Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
January 27, 2020

World Privacy Day

Manage Your Privacy, Safeguard Your Personal Data

Data Privacy Day is observed worldwide each year on January 28 to raise awareness around technology and privacy rights, including best practices for safeguarding personal information.

“As we continually share more data on our connected devices, businesses are collecting and using this personal information more than ever before. Just think about everything we do online – from healthcare and banking transactions to posting family vacation photos to pinpointing our location at any given time. Data Privacy Day provides an opportunity for everyone to encourage organizations to improve data privacy practices and inform consumers about the number of ways their information is being used. In short, privacy is good for business. If companies protect data and respect privacy, they will earn the trust of their customers. It is however, up to all of us to learn about and practice simple steps to help protect our personal information.” Kelvin Coleman, NCSA’s Executive Director

What does privacy mean?

Well, it depends on whom you ask. Broadly speaking, privacy is the right to be let alone, or freedom from interference or intrusion. Data privacy is the right to have some control over how your personal information is collected and used.

Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways.

The advent of the Internet has ushered in new conveniences, increased opportunities and added diverse means to share, connect, socialize, shop and more. The integration of the Internet into almost every aspect of our lives has fundamentally redefined the way we operate. In our digitally connected world, many people lack the knowledge and instincts necessary to keep themselves safe and secure online. Use of smart devices are now the norm at homes, schools and workplaces. Unfortunately, we are not introduced to the threats we face while using these devices online.

In our modern times, most of us rely heavily on the internet for our work, commerce, entertainment, information, communications, and social networking. While our time spent on the Internet has, and continues to increase, the challenge to protect our online privacy and personal information also escalates. Privacy is an important but elusive objective, and it is difficult to manage the amount of information about ourselves that exists on the web. If you didn’t realize just how much of your data the Internet collects then you’re not alone[SI2] . There has been extensive research conducted regarding consumer awareness of the online data collected about them, revealing significant misconceptions about data and privacy protections.

Privacy and data protection have been a matter of concern to many online users. Personal information provides value to organizations; government departments or agencies, enterprises and their customers. However, its collection raises privacy concerns. Concerns arise over how a person’s details are collected, processed, stored and even the possibility of disclosure to a third party without their consent. Personal privacy is therefore concerned with the loss of privacy and the need for protection against unwarranted communication and use of personal information. Privacy is also a human right and therefore anything untoward that happens to it is an interference to the individual’s right to privacy.

Social media is used to share information with friends and family. However, the more information you share about yourself, the more a cybercriminal can learn about you and more effectively target you, either directly through hacking or indirectly through social engineering to leverage on your information to build a personalized attack, which tends to be more effective than a generic one.

The concept of privacy varies widely among countries, cultures and jurisdictions. It is shaped by public expectations and legal interpretations; as such, a concise definition is elusive if not impossible. Privacy rights or obligations are related to the collection, use, disclosure, storage and destruction of personal data. At the end of the day, privacy is about the accountability of organizations to people about whom they collect data, as well as the transparency to an organization’s practice around personal information. When users post personal information, they have the option to control who can see the posted content. However, their privacy is violated when unauthorized parties collect their personal data or information and use it without their explicit consent.

In our world today, nearly everyone’s computer has anti-virus software and quite some few people have basic understanding of Internet threats. Unfortunately, that same diligence and protection is lacking on social media channels, the foundation of most people’s identity online. This lack of security has made social media the target of cybercriminals and subsequently subject to massive data breaches, exposing valuable personal information. Since these digital channels are outside our protection perimeters, we can’t rely on traditional security methods or IT teams to provide the basic needed security – it is incumbent upon each of us to take ownership of protecting our digital identity.

Author: Emmanuel K. Gadasu (CEH, CHFI, Data Privacy Protection Supervisor, MSc Information Security [ongoing]) – (Curriculum Development Division, Institute of ICT Professionals, Ghana)

For comments, contact author ekgadasu@gmail.com

Published in the Business and Financial Times – Ghana (B&FT) on 27th January 2020 and on Institute of ICT Professionals Ghana (IIPGH)’s website.

Manage Your Privacy, Safeguard Your Personal Data

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
January 28, 2020

Data Privacy Day, which lands annually on January 28, is “an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust”.

An individual can only enjoy privacy when the individual is aware of who has access to her data, the reason for which the data was collected, how long the data shall be stored, which people have access to the data among others.

Privacy is your right and you must do everything to safeguard it.

Personal Data is information relating to natural persons who:

(1)can be identified or who are identifiable, directly from the information in question; or

(2)who can be indirectly identified from that information in combination with other information.

Examples of personal data includes: name, phone number, email address, identification name,identification number, location data, an online identifier and so many more.

The person about whom data is collected is called the Data Subject.

The person or institution that collects data about another individual is called the Data Controller.

Due to the devastating impact breach of privacy has on the individual, countries have put in laws and regulations to protect the privacy of its citizens.

In Ghana, the Act 843 was enacted to give protection to people. THe act specifies the obligations of the Data Controller and rights to the Data Subject.

Act 843 (17) Privacy of the individual

A person who processes data shall take into account the privacy of the

individual by applying the following principles:

(a) accountability,

(b) lawfulness of processing,

(c) specification of purpose,

(d) compatibility of further processing with purpose of collection,

(e) quality of information,

(f) openness,

(g) data security safeguards, and

(h) data subject participation.

Act 843 (18)Processing of personal data

(1) A person who processes personal data shall ensure that the personal data is processed

(a) without infringing the privacy rights of the data subject;

(b) in a lawful manner; and

(c) in a reasonable manner.

Below are some of the rights of the Data Subject as enshrined in Act 843

1. Right of access to personal data Act 843 (35)
2. Exemption related to religious or philosophical beliefs of data subject Act 843 (38)
3. Right to prevent processing of personal data Act 843 (39)
4. Right to prevent procession of personal data for direct marketing Act 843 (40)
5. Rights in relation to automated decision-taking Act 843 (41)
6. Rights in relation to exempt manual data Act 843 (42)

Education and awareness is key to ensure everyone stays safe and enjoy their privacy

Connect with me to keep sharing vital tips on data protection and privacy

Facebook: https://web.facebook.com/emmanuel.gadasu

Twitter: @wahehejnr

Instagram: https://instagram.com/emmanuelgadasu

LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/

Phone: +233 243913077

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
January 18, 2021

I have a training session tomorrow and my team and I have quite a few final touches to complete. We have scheduled to work through to midnight in order to ensure everything works. However, I have to spend some time to write this piece because duty calls on me to do so to highlight the alarming rate of useless graduates all over the place.

