Do you know that under the Nigerian Data Protection Regulations 2019 (NDPR), data controllers and processors who determine the processing and process the personal data of natural persons in Nigeria and/or citizens of Nigeria respectively, are required to file a data protection audit report on an annual basis but not later than the 15th of March each year, with the Nigerian Data Protection Bureau (NDPB)?
The data protection audit report is a systematic investigation or examination of the records, processes and procedures of data controllers and processors to ensure that they are in compliance with the requirements of the NDPR and their data protection policies. Under the NDPR, only a Data Protection Compliance Organisation (DPCO) duly licensed by the NDPB is authorised to conduct data protection audits and file same with the NDPB. In conducting the data protection audit, a DPCO shall among other responsibilities:
i. Evaluate the status of the organisation's compliance with the NDPR;
ii. Appraise the protection of the rights of the data subject;
iii. Assess the level of awareness by the organisation's top management, members of staff, contractors and customers of the NDPR;
iv. Identify current and potential non-compliance by the organisation with the NDPR; and
v. Drawing up a plan to remediate identified non-compliance with the NDPR.
In the event that a data controller or processor fails to file the data protection audit report, the NDPB may consider such failure as a breach of the NDPR which can expose the organisation to an administrative fine based on a number of considerations. The NDPB may also issue administrative orders that include: the suspension of the services pending further investigations; order of the parties to appear before an administrative panel to determine the liability of its officers; and public notice warning the public to desist from patronising or doing business with the organisation. In addition, criminal prosecution may be commenced against the officers of the organisation if the breach is determined to be one that affects the national security, sovereignty and cohesion of Nigeria.
Streamsowers & Köhn, being a licensed DPCO can assist both data controllers and processors comply with their obligation to file a data protection audit report at the NDPB. In addition, we are versed in all areas of data protection and information security compliance including matters of cross-border data transfers, data breach notifications, data subject access requests (DSAR) and data protection impact assessments (DPIA) under the NDPR and other applicable laws, and are able to work with clients to identify and resolve key compliance obligations that are critical for their ongoing business operations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.