The introduction of the Nigeria Data Protection Regulation ('NDPR') issued by the National Information Technology Development Agency ('NITDA') in January 2019 has created a shift in how organisations process personal information. As most entities deal with natural persons, they must ensure compliance. To do that, we have listed specific steps that they must undertake in relation to data protection compliance:

Step One

Determine the processing activities of the organisation.

The NDPR1 has defined processing as any operation or set of operations which is performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Identify the type of personal data that are collected and the nature of processing. The identification would assist in determining the most effective means to comply with the NDPR.

Step Two

Ascertain whether the organisation is a data controller or a data administrator/processor.

A data controller is one who determines the purpose and manner in which personal data is to be processed.2 On the other hand, a data administrator simply processes data3.

Identify the circumstances where your organisation is a data controller or administrator/processor, as most obligations are imposed on the data controller. The data controller has the responsibility to ensure that the consent of the data subject is obtained without fraud, coercion or undue influence, and is liable for any breach of the NDPR.4 As such, the data controller will be liable for a violation done by a data administrator/processor. Also, depending on the circumstance, the data controller or the processor may be responsible for the actions and inactions of any third party.5

Step Three

Appoint a Data Protection Officer (DPO)

As a data controller, an organisation must appoint a DPO6. The DPO may be an individual or any entity. The duty of the DPO is to ensure that the organisation complies with the provision of the NDPR.

Step Four

Assess your organisation's processing activities

Conduct an assessment of the organisation's processing activities to determine the necessary steps to ensure alignment with the NDPR. Questions such as the following, should be addressed:

  1. How is data collected?
  2. Which department receives such data?
  3. Why does the organisation process such data?
  4. What will be the legal basis for processing such data?
  5. What are the security measures taken by the organisation to prevent data breach?

Step Five

Begin Implementation of the NDPR

To implement the NDPR, an organisation should adopt the following within the stated timelines:

  • Make available the data protection policies (such as the privacy policy) for the general public. This should have been carried out since 25th April, 2019.
  • Conduct an audit of the organisation's privacy and data protection practices on or before the 25th of July, 2019.
  • Where an organisation is a data controller and it processes personal data of more than 1000 people in 6 months, it should submit a summary audit to NITDA. No compliance timeline was indicated for this obligation in the NDPR.
  • Where an organisation is a data controller and it processes personal data of more than 2000 people in a year, it must submit an audit to NITDA on the 15th of March 2020 and the 15th March of every subsequent year.

In closing, it should be noted that the mass media and civil society have been given the right to uphold accountability and foster the objectives of the NDPR.7


1. Regulation 1.3 (r) of the NDPR

2. Regulation 1.3 (g) of the NDPR

3. Regulation 1.3 of the NDPR

4. Regulation 2.10 of the NDPR

5. Regulation 2.4 (b) of the NDPR, A third party is any natural or legal person, public authority, establishment or any other body other than the Data Subject, the Data Controller, the Data Administrator and the persons who are engaged by the Data Controller or the Data Administrator to process personal data.

6. Regulation 3.1.2 of the NDPR

7. Regulation 3.1.8 of the NDPR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.