Let me tell you a little about my teaching experience so that you can appreciate what I am going to talk about. I have taught before and I continue to teach and train at different levels. I taught after completing the then Senior Secondary School (SSS) for six (6) months. After my first degree, I did my National Service at the then Students Records and Management Information System (SRMIS) at the University of Cape Coast. During my National Service, I was a Teaching Assistant to the then HoD of the Computer Science and IT Department. Even though that was not my official duty as a National Service Personnel, I handled a full course of more than 100 students. During this same period, I taught a course at the then Distance Education Center at Ho Campus (stationed at Ho Polyethnic). After my National Service, I taught at IPMC from 2009-2013 as a full-time job. During this period, I started teaching professional course at a Rhythex Consulting firm from 2011 till. For that past two years, I have also been teaching a module at GIMPA in Forensic Psychology Certificate course. My students come from the banks, insurance companies, and telcos, across the West African subregion and across the world. I love teaching because I get to learn more from the students that I give (in my point of view). And secondly, teaching puts me on my toes to update myself. I have seen military men, medical doctors, bankers, PhD holders and some professors in my class. There is no way I will never prepare again and again before standing before students, participants, etc. to teach.

I work with both international companies and local ones. I have consulted for some multinational companies, government, and small businesses. I am also an IT Entrepreneur and I have hired and fired and will continue to do that. I share my little experience with you from both sides.

Now why all these? Just to give you the assurance that what you are about to read is a real life experience I have had without any scientific research and I am speaking nothing but the truth.

Well, let us delve into my issue of concern. Graduates keep on complaining there are no jobs. Very annoying is the number of years of experience employers seek from new graduates. Yes, I have complained about the requirement of the number of years of experience. I asked myself who should train them to get the years of experience you demand? Until I started hiring, I did not know the value of experience.

What actually triggered this writeup is that: I am consulting for a company on a an international project. I am the Assistant Database Manager. Together with my team at my IT Company, we developed a mobile and a web application for the implementation of the project. Phase one was done successfully and we going to roll out the phase two. Ten (10) persons are needed to be stationed at designated offices in Accra and Tamale. As a requirement, these persons are to be females to balance the gender. Although it was a closed invitation to apply, it was a fair process.

The interviewer decided not to rely on the CVs/resumes of the applicants but rather to test their practical experience on the job. This is the job. Sit in the office. Registered customers will come to you. You search their names in a database. Verify their details and update them where necessary. Print a copy for them. It is this simple. The interviewer had two graduates from two top universities Ghana who could not use word to create a simple table. One lady started to even cry. I was extremely shocked at this. How could a university graduate not use common Microsoft Word to create a table? Oh, my oh my! The question is what did they learn for the entire duration of four years in the university? How did they do their assignments at school? They never used Microsoft Word to type assignment? They never did any course in ICT? Who taught them? Do they have laptops? What have they been using it for? So many mind bothering questions I could not answer. The more I thought about this the angrier I became.

I saw the problem from two points: the students themselves and the lecturer(s) who taught them. Let me explain. Our Ghanaian system (may be Africa as well) have over the years equated certificates to knowledge and skill. May be in the times of Dr. Kwame Nkrumah, Nelson Mandela, and Julius Nyerere’s time of old, that might have been the case. Hence individuals were then employed based on their certificates. Worse of all, without certificates, the government structures cannot place you on the appropriate payroll scale or level. The emphasis was on certificate with the assumption (presumably) that once the individual has the certificate, he/she automatically has the needed skills. It worked then probably.

However, what people (students and lecturers) have failed to appreciate is that we are in the era of the Bill Gates, Mark Zuckerberg, and Elon Musk. Your certificates mean nothing to them. It has no value to your employability. For Christ sake we are in the era of knowledge and skills. The emphasis is what you can do with the knowledge you acquired over the four years. It is not about first class or third class anymore. That era is over! Yes, it is over!

COVID-19 has taught many organizations that it is possible to work from home. I started working remotely since 2013. Without digital skills as simple as using Microsoft Word to create a table, how can such an individual work from home or remotely? I think it is of no use to even write in your CV/resume you can use Microsoft Word, Excel, or PowerPoint. Because it has become so basic in our modern times. It is expected that a degree holder should be able to use such modern tools or technology. Writing in CV/resume such ability to use the Internet is absolute useless to me! (Excuse my language).

Students are interested in gaining certificate hence are interested in getting higher scores at all cost and by all means possible. The focus is on the certificate and not the knowledge. Hence, they waste time on all manner of useless activities and when it is exams time, they maneuver their ways through to get questions from all sources by all means. How can such a person contribute meaningfully at the workplace? They lack concepts because they did not study at school. They went through the four years without any piece of knowledge. I was in Nigeria two years ago and my business partner complained of a new accounting graduate who could not create a simple balance sheet. Of course, he sacked her after two months. I have encountered master’s degree holders in IT who cannot use Microsoft Word. Whaaattt the **** (in the way Igwe 2Pac of Nigeria Comedy will say it).

I employed a lady as a Data Analyst not because I needed her services at that time but the approach, she used to get my attention. I came to the office and I was told a lady came seeking employment. She left her name and contact details. She stated clearly what her skills are and what she can do. I was impressed and called her for an interview right away. The interview was a discussion and she asked have we finished, and I said yes. How many graduates today can do this? All of them are waiting for their Uncle to connect them to somebody they know. A lot of graduates are even scared of going to look for jobs because they know they lack the skills to perform at that level.

Former President Mahama could not create enough jobs to employ every graduate. President Nana Akuffo Addo cannot create jobs to employ every graduate. Government will employ you based on certificate, party affiliations, who you know and who knows you. Private companies are chasing for knowledgeable and skilled persons and not certificates. Private companies are profit making ventures not NGOs. They are there to solve problems and get paid for the solutions they provide. They need people who can bring out solutions when hired.

And now, this is how the lecturers are helping to churn out useless graduates. I have been taught by very wonderful lecturers right from the University of Cape Coast through to Lulea University of Technology. I have experienced all of them in very different ways. We have lecturers who have passion for the work. They are knowledgeable in their field of research. They are on top of their game. They are in close collaboration with experts in industry and they are practitioners as well. They can teach without books or PPT and you leave the lecturer halls excited. We have other lecturers who have no clue on what they are teaching, and they come to class unprepared. They lack teaching skills, and they cannot teach or lecture without a Power Point they downloaded in 1992 after Ghana returned to democracy. They come to class as if it is a burden placed on them. They confuse students and worsen their confused minds. The students become worse of in their courses. They are the lecturers who sell handouts to students and woe betides you if you do not buy their book. They are too lazy to write books and shamefully keep on selling the same handout for the past five years and they are happy doing so. They are not in tune with modern methodologies or technology. They are the ones who cannot use Zoom or online tools to teach.

