In our previous newsletter, we highlighted the key provisions of the recently signed Nigeria Data Protection Act 2023 (NDPA 2023). Following the passage of the NDPA 2023, which builds on the Nigeria Data Protection Regulation 2019, it is vital that companies which process the personal data of their customers assess their data processing activities against the NDPA. This ensures good data protection practice and avoids penalties which could be as high as 2% of annual gross revenue. In this newsletter, we set out some steps companies should take to ensure proper compliance with the NDPA 2023.
1. Seeking Consent
Companies are responsible for proving that their customers gave their consent for their personal data to be processed. The following about consent must be noted:
- Consent must be freely and intentionally given, and it cannot be a condition for fulfilling a contract or providing a service if it is not necessary for that purpose.
- Silence or inactivity does not count as consent;
- The customer must be informed of their right to withdraw their consent before giving it, and withdrawing consent does not affect the lawfulness of any processing that happened before the withdrawal;
- Consent must be given through a clear affirmative act, not through pre-ticked boxes or other pre-selected confirmation, and can be provided in writing, orally or through electronic means;
- requests for consent must be in clear and simple language and in an accessible
- Minors or persons lacking capacity to consent: if a customer is a child or lacks the legal capacity to consent, a company must obtain consent from the parent or legal guardian before relying on consent under the NDPA 2023. The company must use appropriate mechanisms to verify age and consent, such as requesting government-approved identification documents. However, this requirement does not apply if the processing of the person's data is necessary to protect the vital interests of the child or person lacking legal capacity, is carried out for education, medical or social care purposes by a professional or similar service provider with a duty of confidentiality, or is necessary for court proceedings relating to the individual.
2. Appointing a Data Protection Officer
Any company that meets any of the following criteria is expected to appoint a Data Protection Officer (DPO) within 6 months of commencing operation. If the company:
- processes personal information of over 10,000 Nigerians;
- processes sensitive personal information in the regular course of its business;
- processes critical national information; or
- is a government agency or ministry.
The DPO must be knowledgeable in data protection and will be responsible for monitoring compliance with the NDPA 2023; advising management, employees and third parties with access to personal information; and acting as the primary contact person for the Nigeria Data Protection Commission (NDPC). Companies may outsource the duties of a DPO to a Data Protection Compliance Organisation (DPCO).
3. Conducting Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a process carried out by the DPO to assess and minimise the risks arising from a data processing activity. Where a company is launching a new business process or activity that involves the use of sensitive personal information or large-scale processing of personal information, it is advisable for the DPO to carry out a DPIA to identify, evaluate and minimise the data protection risks before the processing begins. This helps the company address the risks in its processes and ensures continuous compliance with the NDPA. Where the result of a DPIA indicates that the processing would result in a high risk to the rights and freedoms of data subjects, the company must consult the NDPC before processing the personal data.
4. Carrying Out Regular Internal Audit
Companies may monitor their level of data protection compliance by carrying out periodic internal audits of their data protection practices to map their data processing activities, identify gaps and improve their protective measures.
5. Data Processing Agreements with Third Parties
The NDPA 2023 provides that there must be a written data processing agreement between a company which collects the data of their customers and third parties which process the customers' data at the company's request (i.e., data processors). The NDPA 2023 also imposes a duty on such a company to ensure that third party processors abide by its provisions.
6. Conducting Periodic Due Diligence on Third Parties
Companies are responsible for the actions of their data processors. Consequently, companies are expected to conduct periodic due diligence on these data processors to ensure that their data processing practices are in line with the NDPA 2023.
7. Yearly Data Audit Submission
All companies that collect or process the personal information of over 1,000 individuals are required to submit to a yearly data protection audit by a DPCO. The DPCO will review the company's data protection documentation, assess its systems and practices and assess the knowledge of its staff before providing recommendations. The DPCO will thereafter submit a summary of the audit to the NDPC not later than the 15th of March of the following year.
Penalty Fees Under the NDPA 2023
Where a company breaches the provisions of the NDPA 2023, the NDPC may issue an enforcement order requiring it to pay a penalty fee. The following penalty fees under the NDPA will apply:
- For 'Data Controllers and Data Processors of Major Importance', a fine equal to 2% of their annual gross revenue of the previous year or a sum of ₦10 million, whichever is greater.
- For 'Data Controllers and Data Processors Not of Major Importance', a fine equal to 2% of their annual gross revenue of the previous year or a sum of ₦2 million, whichever is greater.
A Data Controller or Data Processor of Major Importance means:
- A company that is domiciled, resident or operating in Nigeria and processes, or intends to process, the personal data of more data subjects within Nigeria than the threshold number prescribed by the NDPC; or
- one that processes personal data of particular value or importance to Nigeria's economy, society, or security (as designated by the NDPC).
In conclusion, it is important for companies to continuously monitor their data protection practices to ensure they remain compliant with the NDPA 2023 and to avoid penalties. Just as importantly, doing so protects the data rights of their customers, builds trust with them, and helps the company maintain a strong reputation for data protection compliance within its industry.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.