The Nigeria Data Protection Regulation, 2019 ("NDPR") requires organisations that collect and process personal data of Nigerians and Nigerian residents to adopt appropriate systems and processes to ensure adequate protection of personal data and the rights of individuals. In order to achieve this, organisations are required to, among other steps:
- develop and maintain security measures, such as securing systems from hackers, setting up firewalls, secure storage of data with access restricted to specific authorized individuals, deployment of data encryption technologies, protection of emailing systems etc, to protect data;
- develop and maintain an organizational policy for handling personal data (and other sensitive or confidential data), which must be published on all media through which personal data is being collected or processed;
- undertake continuous capacity building for staff;
- designate a Data Protection Officer who will be responsible for ensuring adherence to the NDPR, relevant data privacy instruments and data protection directives of the organisation; and
- execute a data processing agreement with third party data processors.
In addition to the foregoing, companies which have processed the personal data of more than 2,000 persons in a period of 12 months are required to conduct annual data protection audits and file the report of such audit ("Audit Report") at NITDA by the 15th of March of the following year. However, the National Information Technology Development Agency ("NITDA") has recently extended the deadline for the submission of the Audit Report for this year till the 30th of June.
To ensure compliance with the foregoing obligations, NITDA has licensed Data Protection Compliance Organisations ("DPCO") to, among other services, assist companies in conducting annual audits and filing Audit Reports at NITDA.
Banwo & Ighodalo is a licensed DPCO, and we confirm our availability to assist your company with the conduct of its annual audits and filing of requisite Audit Reports at NITDA. We are also well positioned to provide other data protection advisory related services, such as, data protection impact assessment, data breach risk harm assessment, data breach remedial support, data protection training and data protection advisory.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.