In the real world, the Internet can teach you more than any single lecturer can teach you. A former colleague at IPMC, who started as a programmer and now into finance, learnt how to make ice cream on YouTube. He made a lot of money from that and it has become a family business at Makola. I know a former student and now a friend from Congo Brazzaville who is a networking professional holding CCNP who learnt how to make cake and pastries from YouTube. He sold cake to almost every worker at the Ghana Airport. Yet we have Food and Nutrition or Home Economics students who cannot even mix gari and water to get the desired result, yet they have master’s in food and nutrition and are sitting at home unemployed.

A lot of lecturers have no practical experience of what they are teaching students and are mostly teaching outdated and useless stuff. At this age, a lecturer teaching students Web Design and all what they could teach is using Bill Gates Note Pad to create website. Shame unto you sir. No one in industry uses this anymore. Teach them WordPress, SEO, Google AdWords, AdSense, etc. They can employ themselves right after the course and not after the four years. A lecturer teaching fishery and aquaculture and you have not practicalize this. You do not have even a pond with two fishes, a crab, and a frog to demonstrate the concept into practice. What have you been doing for the past 10 years? Reading PPT to students is not the way to go. In every course, concepts can be translated to practical terms depending on who teaches it. At Lulea University of Technology, I was alarmed when one lecturer enrolled in a course with me and we ended up in the same group. I asked him few questions and he said this course is a new one and he needed to update himself in that. He attended all lectures and participated in all group discussions and did all assignments together with us. Do you think a Professor or PhD holder at Legon or University of Lagos (UNILAG) will bow himself so low to take the same course with his students? May be may be not.

Learning does not only take place in the classroom. The Internet offers the same resource to the Harvard students as well as the University of Cape Coast students.

I have interacted with so many HRs and hiring firms and they keep complaining they cannot get the right candidates for the job. What others have turned to do is to employ you on a condition; as an intern to learn for the first three months at best with half salary. You only get confirmed after six months when they are sure you can do something profitable and worth your salary.

When you meet someone with expertise or who is knowledgeable in any field, you will know after the first 10 minutes of talks on that subject area. Tell me this is not true. It is that simple. There are so many platforms to acquire knowledge from. I am on Facebook and I have joined relevant groups of my professional interest. On LinkedIn I have linked up with other subject matter experts and joined relevant groups. On Twitter I have followed almost every expert in my field. For example I have changed the course of my career (from programmer to information security professional and now to data privacy professional). I follow someone like Prof Daniel Solove and I have read almost every article by him. I have learnt a lot from him. He is an expert when it come to privacy issues. I have followed everyone that he follows and organizations that he has mentioned. I am enjoying it.

I have learnt a lot from my Bosses and students as well. At UCC, I learnt something from one of my Bosses. I was programming by then. He will never go home without going through the program we have written and ensuring that he has improved it. He is now Lawyer. I learnt from another Boss from Coca Cola to read something on my subject area everyday before coming to the office. I have followed that religiously since 2013. I am still the database designer and the product architect at my IT company, and I am practically involved in the development process. Just yesterday, a former student of mine at IPMC was teaching me Forex Trading via WhatsApp. I learn more from my students. I have learnt a lot of skills from Coursera, LinkedIn, Coursera, edX, FutureLearn, Udacity, Udemy, etc. My company developed a telehealth app for a client. I had to take an online course in health at Stanford University to beef up my knowledge. After the course when I met the client, he was wowed and instantly registered for the same course. I proofed to him that as a lecturer, consultant, programmer and product architect, I must have much knowledge in order to deliver value.

There are more places to learn a skill and not only from the classroom. Employers are becoming frustrated and continue to be disappointed after hiring seemingly people with good CVs/resumes. They have learnt lessons the hard way. They are smarter now in how they recruit. It is better to make the position vacant than to pay a useless graduate who in addition to demanding increment in salaries and asking for benefits, is adding to the stress of managing employees.

Dear students, learning does not only occur in the classroom. Degrees or certificates do not put food on the table and neither do they guarantee employment. Education now is not for employment anymore. Your lecturer is an employee of the University or the school. He will be paid whether you pass or fail. If you focus on first class or good scores only, you are the looser. The world out there is not interested in the number of degrees or certificates you have. Employers are smarter than the deceptive resumes or CVs that you have curated. Employers needs your skills and not certificates. Some people have multiple jobs and others are struggling to get even one. Why? Their skill is the differentiator.

Dear lecturers, update yourself with relevant skills and impact your students. Inspire confidence in them and get them ready for the job market. Employers are not interested in their scores in the quizzes, assignments, or exams. They need their skills and confidence. How they can translate the concept and knowledge to solve problems. Employees are paid to solve problems and what is their use if they cannot solve the problems for which they were employed.

I have employed quite a few people over the years. I have never advertised any job vacancy. One way I do this is to walk to the training institution or university campus and I request lecturers to give me five of their best students. I ask them to submit their practical works for review and then have discussions with them after which I pick one. Another way is to take contacts of students who ask good and practical questions during my presentation and I ask them to call me. The next thing I do is to ask them to send sample of their practical work. I proceed to have discussions with them, and then next thing is you are doing your National Service with me and after that you are employed. The third is this. I handle attachment training at Accra technical University and some other schools. During the trainings I hand pick the students who have demonstrated good understanding of concept and show passion for what they are studying. The fourth method I use is through recommendation from existing staff who can vouch for the recommended person. Currently, the Head of Mobile App Department in my company is a level two hundred student. I have three staff in that department and two are still in school. The head of Web Applications department is a dropout from the University of Ghana who found himself at IPMC. Their skill level is unmatched, they understand concept and I do not struggle to get them on board. I am always proud of them. Aren’t there graduates out there? Or is it cheap labour? None of the above please! Their skills brought them on board. We successfully developed our first world class app that took us three months. The second app to be launched in February took us one month. We have three other apps to be launched later in the year. We work day and night and they sleep in the office most times. We work remotely from home or physically at the office. They have team spirit and love what they do.

The trends have changed and the digital era does not recognize your certificate. Remember, certificates and degrees does not put food on the table and does not guarantee you job either. Employers are now smarter than your deceptive CV/resume. Go for knowledge and skill rather than grades for with the knowledge and skill you gain confidence, have the skill and employers will chase after you.

