive personal information
● Enforcement: California Attorney General and the California Privacy
Protection Agency (CPPA)
Key Differences and Similarities Between GDPR and NDPR
Similarities:
● Emphasis on consent and transparency
● Recognition of data subjects' rights
● Mandate for Data Protection Officers (DPOs) under certain
conditions
● Requirement for data breach notifications
Conclusion
Understanding data protection is critical in today’s data-driven
world. With personal information becoming a valuable asset,
ensuring its protection through robust legal and ethical
frameworks is not just a regulatory necessity, but a business
imperative. Frameworks like GDPR, NDPR, and CCPA set the
stage for responsible data practices globally, emphasizing the
need for transparency, accountability, and respect for privacy
rights.
Module 2: Deep Dive into GDPR
1. Historical Context and Legal Basis
Historical Context:
● The GDPR (General Data Protection Regulation) replaced the Data
Protection Directive 95/46/EC; it was adopted in 2016 and became
applicable on May 25, 2018.
● It was designed to harmonize data protection laws across EU
member states, strengthen individual privacy rights, and address
modern data processing challenges in the digital era.
● Motivated by growing concerns over digital privacy, data misuse,
and inconsistent protection across the EU.
Legal Basis:
● Rooted in Article 8 of the Charter of Fundamental Rights
of the European Union, which guarantees the right to
personal data protection, and enacted under Article 16 of
the Treaty on the Functioning of the European Union (TFEU).
● GDPR is a regulation, not a directive—meaning it is
directly applicable in all EU member states without
requiring transposition into national law (member states
may still pass supplementary laws where the Regulation
leaves them room to do so).
2. Key Definitions
● Data Subject: The individual whose personal data is being
processed.
● Personal Data: Any information related to an identified or identifiable
natural person.
● Processing: Any operation on personal data (collection, storage,
use, erasure, etc.).
● Data Controller: The person or organization that determines the
purposes and means of processing personal data.
● Data Processor: The person or organization that processes data on
behalf of the controller.
● Supervisory Authority: Independent public authority responsible for
monitoring GDPR compliance (e.g., CNIL in France, the Data Protection
Commission in Ireland; since Brexit, the UK's ICO enforces the UK GDPR
rather than the EU GDPR).
● Consent: Freely given, specific, informed, and unambiguous indication
of the data subject's wishes.
3. Principles of Data Processing Under GDPR
Outlined in Article 5, the GDPR sets out seven core principles:
1. Lawfulness, Fairness, and Transparency
2. Purpose Limitation – Data collected for specified, explicit purposes must not be further processed in a way incompatible with those purposes.
3. Data Minimization – Only data necessary for the purpose should be collected.
4. Accuracy – Data must be accurate and kept up to date.
5. Storage Limitation – Data should not be kept longer than necessary.
6. Integrity and Confidentiality – Data must be secured against unauthorized access.
7. Accountability – The controller is responsible for demonstrating compliance.
4. Lawful Bases for Processing Personal Data (Article 6)
GDPR identifies six lawful bases for data processing:
1. Consent
2. Contract – Necessary for performance of a contract
3. Legal Obligation – Required by law
4. Vital Interests – To protect someone’s life
5. Public Task – Official authority or public interest
6. Legitimate Interests – For the controller’s interests, unless overridden by the data subject’s
rights
5. Data Subject Rights (Articles 12–23)
GDPR grants the following eight rights to data subjects:
1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure (right to be forgotten)
5. Right to restrict processing
6. Right to data portability
7. Right to object
8. Rights related to automated decision-making and profiling
6. Roles and Responsibilities
Data Protection Officer (DPO):
● Required for public authorities, and for organizations whose core
activities involve large-scale regular and systematic monitoring of
individuals or large-scale processing of special categories of data
(Article 37).
● Must act independently and report to the highest
management level.
● Responsible for monitoring compliance, training, and
cooperation with supervisory authorities.
Data Controller:
● Decides why and how data is processed.
● Ensures compliance with GDPR principles.
● Must establish contracts with processors.
Data Processor:
● Processes data on behalf of the controller.
● Must follow controller’s instructions and ensure
security.
● Must notify the controller without undue delay after becoming aware
of a personal data breach.
7. Data Breach Response and Reporting
Definition of a Data Breach:
A security incident that leads to the accidental
or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to
personal data.
Obligations:
● Notification to Supervisory Authority: Within 72 hours of
becoming aware, unless the breach is unlikely to result in a risk to
the rights and freedoms of individuals; a late notification must
explain the delay.
● Notification to Data Subject: Without undue delay, if the breach
is likely to result in a high risk to their rights and freedoms.
● Maintain a data breach register even if notification is not
required.
8. International Data Transfers and Adequacy Decisions
Transfers Outside the EU/EEA:
● Only allowed under strict conditions to ensure protection of personal data.
Mechanisms for Transfer:
● Adequacy Decisions: Recognizes a third country as having
adequate protection (e.g., Japan, Switzerland, the United Kingdom, and
US organizations certified under the EU-US Data Privacy Framework).
● Standard Contractual Clauses (SCCs)
● Binding Corporate Rules (BCRs)
● Derogations for specific situations (e.g., explicit consent)
9. Fines, Penalties, and Enforcement
Two Tiers of Administrative Fines:
Tier 1: Up to €10 million or 2% of global annual turnover (whichever
is higher)
For violations such as failure to notify breaches, maintain records,
or ensure security.
Tier 2: Up to €20 million or 4% of global annual turnover (whichever
is higher)
For severe violations such as breach of the basic processing principles
(including the conditions for valid consent), breach of data subject rights,
or unlawful international transfers.
Enforcement:
● Each EU member state has one or more Supervisory Authorities
(SAs) to enforce GDPR, coordinated at EU level through the
European Data Protection Board (EDPB).
● SAs can conduct investigations, issue warnings,
impose fines, and restrict processing.
Conclusion
The GDPR has become the global benchmark for data protection. Its
comprehensive approach emphasizes transparency, individual control,
accountability, and security. Understanding its structure—from principles to
penalties—is essential for any organization handling personal data within or
beyond the EU.