What is the Nigeria Data Protection Regulation (NDPR) & how does it impact your Business?

What Is the Nigeria Data Protection Regulation (NDPR)?

The Nigeria Data Protection Regulation, 2019 (‘NDPR’) is the main data protection regulation in Nigeria. The NDPR was issued by the National Information Technology Development Agency (‘NITDA’). The NDPR advances the constitutional right, aiming amongst other things to safeguard the rights of natural persons to data privacy.

Who Must Comply With the NDPR?

The Nigeria Data Protection Regulation has derived some of its terminology from the EU’s GDPR – the world’s strictest data privacy law. Let’s take a look at how the NDPR defines specific terms we have come to know from the existing data privacy laws.

Personal Data

The NDPR defines “personal data” as any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; it can be anything from name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.

Controllers

Most of the requirements fall on “Data Controllers”. A Data Controller is a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed. The NDPR only applies to controllers or processors that conduct business in Nigeria or target Nigerian residents with their offers of goods or services.

What Rights Does the NDPR Grant for Consumers?

The rights provided under the NDPR are identical to those provided by the GDPR and include:

Right to object: the NDPR gives individuals or data subjects the right to object to the processing of their personal data or information in certain circumstances.

Right to information: the NDPR gives individuals a right to be informed about the collection and use of their personal data, which leads to a variety of information obligations by the controller.

Right to access: the NDPR gives individuals or data subjects the right to access and receive a copy of their personal information or data, and other supplementary information.

Right of rectification: the NDPR gives individuals or data subjects the right to have personal data rectified. You can rectify personal data if it is inaccurate or incomplete.

Right to erasure: the NDPR gives individuals or data subjects the right to ask organizations to delete their personal data. The NDPR governs how personal data must be collected, processed, and erased.

Is Anyone Exempt From the NDPR?

The NDPR does provide exceptions to the application of data privacy and protection. For example, the NDPR does not apply to:

  • the use of personal data in furtherance of national security, public health, safety and order by agencies of the Federal, State or Local government or those they expressly appoint to carry out such duties on their behalf;
  • the investigation of criminal and tax offences;
  • the collection and processing of anonymized data; and
  • personal or household activities with no connection to a professional or commercial activity (Art. 2.1 of the NDPR Implementation Framework, 2020).

NDPR Enforcement

Nigeria has not established an independent regulator for data protection. Under the NDPR, the National Information Technology Development Agency (NITDA) can set up an administrative redress panel to investigate breaches of the NDPR and issue administrative orders (Art. 4.2(1)-(4) of the NDPR). However, it has been found that the Agency’s powers are not explicitly stated in the NDPR. The regulations require Data Controllers to designate a Data Protection Officer responsible for ensuring compliance with the Regulations and other applicable data protection directives. The data controller may outsource this responsibility to a verifiably competent firm or person.

NDPR Penalties and Fines

At this point, for data controllers dealing with more than 10,000 data subjects, a violation of the NDPR can result in penalties of up to 2% of the organization’s annual gross profit of the preceding year or payment of the sum of 10 million Naira, whichever is greater.

How to ensure your Business Meets the NDPR Requirements

Map your data

If you’ve determined that your company is not exempt from the NDPR, the next step is mapping your data. Data mapping ensures that controllers understand how data flows through their organization. You need to understand what data you are processing and for what purpose to fulfill data subject requests and determine how long you should keep that data in your systems.

Data mapping is an ongoing process, so you should conduct regular reviews of the personal data you process and update the documentation accordingly. It is strongly advised to always document your processing activities in writing in a granular way with links between the different pieces of information. To stay compliant, you’ll need to understand where your information comes from and how it’s used.

Revise your privacy policies

To comply with the NDPR, you should revise and update your privacy policies to include personal data processing activities, new rights available to consumers, and identify the mechanisms for consumers to exercise those rights.

Assess your data protection

It is also recommended that companies carry out data protection assessments regularly. These assessments should evaluate how your company utilizes and processes any private information and, more importantly, the risks involved with processing that data.

Appoint a data protection officer

Appoint a data protection officer to lead regular training programs to ensure that employees can handle consumer inquiries in a timely and consistent manner that fulfills the NDPR’s requirements. The data protection officer will also make sure your company’s data privacy policy is fully compliant with the law.

Staying Compliant With the NDPR

The NDPR can profoundly affect businesses, and trying to navigate this complex network of rules will only get more complicated.

At Techedge Legal Advisory, we focus on data privacy regulation and best business practices for the modern digital professional and make compliance with these regulations simpler and more economical. Contact our team today to help get your company on the right track.
