The Nigeria Data Protection Act 2023 (the "NDPA" or the "Act") creates certain compliance obligations for data controllers and data processors. While some of the compliance requirements stipulated under the Act are already being implemented, concerted and preparatory efforts are being made by the sector regulator for full implementation of other compliance requirements. These preparatory efforts include setting up structures for enforcement, design and deployment of online platforms, issuance of guidelines, etc. This piece analyses compliance requirements of data controllers and data processors for the year 2024 vis-à-vis the provisions of the NDPA and the implementation drive of the Nigeria Data Protection Commission (NDPC or the Commission).

Data Protection Compliance Requirements for the Year 2024

The NDPA creates a distinct category of data controllers and data processors known as data controllers of major importance (DCMI) or data processors of major importance (DPMI). According to the NDPC, the criteria for determining organisations that could be categorized as DCMIs or DPMIs will be enumerated in the NDPA General Application and Implementation Directive (NDPA GAID) soon to be issued by the Commission. Based on information obtained from the NDPC, it is expected that the threshold for audit filing stipulated under Art. 4.1(5) and (6) of the Nigeria Data Protection Regulation (NDPR) will play a minimal role in determining the designation of any organization as a DCMI or DPMI under the NDPA GAID. Rather, the nature of personal data processed by such organizations and the purpose for such processing activities will constitute the key determining factors.

Depending on the nature and volume of processing activities of any organization, key compliance requirements for such an organization for year 2024 are highlighted below:

1. Registration of Data Controllers and Data Processors

Section 44 of the NDPA creates an obligatory requirement for registration of DCMIs and DPMIs. Any organisation that operates as a DCMI or a DPMI is required to register with the NDPC within the timeframe to be communicated by the NDPC as indicated above. As part of preparatory steps towards enforcement of compliance requirements stipulated under the NDPA, the NDPC, on the 11th of January 2024, held a stakeholders' workshop with Data Protection Compliance Organizations (DPCOs) concerning the registration of DCMIs and DPMIs.

Upon deployment of the registration platform by the NDPC, DCMIs and DPMIs may individually proceed with the registration or secure the assistance of a DPCO for that purpose.

DPCOs will also be required to register as Data Controllers/Processors of Major Importance with the NDPC in fulfillment of their obligations under the NDPA and the Code of Conduct for licensed Data Protection Compliance Organizations issued by the NDPC in December 2023.

2. Designating a Data Protection Officer with Requisite Skill and Expertise

DCMIs and DPMIs will be required to submit the names and data privacy certifications of their Data Protection Officers as a requirement for registration. This aligns with section 32(1) of the NDPA which provides that "a data controller of major importance shall designate a Data Protection Officer with expert knowledge of data protection law and practices, and the ability to carry out the tasks prescribed under this Act and subsidiary legislation made under it".

Based on information obtained from the NDPC, there are indications that the NDPC is working on standardizing the certification process for Data Protection Officers in Nigeria and that certain international privacy certifications will be acceptable for this purpose.

3. Data Protection Compliance Audit and Filing of Audit Returns For 2023 cycle

As part of the data protection regulatory compliance requirements in Nigeria, data controllers and processors are required to conduct periodic and comprehensive audits of their privacy and data protection framework and practices.

The annual filing of Data Protection Compliance Audit Returns (CARs) is a legal obligation for data controllers and data processors under the NDPR (see also Article 6.1 of the NDPR Implementation Framework). This statutory obligation is preserved under the NDPA by virtue of section 64(2)(f) of the said act, which provides that "all orders, rules, regulations, decisions, directions, licenses, authorizations, certificates, consents, approvals, declarations, permits, registrations, rates, or other documents that are in effect before the coming into effect of this Act and that are made or issued by the National Information Technology Development Agency or the Bureau shall continue in effect as if they were made or issued by the Commission until they expire or are repealed, replaced, reassembled, or altered."

Thus, all data controllers and data processors who meet the prescribed minimum thresholds under the NDPR are statutorily obligated to conduct a data protection audit and file an audit report in the manner stipulated under the NDPR. Data controllers and data processors that meet the prescribed minimum thresholds are as follows:

a. Organizations that process the data of more than 1000 data subjects in a period of 6 months. Such organizations are required to file compliance audit returns with the NDPC.

b. Organizations that process the personal data of more than 2000 data subjects within a period of 12 months. For this category, there is a legal obligation to file CARs annually and the deadline for filing is the 15th day of March each year.

Data Protection Audit can be carried out through a licensed DPCO. Upon completion of the audit, the DPCO will issue an audit report, endorse same with an Audit Verification Statement and file it with the NDPC.

Data Protection Audits are targeted at identifying gaps in the data privacy and protection compliance framework of your organization, and providing practical solutions for remediation of such gaps and process improvement. It is important to arrange for a data protection audit for your organization today in order to ensure full compliance with the NDPR and NDPA and avoid sanctions that may be imposed by the sector regulator and other regulatory consequences.

4. Compliance Memorandum

In the Guidance Notice issued by the NDPC on the 15th day of November 2023, the NDPC stated that data controllers and processors may outline a time-bound intention to regularize their data processing activities in line with the NDPA in a Memorandum. The Memorandum could be sent to the NDPC as part of the CAR not later than 31st of March, 2024. The time permitted to file the Memorandum is, however, not an extension of the time to file CARs.