Emmanuel Gadasu

ekgadasu@gmail.com

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
September 21, 2024

I have seen quite a few numbers of Social Media posts where persons who have received text messages from the main political parties in Ghana: the NDC and the NPP have raised serious concerns and questioned the audacity of the parties to dare send them messages. They have called on the Data Protection Commission (DPC) to exercise its mandate under the Section 2 of the Data Protection Act 843 to protect them.

2. Object of the Commission. The object of the Commission is to

(a) protect the privacy of the individual and personal data by regulating the processing of personal information, and (b) provide the process to obtain, hold, use or disclose personal information.

You are not alone in receiving these messages. I have personally received such messages from both flagbearers; with the Sender IDs JohnMahama and DrMBAWUMIA.

I am excited as a professional in the field of data protection for the reason that Ghanaians are now aware of their privacy rights enshrined in Article 18(2) of the 1992 Constitution of Ghana and under the Data Protection Act 843 (Sections 32, 33, 35, 39, 40, 41, 42, 43, and 44). This sends the signal to other companies that processes personal data of people that they (the people) know their right and can therefore not be taken for granted!

From the very many concerns raised on Social Media that I have come across, these are the summary of the concerns raised by recipients:

1. how did the political parties get their phone number in the first place?
2. they have not given their CONSENT to receive messages from political parties
3. has the Electoral Commission (EC) of Ghana shared their phone numbers with the political parties without their CONSENT?

It is important to arm ourselves with the following definitions as they pertain to data protection to help readers comprehend this write up.

Data Subject

A data subject is an identifiable natural person whose personal data is being collected, stored, or processed.

Data Controller

A data controller is the entity (company, political party, etc) or person that determines the purposes and means of processing personal data. They are responsible for ensuring that data is processed in compliance with data protection laws and for protecting the rights of data subjects.

Data Processor

A data processor is an entity or person that processes personal data on behalf of the data controller, following the controller’s instructions. They do not own the data or decide how it is processed but must ensure that their processing activities comply with the contractual obligations set by the data controller and applicable laws.

Processing

Processing refers to any operation or set of operations performed on personal data, such as collecting, storing, modifying, transmitting, or deleting it. It encompasses both automated and manual handling of data, covering a wide range of actions performed on personal information.

Consent

To consent is to give permission for something to happen or agreement to do something. It must be freely given, specific, informed, and unambiguous agreement by a data subject for the processing of their personal data. For consent to be valid under data protection laws, it must be an active opt-in and revocable at any time by the data subject.

Most people have the erroneous understanding that CONSENT is the only basis by which a data controller (i.e. political party) can process your personal information. There are other legal bases by which your personal data can be processed by the political parties.

The following are the legal bases by which an entity including political parties (data controllers) could use (process) your personal information. Note this is evident in most of the data protection laws across the world – GDPR, CCPA, POPIA, DPDP, etc.

1. Consent

Processing is lawful if the data subject has given explicit, informed, and unambiguous consent for specific purposes. This requires a clear opt-in process, and the individual must be able to withdraw consent at any time. The consent must be freely given without any pressure or coercion.

2. Contractual Necessity

Processing is necessary when it’s required to fulfil a contract with the data subject, or to take steps before entering into a contract. This legal basis applies, for example, when providing services, delivering goods, or managing employment contracts. The data processed must directly relate to the contractual obligations.

3. Legal Obligation

Processing is lawful if it’s necessary for compliance with a legal obligation to which the data controller is subject. This basis applies when a law requires the processing of personal data, such as tax reporting or employment laws. It does not cover obligations imposed by a contract, but only those required by statutory or regulatory laws.

4. Vital Interests

Personal data can be processed if it’s necessary to protect the vital interests of the data subject or another person, typically in life-threatening situations. This basis is often used in emergencies where consent cannot be obtained, such as medical emergencies. It is limited to urgent and serious situations involving the protection of life or health.

5. Public Interest

Processing is lawful if it is necessary for performing a task carried out in the public interest or in the exercise of official authority vested in the data controller. This basis is often used by governmental bodies, public authorities, or organizations acting in the public’s interest, such as electoral registers or public health initiatives. It requires a legal basis, such as laws or regulations, to justify the public interest task.

6. Legitimate Interests

Processing is lawful if it’s necessary for the legitimate interests pursued by the data controller or a third party, provided those interests are not overridden by the data subject’s rights and freedoms. This basis requires a balancing test between the controller’s interest and the individual’s privacy rights. It’s commonly used in scenarios such as direct marketing, fraud prevention, or employee monitoring, as long as the impact on privacy is minimal.

From a data protection perspective, a political party can send SMS to citizens on the following legal bases:

1. Consent

Explicit Consent: The most straightforward and GDPR-compliant legal basis is obtaining explicit consent from individuals. Citizens must actively agree to receive SMS communications from the political party, typically through an opt-in process where they provide their mobile numbers and consent to such messages.

Conditions for Consent: The consent must be freely given, informed, specific, and unambiguous. Individuals should be able to withdraw consent at any time, and the process for doing so must be simple and clear.

2. Legitimate Interests

Legitimate Interests of the Political Party: Political parties may argue that sending SMS to citizens aligns with their legitimate interest to communicate with voters or promote democratic engagement, particularly during election campaigns. However, this basis requires a Legitimate Interests Assessment (LIA) to ensure that the party’s interests do not override the rights and freedoms of the individuals receiving the messages.

Balancing Test: The party must demonstrate that the communications are necessary for its purpose and that citizens’ privacy rights are not unduly impacted. Additionally, there must be an easy way for citizens to opt-out of further communication.

3. Public Interest

Tasks in the Public Interest: Some political communications can fall under tasks carried out in the public interest, such as promoting democratic participation or informing citizens about electoral processes. This legal basis may apply if the messages are essential to a public function or directly linked to democratic engagement.

4. Contractual Necessity

Service Information: In cases where citizens have signed up for membership or services with the political party, and SMS messages are necessary to fulfil contractual obligations, the party can rely on this legal basis. This would cover situations such as sending membership-related updates.

Other Considerations:

Transparency and Privacy Notices: Political parties must provide clear privacy notices detailing how personal data, including phone numbers, is collected, stored, and used. They should inform citizens of their rights, including the right to withdraw consent or object to processing.

Opt-Out Mechanism: Regardless of the legal basis, every SMS must provide a clear and easy way for recipients to opt out of receiving further messages.

