Privacy & Data Protection
10th September 2020.
Understanding Nigerian Data Protection Compliance Requirements and Managing Breach
The dawn of the Nigerian Data Protection Regulation (NDPR)2 on 25th January 2019 sent waves across the various sectors of the Nigerian economy, creating awareness of data protection and privacy issues and, in the process, an appreciation of the means of regulating the collection and processing of data. The NDPR was established to regulate those who have access to and control over people's data. Prior to the NDPR, provisions existed in a few laws which protected certain information or data from unlawful use.3 However, unlike the NDPR, these provisions were ambiguous, inadequate, and ineffective in imposing sanctions and ensuring compliance in the event of a data breach. Thus, the introduction of the NDPR by the National Information Technology Development Agency (NITDA) was a much-needed remedy for data protection in Nigeria.
Although subsidiary legislation, the NDPR is currently Nigeria's most comprehensive law on data protection. It contains various provisions regulating the collection and processing of data in Nigeria. Nevertheless, having laws is one thing; ensuring compliance is another. With regard to the latter, NITDA has been quite proactive, subsequently releasing the Nigeria Data Protection Regulation 2019: Implementation Framework (the Draft Framework) in July 2019 to help organizations comply with the NDPR.
Also, NITDA's conspicuously stringent activities in ensuring compliance have made it one of the most feared government agencies across various sectors. For instance, after postponing the deadline for the mandatory Data Compliance Audit from July 2019 to October 2019, NITDA issued non-compliance notices to 100 defaulting companies in December 2019.4 NITDA's investigations of LIRS,5 Immigration, banks, telcos and TrueCaller6 for breach evidence its seriousness in enforcing the NDPR. Given the stringent penalties and the expensive costs incurred as a result of data breaches and non-compliance, it is necessary that organizations involved in data collection and processing comply effectively with the NDPR and NITDA directives.
Compliance under the NDPR and the Draft Framework
Compliance with data protection laws improves the trust between businesses and their customers. It also prevents the company from incurring expensive costs in the form of fines, litigation expenses, public embarrassment, and a bad reputation. Data protection compliance involves understanding not only a company's policies, contracts, and legal engagements but also its information technology, security, audit, and operational systems.7
The NDPR imposes several responsibilities on data controllers and processors to enable them to lawfully obtain and process data. The Draft Framework further explicates the procedures to employ for successful compliance. For a data controller or processor to successfully comply with the provisions of the NDPR, they must take the following into cognizance:
a) Consent of the Data Subject
A data subject's consent is arguably the most integral requirement for obtaining and processing data. To do this lawfully, data controllers and processors must first seek the consent of the data subject without undue influence, fraud, or coercion.8 Usually, consent is obtained through clear, unambiguous data privacy policies to which the data subject has agreed. Consent must be given expressly, as implied consent is no consent. Furthermore, such data is obtained subject to certain rights granted to the data subject.9
b) Data Protection Audit
The NDPR mandates all organizations that process the personal data of more than 1000 data subjects in a period of 6 months and 2000 Data Subjects in a period of 12 months to submit a Data Protection Audit report to NITDA not later than 15th March every year.10 This involves the organization's audit of its data privacy and protection practices. Audits are meant to show that the data controller or processor complies with the law. The audit should state:
- The data the organization collects on its employees and members of the public
- The purpose for which such data is collected
- Notice given to individuals regarding the collection and use of their personal information
- The access given to individuals to review, amend, correct, supplement, or delete such data
- Whether or not the consent of these individuals was obtained before collecting, using, transferring, or disclosing these data; and the methods employed to obtain consent.
- The policies and practices of the organization for the proper use and security of these data.
- Organization policies and procedures for privacy and data protection.
- The policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies.11
Data Controllers should also audit third party processor contracts which require the transfer of personal data to such third parties.
Flowing from the above, it is obvious that compliance is not a one-off obligation but a continuing activity for data controllers and processors in Nigeria. Failure to file these returns with NITDA is deemed a breach of the NDPR.12 A complete data protection audit results in the synchronization of all the company's processes so that all data passing through its systems is handled without compromising data integrity or infringing on the privacy of the data owners.13
The Draft Framework provides an audit template. To comply effectively with this provision, organizations may seek the help of a licensed Data Protection Compliance Organisation (DPCO).14
Please note that every Data Audit Report (DAR) must be accompanied by a Verification Statement by the DPCO.15
c) Data Protection Compliance Organisations (DPCOs)
DPCOs are a new crop of data protection professionals established by the NDPR.16 They are integral to ensuring compliance with the NDPR amongst organizations. According to the Draft Framework, DPCOs are professionals licensed to provide auditing and compliance services for data controllers. Apart from law firms, professional service consultancy firms, IT service providers, and audit firms may apply to NITDA to be licensed as DPCOs once they can show that they have data protection certification or experience in data science, data protection and privacy, information privacy, information audit, data management, information security, data protection legal services, information technology due diligence, EU GDPR implementation and compliance, cyber security/cyber security law, data analytics, or data governance.
