The importance of personal data in the world today cannot be over-emphasized. This has led to greater care in how it is used and a marked increase in the enactment of data protection legislation around the world. With data often regarded as the new oil, individuals, organizations, corporate bodies, corporations, etc. now process it in line with the extant laws so as to avoid data breach incidents and the attendant fines and sanctions.
The growing adoption of data protection laws to govern processing activities also extended to Nigeria with the release of the Nigeria Data Protection Regulation (NDPR) in January 2019, which to date remains the only comprehensive piece of legislation on the subject matter.1
This piece examines in detail the benefits an organization in Nigeria stands to derive from being data protection compliant.
WHAT ARE THE COMPLIANCE OBLIGATIONS REQUIRED OF AN ORGANIZATION
Data privacy and protection in Nigeria is regulated by the Nigeria Data Protection Bureau (NDPB).2 The legal framework governing data privacy and protection in Nigeria is the NDPR, 2019, the Nigeria Data Protection Regulation Implementation Framework, 2020, and a host of other general and sector-specific pieces of legislation.
Under the NDPR and the Implementation Framework, any organization that processes personal data is mandated to be compliant. To show compliance, such an organization has to ensure that the following3 compliance metrics are implemented and put in place:
- Filing of annual data protection audit with the Nigeria Data Protection Bureau (NDPB) through a licensed DPCO;
- Processing data only on a legally justifiable basis as provided under Article 2.2 of the NDPR;
- Preparing and publishing a privacy policy on every medium of personal data collection in line with Article 2.5 of the NDPR;
- Having a privacy policy on the organization's website and informing the data subjects accordingly of developments requiring new or different consent. Please note that publicity of the privacy policy may be fulfilled through any one or combination of the following:
  - publication on the website;
  - publication in
  - the Data Subject; or
  - publication in any public media
- Designing and maintaining systems to be data protection compliant as provided under Article 2.6 of the NDPR;
- Undertaking continuous capacity building for members of staff, contractors, vendors, and relevant third parties;
- Developing and circulating an internal data protection strategy or policy to help members of staff and vendors to understand the organization's direction in connection with the collection and processing of personal data and outlining the steps being taken to ensure the organization's direction is achieved and maintained;
- Conducting a Data Protection Impact Assessment ('DPIA') in accordance with the provisions of the NDPR;
- Notifying the NDPB of Personal Data breaches within 72 (seventy-two) hours of becoming aware of the breach;
- Updating agreements with third-party processors to ensure compliance with the NDPR;
- Designing systems and processes to make data requests and access seamless for Data Subjects;
- Designing systems and processes to enable data subjects (customers) to easily correct or update their Personal Data;
- Designing systems and processes to enable data subjects to easily transfer data to another platform or person (natural or artificial) at minimal costs;
- Training members of senior management and employees that collect and/or process personal data in the course of their duty, on Nigerian data protection laws and practices on a biennial basis;
- Clearly communicating to Data Subjects the process for objecting to the processing of their Personal Data; and
- Outlining the procedure for informing data subjects and for protecting their rights, where an automated decision is being made on their personal data, etc.
BENEFITS OF COMPLIANCE
By complying with the NDPR, 2019, the NDPR Implementation Framework, 2020, and other extant laws and regulations on data protection in Nigeria, an organization stands to reap the following benefits:
- Avoidance of fines by the regulator: By being compliant, an organization in Nigeria will avoid the penalties for non-compliance under the NDPR.4
- Inclusion on the NDPB's Website as a Compliant Organization: A visit to the NDPB's website will reveal a list of compliant organizations. This list contains organizations that have filed their annual data audit on or before March 15 or such other date as may be prescribed by the regulator. By being compliant, an organization will appear on the list for the year.
- Increase in clientele: Data protection compliance also helps an organization to increase its clientele as people tend to give more patronage when they realize that their data is safe with the organization.
- Inclusion on the Nigeria Data Protection Adequacy Program (NADPAP) Whitelist: This is a list of organizations in Nigeria that have met the standard required for a compliant organization.
- Customer trust: Data protection compliance facilitates and boosts the trust the data subject would have in the organization and gives such an organization a competitive edge.
- Legal Compliance: By being compliant, an organization is able to process personal data lawfully, and avoid sanctions, fines, and penalties for non-compliance.
- Reduced Risk of Data Loss: By being compliant, an organization is able to implement adequate technical and organizational measures for data security which facilitates a reduction of the risk of data loss or breach.
CONCLUSION
Data protection awareness is on the rise in Nigeria, with special attention being paid to non-compliant organizations as more people become data protection conscious. Therefore, the need for data controllers to ensure necessary measures are in place to forestall data breach incidents cannot be over-emphasized.
Footnotes
1 Prior to the release of the NDPR in 2019, several general and sector-specific pieces of legislation on data protection existed, which include The Consumer Code of Practice Regulation, 2007, The Consumer Protection Regulations, 2019, The Regulatory Framework for the Use of USSD, 2018, The Credit Reporting Act, 2017, The National Health Act, 2014, Freedom of Information Act, 2011, etc.
2 This used to be the responsibility of the Nigeria Information Technology Development Agency (NITDA) until the creation of the NDPB in February 2022 to solely focus on data privacy and protection in Nigeria.
3 See generally Paragraph 3.2 of the NDPR Implementation Framework, 2020
4 The penalties for breaching a data subject's rights are enshrined in Paragraph 2.10 of the NDPR