Since the political parties have not sought the CONSENT of the individuals before sending the SMS, legitimate interest will be the primary legal bases for sending political SMS under data protection laws, with the party needing to ensure that they fully comply with the relevant provisions to avoid breaching data protection laws.

The next matter to deal with is how did the political parties get your number to send you the SMS? There are two potential sources from which political parties could get your personal data from the electioneering processes in Ghana:

1. By Law 2. Through the Registration Process
2. By Law

There two provisions in CI 91 that gives the Electoral Commission the power to share your Voters registration Details with the political parties: CI 91 regulation 5 (e) and regulation 22 (1) (2).

The registration Officer is mandated by CI 91 5(e) to provide the political parties with the details of those registered by what is commonly known as EOD: End of Day. The CI 91, regulation 5(e) states:

5. A registration officer shall

(e) at the end of each registration day of the national registration period make available to the political parties the names, ages, dates of birth, sex and residential addresses of the applicants registered at the centre and those whose registration have been challenged; and

In Regulation 22 of CI 91, it provides as follows:

22. Compilation of provisional register of voters

(1) The Commission shall, not later than three months from the end of the registration period, compile a provisional register of voters in the country, stating the name, age, sex, residential address and showing the photograph of each person whose application for registration was accepted at a registration centre.

(2) At the end of the compilation of the provisional register as provided in subregulation (1), a copy of the provisional register shall be given to each registered political party in the form determined by the Commission.

This means that by law, the Electoral Commission is mandated under CI 91 to provide all the registered political parties a copy of the provisional electoral register.

2. Through the Registration Process

During the Voter registration process, representatives of the political parties are present to also collate the names of people whose names have been enlisted in the Voters Register independently.

Although your phone number is captured in the system, this is not mandatory for registration hence some EC officers may choose to ignore it during the registration process. In most cases at the registration centres, the Political Party Representatives take phone numbers of the voters. Your residential address captured which is mandatory.

So, not only do the political parties have your phone number to send you SMS, but they can even pay you a visit in your residence because they have it and they can easily identify you because they have your picture!

If the EC has not officially given them your phone number as dictated by CI 91, how did they get it then? Maybe you might have offered it to them during the registration process or they could through other means get your phone number since they have your name!

Now the most important question is: are the political parties in violation of the Data Protection Act 843 in sending you SMS without your consent? As established, CONSENT is not the only legal basis for the political parties to send you SMS.

They may rely on their legitimate interest to inform you as a Ghanaian Registered Voter to inform you about their flagbearers vision, policies, etc to convince you to vote for them.

Ghanaians will decide on 7th December 2024 whether to RESET or UPGRADE and each side need to market their flagbearer to the voters including you! However, in sending their messages to you, they need give you the opportunity to OPT-OUT of receiving further messages from them! They will be in compliance of the Data Protection Act 843 even without your consent if they send you SMS with the option to OPT-OUT!

I wish all of us a peaceful Election 2024! Vote to either RESET or UPGRADE Ghana. Your Vote Is Your Power!

Author: Emmanuel K. Gadasu

(CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com.

LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/

Facebook: https://web.facebook.com/emmanuel.gadasu/

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
September 22, 2024

In today’s digital landscape, data protection is not just a regulatory obligation; it is a cornerstone of organizational integrity and customer trust. As companies increasingly rely on data to drive their operations, the need for comprehensive training on data protection practices becomes paramount. This training should extend to all levels of the organization, from the Board of Directors to the receptionists and even external suppliers. Each role contributes uniquely to the organization’s data security framework, and understanding these responsibilities is essential for compliance and risk mitigation.

1. The Board Role and Responsibilities The Board plays a critical role in setting the tone for data protection within the organization. Their responsibilities include establishing policies, overseeing compliance, and ensuring that data protection is integrated into the overall business strategy.

Need for Training:

Strategic Oversight: Training ensures that board members understand the legal and ethical implications of data handling.
Risk Management: Equipped with knowledge, the Board can better assess risks associated with data breaches and implement strategies to mitigate them.

2. Chief Executive Officer (CEO) Role and Responsibilities The CEO is responsible for the organization’s overall direction, culture, and compliance with laws and regulations.

Need for Training:

Leadership Example: A well-informed CEO can lead by example, fostering a culture of data protection throughout the organization.
Decision-Making: Understanding data protection laws enables the CEO to make informed decisions that align with regulatory requirements.

3. Human Resource Manager Role and Responsibilities The HR Manager oversees employee data management, including recruitment, payroll, and performance evaluations.

Need for Training

Employee Privacy: Training helps HR understand how to handle personal data responsibly and comply with data protection regulations.
Policy Development: HR can develop policies that protect employee data and ensure compliance with laws.

4. IT Manager Role and Responsibilities The IT Manager is responsible for the organization’s technology infrastructure and data management systems.

Need for Training:

Technical Security: Training is crucial for understanding how to implement technical measures that protect data from breaches.
Compliance Tools: IT Managers must be familiar with tools and technologies that ensure compliance with data protection regulations.

5. Information Security Manager Role and Responsibilities This role focuses on safeguarding the organization’s data from unauthorized access and breaches.

Need for Training

Risk Assessment: Training enhances the ability to conduct thorough risk assessments and develop effective security protocols.
Incident Response: Understanding data protection helps in formulating robust incident response plans.

6. Project Manager Role and Responsibilities Project Managers oversee projects that often involve handling sensitive data.

Need for Training

Data Handling Protocols: Training ensures that Project Managers implement data protection measures in project planning and execution.
Stakeholder Communication: Knowledge of data protection enables effective communication with stakeholders regarding data risks.

7. Customer Service Manager Role and Responsibilities Customer Service Managers interact directly with customers, often accessing personal information.

Need for Training

Data Handling Best Practices: Training equips them with the skills to handle customer data responsibly and respond to data inquiries appropriately.
Customer Trust: Understanding data protection can enhance customer trust and satisfaction.

8. Marketing Manager Role and Responsibilities Marketing Managers utilize customer data for targeted campaigns and market research.

Need for Training

Consent Management: Training ensures that marketing efforts comply with data protection laws regarding consent and data usage.
Brand Reputation: Knowledge of data protection helps safeguard the organization’s reputation by preventing data misuse.

9. Operations Manager Role and Responsibilities Operations Managers oversee daily operations, often involving data management.

Need for Training

Operational Efficiency: Training helps identify operational processes that require data protection measures.
Compliance: Understanding data protection laws ensures that operations run smoothly and legally.

