Navigating Data Privacy Laws & Protection in Nigeria: A Guide for Businesses
Nigeria, like many countries, has recognized the significance of safeguarding personal information and has implemented regulations to govern the handling of data.
The Nigerian Data Protection Act, 2023 (NDPA) and the Nigerian Data Protection Regulation (NDPR): The Framework for Data Security
The enactment of the Nigerian Data Protection Regulation (NDPR) in 2019 underscores Nigeria’s dedication to fostering responsible and legal processing of personal data.
The Nigerian Data Protection Regulation extends its applicability to a broad spectrum of entities, encompassing both public and private sectors. Businesses, government agencies, and various organizations engaged in the collection, processing, or storage of personal data fall within its purview.
Complementing the provisions of the Nigerian Data Protection Regulation (NDPR) established in 2019, the Nigerian Data Protection Act (NDPA) emerged in June 2023 as an enactment by the National Assembly.
The Nigerian Data Protection Act was enacted to reinforce and give enhanced credibility to the regulations outlined in the NDPR. Consequently, this signifies a substantial step towards fortifying the framework for data protection in Nigeria.
Key Provisions of The Nigerian Data Protection Regulation and The Nigerian Data Protection Act:
Data Subject Consent
The Nigerian Data Protection Regulation and the Nigerian Data Protection Act place a strong emphasis on obtaining valid consent from data subjects before processing their personal data. Businesses must clearly communicate the purpose for collecting data and obtain explicit consent. This consent must be direct and unequivocal.
Data Protection Impact Assessment (DPIA)
Section 28 of the NDPA provides that before embarking on high-risk data processing activities, businesses are required to conduct a DPIA to assess and mitigate potential risks to data subjects.
Data Security Measures
The Nigerian Data Protection Regulation and The Nigerian Data Protection Act mandates the implementation of appropriate technical and organizational measures to ensure the security of personal data.
This includes measures to prevent unauthorized access, disclosure, alteration, and destruction of data such as regular security assessments, encryption protocols, and employee training on cyber hygiene.
Data Subject Rights
Sections 34, 35 and 36 of the NDPA provides that individuals in Nigeria have certain rights over their personal data, including the right to access, correct, delete, or object to the processing of their information. Businesses must establish processes to address these requests.
Personal data under the NDPA refers to any information that could be used directly or indirectly identify a person such as their name, email address, mobile number, genetic composition, contact address etc.
The Nigeria Data Protection Commission
The Nigeria Data Protection Commission (NDPC), established by Section 4 of the Nigeria Data Protection Act 2023, stands as the nation’s authoritative body overseeing data protection matters.
Tasked with enforcing and monitoring compliance with the Act, the NDPC plays a pivotal role in safeguarding individuals’ privacy rights and promoting responsible data handling practices across public and private entities.
With a commitment to upholding the highest standards of data protection, the commission serves as a cornerstone in shaping Nigeria’s digital landscape into one that values and protects the privacy of its citizens. Some of the roles of the NDPC are stated below.
The Role of the Nigeria Data Protection Commission (NDPC):
Ensuring Compliance: The NDPC, established as the regulatory authority for data protection in Nigeria, plays a pivotal role in overseeing compliance with the Data Laws. It was set up to promote a safe and secure environment for the processing of personal data.
Enforcement and Penalties: The NDPC has the authority to enforce compliance with the Data Laws. Non-compliance can result in severe penalties, including fines and legal actions. Businesses operating in Nigeria should be aware of their responsibilities under the NDPR and NDPA to avoid potential legal consequences.
Registration with NDPC: Certain categories of data controllers and processors are required to register with the NDPC. This includes entities with over 10,000 data subjects or those processing sensitive personal data. Registration ensures that businesses are accountable for their data processing activities.
Yearly Audits: One distinctive feature of data protection in Nigeria is the annual audit requirement imposed by the NDPC. Every data controller operating in the country is mandated to conduct a comprehensive data audit by March of each year. This annual assessment serves as a proactive measure to evaluate the effectiveness of an organization’s data protection measures and ensure ongoing compliance with the NDPR and the NDPA.
Data Protection Audit is a systematic investigation or examination of the records, processes and procedures of Data Controllers and Processors, to ensure that they follow the requirements of the NDPR and the NDPC.
The reasons for conducting a data protection audit include to:
- Assess the level of compliance with the NDPR and the NDPC;
- Evaluate compliance with the organization’s own data protection policy;
- Identify potential gaps and weaknesses in organization’s processes; and
- Give requisite advice and/or remedial actions for identified gaps.
To this end, the Commission has given licenses to certain business to carry out this Audits on its behalf including Berkeley Legal.
Practical Considerations for Businesses Entering Nigeria:
- Conducting a Data Mapping and Classification Exercise: Before collecting and processing data, businesses are advised to conduct a thorough data mapping exercise to identify the types of data they are likely to handle. Classifying data based on sensitivity is crucial for implementing appropriate security measures.
- Appointing a Data Protection Officer (DPO): Appointing a Data Protection Officer is a requirement under the NDPR for certain businesses. A DPO oversees data protection activities, ensures compliance, and acts as a point of contact for data subjects and the NDPC.
- Implementing Data Security Measures: Implementing robust cyber security measures is essential. This includes encryption, access controls, and regular security audits to safeguard personal data from unauthorized access or breaches.
- Ensuring adequate Training and Awareness: Employees should be educated on data protection principles and NDPA requirements. Training programs can help create a culture of awareness and responsibility within the organization.
Conclusion
In conclusion, navigating the data privacy landscape in Nigeria demands a comprehensive understanding of the NDPR and compliance with the guidelines set by the NDPC. Businesses that prioritize data protection are not only required to comply with regulatory requirements but also build trust with their customers.
As the digital landscape evolves, staying abreast of changes in data protection laws is key to the long-term success of the applicable businesses operating in Nigeria.
Berkeley Legal is a dedicated leading full-service business law firm in Lagos, Nigeria. We provide comprehensive and sophisticated range of specialized and personalized legal services that are designed to meet the various needs of a highly diversified local and international businesses.
If you would like to know more about data privacy in Nigeria, please contact info@berkeleylp.com
The information provided in this article is for general informational purposes only and does not constitute legal advice.
