31 January 2025

Staying Ahead Of The Curve: Navigating Nigeria's Data Protection Compliance Landscape

Pavestones Legal

Pavestones is a modern, full-service, female-led law practice with a particular focus on technology and innovation. The practice was born out of a desire to meet the legal requirements of businesses by adopting a modern, cost-effective and less archaic approach. Our key practice areas are Corporate and Commercial, Technology and Innovation, Data Protection and Compliance Services, Energy and Natural Resources, and Banking and Finance.

Introduction

The Nigeria Data Protection Act 2023 (NDPA) is the primary legislation that governs the privacy and protection of Personal Data of natural persons in Nigeria. Modelled in many respects after the General Data Privacy Regulation (GDPR) of the European Union, the NDPA and subsidiary legislation such as the Nigeria Data Protection Regulations (2019) establish substantial compliance requirements for organisations or persons that control and process Personal Data.

In this Newsletter we summarise some of these regulatory compliance requirements.

What are the Key Concepts in Data Privacy?

A Data Controller is a person or entity that determines the purposes and means of processing Personal Data. A Data Controller usually has a direct relationship with the Data Subject and is accountable for the protection and privacy of the Personal Data of that Data Subject. Examples of Data Controllers include government agencies; e-commerce businesses, which typically hold customer data; healthcare providers holding patient data; and educational institutions holding student data.

A Data Processor is a person that processes Personal Data on the instruction of a Data Controller. Processing covers a range of activities, such as collection, storage, use, disclosure, arrangement and structuring, and modification. Examples of Data Processors include marketing agencies, financial service companies, e-learning platforms, telecommunication service providers, and courier service providers that process Personal Data on the instruction of a Data Controller. A Data Controller may also be a Data Processor.

Personal Data refers to any information that relates to an identified or identifiable natural person (human being) and may include name, address, contact information, identification numbers and biometric data. The natural person to whom the information relates is known as the Data Subject.

Key Regulatory Compliance Requirements for Data Controllers and Processors

1. Annual Data Protection Compliance Audits:

The NDPA requires Data Controllers and Processors that process the Personal Data of more than 2,000 Data Subjects within a 12-month period (or more than 1,000 Data Subjects within a 6-month period) to conduct annual data protection audits not later than the 15th of March of the following year. Such audits must be conducted by a Data Protection Compliance Organisation (DPCO) licensed by the Nigeria Data Protection Commission (NDPC) and must be completed and filed by the deadline stated by the NDPC. Upon the filing of an audit and after a satisfactory review by the NDPC, Trustmarks are issued to the organisations that have complied with this provision.

2. Registration as Data Controller/Processor of Major Importance

A Data Controller/Processor qualifies as Data Controller/Processor of Major Importance (DCPMI) and is required to register with the NDPC within six (6) months, if it meets any of the following criteria:

  • has access to a filing system and processes Personal Data of more than 200 Data Subjects in a six (6) month period; or
  • provides commercial Information Communication Technology (ICT) services on any digital storage device with a storage capacity owned by another; or
  • processes Personal Data in the financial, communication, aviation, tourism, oil and gas, import and export, education, health, insurance and electric power industries; or
  • is in a fiduciary relationship with a Data Subject, pursuant to which it is expected to keep confidential information on the Data Subject's behalf.

The categories of DCPMI are:

  • Major Data Processing-Ultra High Level
  • Major Data Processing-Extra High Level
  • Major Data Processing-Ordinary High Level

3. Data Protection Impact Assessment

Data Controllers must conduct a Data Protection Impact Assessment (DPIA) to assess and identify any security risk associated with their data processing activities. This assessment should be conducted regularly on their processes, services and technology to ensure that they remain compliant with data protection laws.

A DPIA is typically required where there is a change in processing activities involving automated decision-making with legal or significant effects on the Data Subject's rights; evaluation or profiling; sensitive Personal Data; systematic monitoring; application of new technological solutions or deployment of innovative processes; and processing of Personal Data in relation to vulnerable Data Subjects.

4. Designation of a Data Protection Officer

A DCPMI must appoint a Data Protection Officer (DPO) with knowledge of data protection and privacy laws who will carry out the tasks prescribed under the NDPA. The DPO may be an employee of the organization or engaged by a service contract.

5. Data Breach Notification

Data Controllers must notify the NDPC within 72 hours of becoming aware of a breach of Personal Data which is likely to impact the privacy rights of individuals. Data Subjects should also be notified of such breach.

6. Management of Data Subject Rights

Data Controllers and Processors must implement mechanisms to adequately respond to Data Subjects' requests and ensure that such mechanisms are effective. The NDPA outlines specific rights of Data Subjects, which include the right to access, rectification, erasure, and portability of their Personal Data.

7. Implementation of Data Security Measures

Data Controllers and Data Processors must implement adequate technical and organisational measures to protect the Personal Data of Data Subjects from unauthorised access, loss, or alteration. These measures may include encryption, regular security assessments, and training of employees to guard against data breaches and other vulnerabilities.

8. Keeping Record of Processing Activities

Data Controllers and Processors must maintain detailed records of their processing activities. This includes documenting the purposes of data processing, categories of Personal Data, and third parties with whom Personal Data is shared. This record should be available for inspection by the NDPC upon request.

9. Conduct of Regular Staff Training and Awareness Programmes

Data Controllers and Processors must provide regular data protection training for employees, particularly those involved in data processing activities. This will help to foster a culture of privacy and ensure all staff are aware of their obligations under the NDPA.

Penalties for Non-Compliance

Non-compliance with the NDPA can result in significant penalties:

  • For DCPMIs: Fines up to 2% of annual gross revenue or NGN 10,000,000, whichever is greater.
  • For Data Controllers and Processors that are not DCPMIs: Fines up to NGN 2,000,000 or 1% of their annual gross revenue, whichever is greater.

Additionally, violations may result in imprisonment for up to one year. Both fines and imprisonment may be applied either alternatively or together upon conviction.

Conclusion

As businesses and organisations engage in data processing activities, compliance with data privacy and protection regulations is crucial. Adherence to the NDPA ensures that entities protect the Personal Data of individuals and avoid potential sanctions from the Nigeria Data Protection Commission (NDPC), the regulatory authority for data privacy and protection in Nigeria. It is essential for businesses to assess their compliance status regularly and take proactive measures to meet the requirements of the NDPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
