DATA PRIVACY AND PROTECTION IN NIGERIA – COMPLIANCE AND BEST PRACTICES

Navigating Nigeria’s Data Protection Landscape

In today’s digital age, data privacy is a critical issue for businesses operating in Nigeria. The Nigeria Data Protection Act (NDPA) 2023 builds on the Nigerian Data Protection Regulation (NDPR) of 2019 and the NDPR Implementation Framework of 2020 to align with international standards for data protection such as the General Data Protection Regulation (GDPR). This publication provides a comprehensive guide to compliance obligations and best practices under the NDPA.

Key Provisions of the NDPA

The NDPA, signed into law on June 12, 2023, addresses the limitations of previous regulations and brings Nigeria in line with international best practices. Key aspects include the establishment of the Nigeria Data Protection Commission (NDPC), stricter rules on cross-border data transfers, and mandatory reporting of data breaches within 72 hours of discovery.

Scope of Operation

Section 2 of the Act[i] sets out its scope of application: it covers the processing of the personal data of a data subject in Nigeria, whether or not the Data Controller or Data Processor is domiciled, resident or operating in the country.

Lawful Basis Governing the Processing of Personal Data

The NDPA also sets out the lawful bases on which personal data may be processed, which include the following:

  1. The data subject has freely given and not withdrawn his consent; or
  2. Such processing is necessary for one of the following reasons:
  • for the performance of a contract to which the data subject is a party,
  • for compliance with a legal obligation to which the data controller or data processor is subject,
  • to protect the vital interest of the data subject or another person,
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor, or
  • for the purposes of the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed.

Classification of Data Controller and Processors of Major Importance

By a Guidance Notice (NDPC/HQ/GN/VOL.02/24) issued in February 2024[ii], the NDPC has classified Data Controllers and Processors of Major Importance into three (3) categories:

(a) Major Data Processing-Ultra High Level (MDP-UHL)

Amongst other things, an MDP-UHL entity processes the personal data of over 5,000 data subjects through the means of technology under its technical control or through a service contract.

(b) Major Data Processing-Extra High Level (MDP-EHL)

Amongst other things, an MDP-EHL entity processes the personal data of over 1,000 data subjects through the means of technology under its technical control or through a service contract.

(c) Major Data Processing-Ordinary High Level (MDP-OHL)

Amongst other things, an MDP-OHL entity processes the personal data of over 200 data subjects through the means of technology under its technical control or through a service contract.

NOTE: A Data Controller or Data Processor is deemed to be of major importance if it processes the personal data of data subjects in a manner that adds particular value or significance to the economy, society or security of Nigeria.

Compliance Obligations for Organizations

  1. Registration Requirements[iii]: Organizations designated as Data Controllers or Data Processors of Major Importance (DCMI/DPMI) must register with the NDPC to facilitate oversight and compliance.
  2. Appointment of a Data Protection Officer (DPO)[iv]: Organizations handling significant volumes of personal data must designate a qualified DPO with expertise in data privacy laws. The DPO is responsible for monitoring compliance and for implementing the organization's data protection policies.
  3. Compliance Audit Returns[v] (CAR): Organizations actively processing the personal data of data subjects must file a CAR every year. These audits identify potential compliance gaps and offer recommendations for improvement. Audit results must be filed with the NDPC by March 15 each year.

Best Practices for Data Protection

  • Develop Clear Privacy Policies: Organizations must maintain and publish comprehensive privacy policies that inform data subjects how their data will be used, stored and protected, what rights they are guaranteed, and which grievance redress mechanisms are available where such a right is breached.
  • Implement Security Measures: Protecting personal data from unauthorized access, loss and alteration, and thereby ensuring its confidentiality, integrity and security, is of the highest priority. Mechanisms such as encryption, access controls and regular risk assessments should be used to achieve this.
  • Training and Awareness Programs: Employees should undergo regular data privacy training to ensure compliance with the regulations and reduce the risk of breaches.
  • Collaborate with Data Protection Compliance Organizations (DPCOs): Partnering with accredited DPCOs helps businesses align with the NDPA requirements and ensures regular compliance monitoring.
  • Engage a Licensed DPO: Organizations actively processing personal data must engage the services of a licensed Data Protection Officer (DPO) to oversee all matters relating to the protection of personal data.
  • Vet Agents and Contractors: Organizations must maintain and provide a list of the agents or contractors they engage for data processing, and must carry out due diligence on those parties' training and general compliance with the NDPA.

Sanctions and Enforcement

Failure to comply with the NDPA can result in severe financial penalties, as demonstrated by the fines imposed on entities such as Meta Platforms (in conjunction with the Federal Competition and Consumer Protection Commission) and Fidelity Bank PLC for non-compliance. Beyond fines, violations may attract criminal sanctions[vi], reputational damage and legal liability, underscoring the need for proactive compliance strategies.

Conclusion

The NDPA represents a major milestone in Nigeria’s data privacy journey, providing a framework that enhances personal data security while fostering economic growth. To stay compliant, businesses must adopt proactive strategies, including regular audits, employee training, and collaboration with compliance bodies. These efforts will not only prevent sanctions but also build trust and improve customer relationships in a competitive market.


References

[i] The Nigeria Data Protection Act (NDPA) 2023

[ii] Registration of Data Controllers and Data Processors of Major Importance, NDPC/HQ/GN/VOL.02/24 (pursuant to Sections 5(d), 6(c), 44, 45 and 65 of the Nigeria Data Protection Act). Available at https://ndpc.gov.ng/Files/registration.pdf

[iii] Section 44 of the NDPA

[iv] Section 32 of the NDPA

[v] Section 33 of the NDPA

[vi] Section 61 of the NDPA

Human Resources Manager