10. Risk and Compliance Manager Role and Responsibilities This role is responsible for identifying, assessing, and mitigating risks related to data protection.

Need for Training

Regulatory Knowledge: Training provides insights into current data protection regulations and compliance requirements.
Risk Mitigation Strategies: Understanding data protection enhances the ability to develop effective risk mitigation strategies.

11. Finance Officer Role and Responsibilities Finance Officers manage sensitive financial data related to employees and customers.

Need for Training

Data Security: Training ensures that financial data is handled securely and in compliance with data protection laws.
Fraud Prevention: Knowledge of data protection can help detect and prevent fraud.

12. Internal Auditor Role and Responsibilities Internal Auditors assess the effectiveness of the organization’s data protection measures.

Need for Training

Audit Preparedness: Training ensures that auditors know what to look for regarding data protection compliance during audits.
Reporting: Understanding data protection helps internal auditors report findings effectively to management and the Board.

13. Procurement Officer Role and Responsibilities Procurement Officers manage supplier relationships and contracts, often involving sensitive data.

Need for Training

Supplier Due Diligence: Training helps in assessing suppliers’ data protection practices and ensuring compliance.
Contractual Obligations: Understanding data protection can help negotiate contracts that safeguard data.

14. Head of Training Role and Responsibilities The Head of Training is responsible for developing and implementing training programs across the organization.

Need for Training

Curriculum Development: Training ensures that the Head of Training creates relevant and effective data protection training programs.
Awareness: Knowledge of data protection enhances the ability to raise awareness among employees.

15. Suppliers Role and Responsibilities Suppliers handle data on behalf of the organization and must comply with data protection standards.

Need for Training

Compliance Awareness: Training ensures that suppliers understand their responsibilities regarding data protection.
Risk Management: Suppliers equipped with data protection knowledge can better manage risks associated with data handling.

16. Receptionist Role and Responsibilities Receptionists often handle sensitive information from visitors and clients.

Need for Training

Data Handling Protocols: Training helps receptionists understand how to manage personal data responsibly.
First Point of Contact: Knowledge of data protection enhances their ability to protect the organization’s data from the outset.

17. Cleaners Role and Responsibilities Cleaners may have access to sensitive areas and information.

Need for Training

Awareness of Data Sensitivity: Training ensures that cleaners understand the importance of safeguarding data in their work environment.
Basic Protocols: Knowledge of basic data protection protocols helps prevent accidental breaches.

Conclusion

Data Protection is a collective responsibility that extends beyond a single department or individual within an organization. Each role, from the Board to the cleaners, plays a part in safeguarding sensitive information. Training all personnel on data protection principles not only ensures compliance with legal requirements but also fosters a culture of security and trust.

In an era where data breaches are increasingly common, organizations must prioritize comprehensive training programs that equip every employee with the knowledge and skills needed to protect sensitive data. By doing so, companies not only safeguard their information but also enhance their reputation and build stronger relationships with customers and stakeholders.

Author: Emmanuel K. Gadasu (CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com.

LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/

Facebook: https://web.facebook.com/emmanuel.gadasu/

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
October 8, 2024

Dear Electoral Commission of Ghana,

I am writing to express my concerns regarding the upcoming publication of the reviewed Electoral Register online, particularly in light of the data protection laws of Ghana. While the Constitutional Instrument – CI 127 – grants you the authority to publish the register, it is imperative that this action aligns with our nation’s data protection regulations.

Section 91 (1) of the Data Protection Act 843 states “This Act binds the Republic” and what this means is that every entity within the jurisdiction of Ghana is required to comply with the Data Protection Act including the Electoral Commission.

The same way the Electoral Commission is mandated by the 1992 Constitution to conduct elections, Act 843 Section 2 also mandates the Data Protection Commission to protect the privacy of every Ghanaian

2. Object of the Commission. The object of the Commission is to (a) protect the privacy of the individual and personal data by regulating the processing of personal information

Data Protection Concerns In 2020, the decision to publish the electoral register on Google Drive raised significant alarm among Ghanaians. Many citizens voiced their apprehensions that this approach contravened data protection laws, potentially exposing personal information without adequate safeguards. The implications of such exposure can lead to identity theft and misuse of personal data, undermining public trust in the electoral process. As you prepare to publish the updated register before the elections on December 7, 2024, it is crucial to prioritize the security and confidentiality of voters’ personal information. The Data Protection Act mandates that personal data must be processed in a secured manner.

As much as a constitutional duty is laid on the Electoral Commission to carry out its mandate by publishing the voter register, the data protection Act 843 Section 28 places the obligation on the EC to ensure that whichever means they deem fit to publish the voter’s register, it must be done securely.

Section 28 requires that the EC adopts “appropriate, reasonable, technical and organisational measures to prevent (a) loss of, damage to, or unauthorised destruction; and (b) unlawful access to or unauthorised processing of personal data.”

Again Section 28 (2) requires that the EC shall take reasonable measures to: identify reasonably foreseeable internal and external risks to personal data under that its possession or control; establish and maintain appropriate safeguards against the identified risks; and regularly verify that the safeguards are effectively implemented.

Potential Impact on Voters Failure to adhere to these principles has the potential of putting every Ghanaian Registered Voter at risk. The CI 127 mandates the EC to publish the Voter’s Register and the Data protection Act 843 provides guidance on how the EC should perform their constitutional mandate in a secured manner to ensure that every Ghanaian Registered Voter’s personal data is secured!

The EC has elections to conduct, and the Data Protection also has a mandate to protect Ghanaian Citizens!

The year 2020 was the first time the EC published the Voter’s Register online. There were mistakes and you took the measures to correct them – don’t forget the data was already accessed and the harm may have already been caused or the data could be used in future to harm others or infringe on their privacy or data protection rights.

The EC has the opportunity to publish the Voter’s Register again soon. The questions are: (1) What lessons did the EC learnt from the 2020 mistakes? (2) What security measures has the EC put in place or intends to put in place to protect and secure the data on the register?

(3) Have you consulted the Data Protection Commission (DPC), the Cyber Security Authority (CSA) National Information Technology Agency (NITA) and other relevant authorities for guidance?

And to all these states institutions, rise up to the call to fulfil your individual mandates – you owe it to every Ghanaian.

Recommendation for Compliance To ensure compliance with data protection laws while fulfilling your mandate, I recommend that the Electoral Commission:

1. Publish the register on a secure platform: Utilize your official website or a dedicated secure portal rather than third-party services like Google Drive. 2. Implement robust security measures: Ensure that access to the electoral register is restricted and monitored, and that all personal information is encrypted. 3. Communicate transparently with voters: Provide clear information on how their data will be protected and used, fostering trust and encouraging participation in the electoral process.

