With more organisations migrating their functionalities online, the Nigerian Data Protection Regulations ("NDPR"), issued by the National Information Technology Development Agency ("NITDA") on the 25th of January 2019, could not have come at a more crucial time.
Further to the NDPR, and on recommendations by stakeholders, NITDA on 11th July 2019 released a draft implementation framework ("Draft Framework") informing individuals and corporations of the compliance requirements1.
We considered the NDPR in a previous article and now examine some of the notable provisions of the Draft Framework below.
1. Appointment of Data Protection Compliance Organizations ("DPCOs").2
The NDPR requires organisations to carry out an audit of their data protection practices3. The Draft Framework has now provided that the audit would be conducted by the DPCOs who have been licensed by NITDA and are published on the NITDA website.
The DPCOs will also train, consult and render services and products, to aid compliance with the NDPR or any foreign data protection law or regulation that might affect Nigeria.
2. NITDA's Compliance Strategy4
The Draft Framework has hinted at the possible compliance strategy that NITDA might undertake in effecting compliance with the NDPR. NITDA will expect the cooperation of organisations and, where required, it will provide technical assistance to organisations.5 Other strategies include proactive self-reporting by organisations to show compliance with the NDPR. NITDA will also monitor and evaluate data provided by organisations to identify patterns of non-compliance.6
3. NITDA's Enforcement of the NDPR7
NITDA will likely enforce the NDPR by surveillance – careful monitoring of organisations to identify a breach, investigation of complaints, imposition of administrative sanctions or the pursuit of criminal prosecution.
If a data breach affects national security, NITDA may seek a fiat of the Attorney General of the Federation (HAGF) or file a petition with any sanctioning authority in Nigeria.
4. Guidelines on Digital Consent
The Draft Framework attempts to specify the forms that digital consent may take, to ensure that Data Subjects are adequately protected at all times. The three types of consent identified are express, implied and opt-out consent.8 It is worth noting that the guideline shuns the 'opt-out' approach as a type of consent.
The Draft Framework provides that express consent must be sought in respect of Cookies.9 It thereafter states that while express consent is necessary, the continued use of a website that has met particular requirements would also suffice as consent.
5. Preparing a Data Audit Report10
Data Controllers processing over 2000 Data Subjects are expected to submit an audit report11 to NITDA annually, and the report is to be submitted on or before the 15th of March each year. A template of the audit report is provided in the Draft Framework.
6. Transfer of Data Abroad12
The Draft Framework provides that NITDA will be responsible for coordinating data transfer requests with the office of the Attorney-General of the Federation, and for compiling and publishing a 'white-list' of jurisdictions with an adequate level of data protection.
However, a Data Controller seeking to transfer to a jurisdiction outside of the white list must ensure that there is verifiable documentation of consent.
7. Reporting of Data Breach13
The NDPR requires organisations to carry out an audit of their policies and procedures for monitoring and reporting violations of privacy and data protection policies.14 On this note, Data Controllers and Administrators are required to self-report Data Breaches.
While the Draft Framework is a leap in the right direction, NITDA continues to welcome comments and contributions from stakeholders, ahead of the final draft.
It is our hope that the Agency will take these contributions into consideration, and ensure they produce a document that makes for easy enforcement and compliance.
1. Nigeria Data Protection Regulation 2019: Draft Implementation Framework
2. Article 2 (Compliance and Enforcement) Nigeria Data Protection Regulation 2019: Implementation Framework
3. Regulation 4.1 (5) of the Nigeria Data Protection Regulation
4. Article 3 and 3.1 Nigeria Data Protection Regulation 2019: Draft Implementation Framework
5. NITDA may provide technical assistance to concerned entities to help them comply voluntarily with the applicable provisions.
6. The compliance framework will ensure the proactive monitoring and evaluation of data provided by concerned entities by utilizing analytic tools to identify patterns that reflect non-compliance
7. Articles 5 and 6 Nigeria Data Protection Regulation 2019: Draft Implementation Framework
8. You are deemed to have given consent by failing to 'opt-out'
9. A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information about you, similar to a preference file created by a software application. While cookies serve many functions, their most common purpose is to store login information for a specific site.
10. Article 9 Nigeria Data Protection Regulation 2019: Draft Implementation Framework
11. The content of the data protection audit report is specified in Article 3.1(7) of the Regulation
12. Article 10 Nigeria Data Protection Regulation 2019: Draft Implementation Framework
13. Article 11 Nigeria Data Protection Regulation 2019: Draft Implementation Framework
14. Regulation 4.5(i) of the Nigeria Data Protection Regulation