In conclusion, while CI 127 empowers you to publish the electoral register, it is essential that such actions are conducted in a manner that respects and upholds the data protection laws of Ghana.

Whatever happens, on 7th December, Ghanaians will either vote to RESET or UPGRADE Ghana.

Thank you for considering these important matters.

Author: Emmanuel K. Gadasu (CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com. LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/ Facebook: https://web.facebook.com/emmanuel.gadasu/

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
October 11, 2024

A friend who lives in the UK currently posted this message on our professional platform: Institute of ICT Professionals Ghana (IIPGH) on the 7th October 2024.

I registered a company in obimanso (foreign land) about 3 months ago. Last week i got a letter from the obimanso (foreign land) “Data Protection office”. The interesting thing is the title of the letter: Pay the data protection fee. It’s the law – the title reads. The cost is £40/Year. Failure to pay can results in a fine of up to £4,000. I am wondering, @Emmanuel Gadasu. Is this something the data protection commission in Ghana can look into? Connect with registrar general and anytime a company is registered, they are looped in.

I believe the systems put in place and the collaborative efforts of the Information Commissioners Office (ICO) led to the message above. This will definitely lead to higher data controller/processor registration in the UK.

The Transitional provisions in the Data Protection Act 843 is clear through Section 97 subsections 1 and 2 when a newly incorporated business is required to register and when existing companies before the coming into force of this Act should register.

97 (1) A data controller incorporated or established after the commencement of this Act shall be required to register as a data controller within twenty (21) days of the commencement of business.

(2) A data controller in existence at the commencement of this Act shall be required to register as a data controller within three months after the commencement of this Act.

The above proviso in the Data Protection Act 2012 (Act 843) ideally will ensure that most companies are registered with the Data Protection Commission (DPC). This is however not the case in Ghana. There is a great number of companies that have not registered or renewed their data protection certificates with the DPC as required by Act 843. To ensure that most of these companies are registered and continue to renew their Data Protection Certificates every two (2) years (as stated in Section 50: A registration shall be renewed every two years.), I would like to propose a collaborative strategy to enhance compliance. To ensure that all companies register and renew their data protection status every two years, the DPC can liaise with several key institutions that regulate and interact with these companies.

Below are specific suggestions for collaboration with each institution:

1. Registrar General’s Department

The DPC can work closely with the Registrar General’s Department to create a seamless system where businesses are reminded about their data protection obligations at the point of registration and renewal of business licenses. This can be achieved by integrating data protection registration into the company incorporation and renewal process. Any business seeking to renew their license would be required to present proof of registration with the DPC before proceeding.

2. Public Procurement Authority (PPA)

The Public Procurement Authority can play a pivotal role in ensuring that companies participating in public contracts or bidding processes are compliant with the DPC’s requirements. By mandating proof of valid data protection registration and renewal as part of the criteria for eligibility in public procurement tenders, companies will be compelled to register or renew with the DPC before bidding on government contracts.

3. Ghana Revenue Authority (GRA)

The DPC can collaborate with the GRA to integrate data protection registration as part of the tax filing and clearance certificate processes. The GRA could require that companies provide evidence of compliance with the DPC before being issued tax clearance certificates. This would ensure that tax-compliant businesses are also compliant with data protection regulations.

4. Bank of Ghana

As a key regulatory body overseeing the banking and financial services sector, the Bank of Ghana can be instrumental in enforcing data protection compliance. The DPC could partner with the Bank of Ghana to mandate that all licensed financial institutions provide proof of registration with the DPC before their operational licenses are renewed or granted. This could also extend to ensuring that financial institutions only work with businesses that are registered with the DPC.

5. Banks/Financial Institutions

Financial institutions can help enforce compliance by making data protection registration a requirement for companies applying for loans, credit facilities, or other banking services. By incorporating this into their Know Your Customer (KYC) procedures, banks would ensure that any company seeking financial assistance must first present a valid data protection registration or renewal certificate.

6. Health Facilities Regulatory Agency (HEFRA)

Given the sensitive nature of data handled by health institutions, collaborating with HEFRA is crucial. The DPC could work with HEFRA to ensure that all healthcare facilities—both public and private—are required to register with the DPC before receiving operational licenses or permits from HEFRA. Renewal of these licenses could also be tied to proof of updated data protection registration.

7. National Insurance Commission (NIC)

The DPC could engage with the National Insurance Commission to make it mandatory for insurance companies to provide proof of valid data protection registration as part of their regulatory compliance. This requirement can be extended to insurance companies’ clients, ensuring that any business seeking insurance coverage is also registered with the DPC.

Implementation Strategy

Inter-institutional MoUs: The DPC can enter into formal Memorandums of Understanding (MoUs) with each of these regulatory bodies to clearly define roles and responsibilities.

Joint Communication Campaigns: The DPC and the respective institutions can carry out joint awareness campaigns to educate businesses about the importance of data protection and the mandatory nature of registration.

Centralized Database: Establish a centralized database where each regulatory institution can verify the compliance status of businesses seeking services, contracts, or licensing.

I believe these measures will create a stronger enforcement framework, ensuring that businesses in Ghana take their data protection obligations seriously. I am confident that through collaborative efforts, the DPC can achieve higher compliance rates and strengthen data privacy across the country.

Author: Emmanuel K. Gadasu

(CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com.

LinkedIn: https://www.linkedin.com/in/emmanuelgadasu/

Facebook: https://web.facebook.com/emmanuel.gadasu/

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
October 12, 2024

The exemptions provided in Sections 60-74 of the Data Protection Act, 2012, while intended to serve important public interests, pose significant challenges to the rights of data subjects in Ghana. These exemptions, significantly impact the rights of data subjects.

Here’s an analysis of how these exemptions may affect individuals’ rights regarding their personal data.

1. Limitation of Access Rights

The exemptions allow data controllers to deny data subjects access to their personal data under certain circumstances, particularly in cases involving national security, crime prevention, or regulatory activities (Sections 60-63). This can hinder individuals’ ability to understand how their data is being used and whether it is being processed lawfully.

2. Reduced Transparency

Exemptions related to journalism, literature, and art (Section 64) can lead to a lack of transparency regarding how personal data is handled in these contexts. Data subjects may not be informed about the processing of their data for these purposes, undermining their right to be informed.

3. Compromised Right to Erasure

The right to erasure (or the “right to be forgotten”) is limited by exemptions that prioritize public interest or regulatory needs over individual privacy (Sections 60-74). This means that even if a data subject wishes to have their data deleted, it may not be possible if the processing is deemed necessary for public safety or other exempted activities.

4. Impact on Accountability

Exemptions can weaken the accountability of data controllers. For instance, if a data controller is exempt from certain accountability principles when processing personal data for regulatory or national security purposes, it may lead to less stringent oversight and potential misuse of personal data without adequate recourse for individuals.

5. Balancing Interests

While the exemptions are designed to balance individual rights with broader societal interests—such as national security and public health—they can also create a scenario where individual rights are sidelined. This balance may disproportionately favor the interests of organizations or government entities at the expense of personal privacy.

6. Potential for Abuse

The broad nature of some exemptions could lead to potential abuse by data controllers who might invoke these provisions to avoid compliance with data protection obligations. This creates a risk that legitimate requests from data subjects could be unjustly denied under the guise of exemption.

7. Limited Scope for Legal Recourse

The exemptions delineate specific scenarios where rights may not apply, potentially limiting legal recourse for individuals seeking justice for violations of their rights. If a data subject feels their rights have been infringed upon but falls under an exemption, they may find it challenging to pursue legal action.

Conclusion

It is essential for legal practitioners and policymakers to carefully consider these impacts and strive for a balance that protects individual privacy without compromising public safety and other legitimate interests. Continuous monitoring and potential reform may be necessary to ensure that the rights of individuals are not unduly compromised by these exemptions.

Author: Emmanuel K. Gadasu

(CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer!

You can reach him for further comments by Call/WhatsApp/Telegram +233 24391 3077 or via email: ekgadasu@gmail.com.

LinkedIn: https://www.linkedin.com/in/ekgadasu/

Facebook: https://web.facebook.com/emmanuel.gadasu/

Emmanuel Kwasi Gadasu
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
October 20, 2024

Article content

5 Skills to Make You a Better Data Protection Officer

In the evolving landscape of data privacy, the role of a Data Protection Officer (DPO) is increasingly critical. To excel in this position, a DPO must cultivate a unique blend of skills that address both legal and operational challenges. Here are five essential skills that can significantly enhance your effectiveness as a DPO.

1. Legal Knowledge

A profound understanding of data protection laws is fundamental for any DPO. This includes familiarity with regulations such as the Data Protection Act 2012 of Ghana (Act 843), General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other relevant frameworks. A DPO must not only know these regulations but also stay updated on any changes that could impact their organization’s compliance efforts. This legal acumen allows them to provide informed guidance on data handling practices and ensure that the organization meets its obligations.

2. Strong Communication Skills

Effective communication is crucial for a DPO. They must be adept at conveying complex legal concepts to diverse audiences, from operational staff to board members. This involves tailoring messages to suit different stakeholders, ensuring clarity and understanding across the organization[1][5]. Additionally, active listening skills are vital for grasping concerns from various departments and addressing them appropriately, fostering a collaborative environment around data protection[2][4].

3. Technical Proficiency

While legal knowledge is essential, a DPO must also possess a solid understanding of the technical aspects of data management. This includes knowledge of IT infrastructure, cybersecurity measures, and data governance frameworks. A DPO should be able to assess risks associated with new technologies and implement appropriate safeguards. Familiarity with technical tools and methodologies can enhance their ability to conduct privacy assessments and audits effectively.

4. Negotiation Skills

Negotiation is an often-overlooked skill for DPOs but is crucial for resolving conflicts that may arise between compliance requirements and business objectives. A DPO must negotiate effectively with various stakeholders—whether it’s convincing management of necessary compliance measures or mediating between departments with differing priorities. The ability to find common ground while advocating for data protection rights can lead to more effective implementation of privacy policies.

5. Independence and Credibility

A successful DPO must operate independently within the organization, free from conflicts of interest. This independence allows them to provide unbiased advice on data protection matters without external pressures influencing their decisions. Building credibility with both internal stakeholders and external regulatory bodies is equally important; this can lead to more effective cooperation during audits or investigations.

Conclusion

The role of a Data Protection Officer is multifaceted, requiring a combination of legal expertise, communication prowess, technical knowledge, negotiation capabilities, and independence. By developing these skills, aspiring DPOs can enhance their effectiveness in safeguarding personal data and ensuring compliance within their organizations. As the field continues to evolve, ongoing education and adaptation will be key in maintaining these competencies.

Author: Emmanuel K. Gadasu

(CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)

The writer is a Data Protection and Cybersecurity Consultant, Practitioner and Trainer! Email: ekgadasu@gmail.com

Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
October 24, 2024

Under Data Protection Laws, the rights of data subjects can be categorized into absolute rights and qualified rights. Understanding this distinction is essential for both individuals and organizations to navigate the complexities of data protection.

Absolute Rights

Absolute rights under data protection laws are those that must be granted without exceptions, meaning that individuals can exercise these rights in all circumstances. Key examples include:

1. Right to Access: Individuals can request access to their personal data held by organizations, and this right must be honoured without conditions.
2. Right to Rectification: Data subjects have the right to request corrections to inaccurate or incomplete personal data, which organizations must comply with without exceptions.
3. Right to Object: Individuals have an absolute right to object to the processing of their personal data for direct marketing purposes, and organizations must cease processing upon such a request.

These rights are designed to empower individuals unequivocally, ensuring they can control their personal data without limitations.

Qualified Rights

Qualified rights, on the other hand, are subject to certain conditions or limitations. This means that while individuals have these rights, there may be specific circumstances under which organizations can refuse or limit their exercise. Examples include:

1. Right to Erasure (Right to be Forgotten): While individuals can request their data to be deleted, this right is not absolute. Organizations may deny such requests if the data is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
2. Right to Restrict Processing: Individuals can request that processing be restricted under certain conditions (e.g., when contesting the accuracy of data). However, this right does not apply if the processing is necessary for legal claims or public interest.
3. Right to Data Portability: This right allows individuals to transfer their personal data between service providers but only applies when the processing is based on consent or a contract.

Conclusion

In summary, while Data Protection Laws provide robust protections for data subjects through various rights, there’s a distinction between absolute and qualified rights. Absolute rights must always be respected by organizations, whereas qualified rights may be subject to specific conditions or limitations. This framework ensures that while individuals have significant control over their personal data, organizations also retain certain protections and obligations under specific circumstances. Understanding this balance is crucial for effective compliance with Data Protection Laws and safeguarding individual privacy rights.