DPCOs also provide data protection and privacy training and advisory services, and draft regulatory contracts, Data Protection Impact Assessments, etc.17 The list of licensed DPCOs can be accessed on the NITDA website.
d) Data Protection Officers (DPOs)
The regulation also mandates every data controller to employ a Data Protection Officer within its organization or to outsource this role to a verifiably competent firm or person. DPOs ensure adherence to the NDPR, relevant data privacy instruments and the data protection directives of the data controller. The Draft Framework goes on to stipulate the situations in which a DPO is required.18
e) Privacy Policies (Notices)19
f) Database Security and Cyber-Defense
It is not enough for data controllers and processors to lawfully obtain data; they must also develop standard security systems to protect the data in their possession. They should employ cyber-security experts to protect their databases from hackers, firewall breaches, etc.20 They should also put structures in place to prevent their employees from mishandling client data.
g) Conduct Internal Data Protection Training
To ensure data protection compliance amongst their members of staff, organizations should ensure that staff are professionally trained in the field of data privacy and protection. They may organize data protection training for them, inviting DPCOs in the process. This way, their employees, especially those specifically responsible for processing data, e.g. HR personnel, would be enlightened on how to prevent data breaches.
h) Inventory of Processing Activities
This is aimed at achieving accountability and compliance. It is recommended that data controllers and processors keep an inventory of all personal data and state the processing it undergoes, or keep an inventory of processing activities and the data involved in each.21
i) Data Protection Impact Assessment (DPIA)
Although not mentioned in the NDPR, the DPIA is mentioned in the Draft Framework. It is a procedural import from the EU GDPR. DPIAs are used where the processing of data is likely to result in a high risk to the data subjects.22 A DPIA is usually prepared by a DPCO for a data controller in order to identify and minimize the likely risks of processing data. Even though, unlike under the EU GDPR, it is not mandatory, it is highly recommended.
A data breach is an accidental or unlawful incident that exposes confidential or protected information or results in the loss or theft of customers' bank account or credit card details, personal health information, passwords, or email. Non-compliance with the NDPR may also constitute a breach.
If you are a data controller or processor who has endeavored to comply with the relevant laws but a breach still occurs, whether through your negligence or unforeseen circumstances, you need to take decisive remedial action.
Notify NITDA of Breach Immediately!
Where a breach occurs, it is essential that you notify NITDA immediately. According to the NDPR, where a data breach is reported and the data controller is found guilty, a controller dealing with fewer than 10,000 data subjects is liable to a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of N2,000,000 (whichever is greater). On the other hand, a controller of more than 10,000 data subjects is liable to a fine of 2% of the annual gross revenue of the preceding year or payment of the sum of N10,000,000 (whichever is greater).23
However, where the data controller self-reports the breach, this is a major consideration in determining the amount of the fine to be levied. The report must be made within 72 hours of becoming aware of the breach.24
Where a complaint of breach is filed,25 NITDA, through an Administrative Redress Panel,26 will commence an investigation. The investigation may take the form of a special audit check or "spot check", or a review of the policies, procedures, or practices of the subject of the complaint and the circumstances of the alleged violation. Where there is prima facie evidence of breach, NITDA will request a response from the violator to the allegations against them. If NITDA remains satisfied that a breach has occurred, it will issue a Notice of Enforcement.27 NITDA may also issue an administrative fine or penalty. Depending on the circumstances, NITDA may issue a public statement warning the public against dealing with the violator. The NDPR prescribes that this whole process must be concluded within 28 working days.28 If the violator fails to take steps to address the breach, NITDA may file a Petition or Notice of Prosecution with the Attorney General's office for the violator to be criminally prosecuted.
If unsatisfied with the decision of the Administrative Redress Panel, the alleged violator may challenge their decision in court.
Other remedial steps that should be taken in the event of a data breach involve the following:
- Engage DPOs and DPCOs for data protection professional advisories and to perform a system/data management investigation, and audit.
- Engage cybersecurity/information security professionals to conduct forensics, risk/impact analysis and to boost the company's cybersecurity.
- Engage security operatives and law enforcement agents to bring the cyber-criminals to book.
So far, following an active 2019 in the enforcement of the NDPR by NITDA, enforcement in 2020 has seemed slow and relaxed. This can be attributed to the prevailing public safety and health concerns occasioned by the global outbreak of the COVID-19 pandemic which has seen NITDA extend the deadline for requisite organisations to file the mandatory Data Protection Audit Report from 15th March 2020 to 15th May 2020 and subsequently 30th June 2020.29
Nonetheless, the importance of an organisation's compliance with the NDPR and other data protection laws transcends the statutory requirements for compliance. The value and reputation of the organization is equally at stake in the event of a data breach. Therefore, it is pertinent organizations take data protection compliance seriously.
Moreover, apart from preventing customers' data from falling into the wrong hands, compliance helps to maintain investors' and the public's trust in the organization. For instance, according to a Ponemon study commissioned by Centrify, 65% of persons whose personal data were breached lost trust in the organization that experienced the data breach.30
1 Associate Intern, SPA Ajibade and Co., Lagos, Nigeria.
2 A regulation made by NITDA pursuant to Section 6 of the NITDA Act, available on https://nitda.gov.ng/wp-content/uploads/2019/01/NigeriaDataProtectionRegulation.pdf accessed on 27th January 2020.
3 Some of these laws include the Constitution of the Federal Republic of Nigeria 1999 (as amended), Nigerian Communications Commission Act 2004, CBN Consumer Protection Framework 2016, Freedom of Information Act 2011, and the Cybercrimes (Prohibition, Prevention, etc.) Act 2015.
4 Nigeria Communications Week, "NITDA Issues 100 Firms Data Protection Non-Compliance Notice" (13th December 2019) available on https://www.nigeriacommunicationsweek.com.ng/nitda-issues-100-firms-data-protection-non-compliance-notice/ accessed on 14th March 2020.
5 Fakoyejo Olalekan, "LIRS Under Investigation After Dumping Taxpayers' Data Online" (28th December 2019) available on https://nairametrics.com/2019/12/28/lirs-under-investigation-after-dumping-taxpayers-data-online/ accessed on 14th March 2020.
6 NITDA, "Press Statement: NITDA Commences Investigation Into Potential Breach of Privacy Rights of Nigerians by the TrueCaller Service" (4th October 2019) available on https://nitda.gov.ng/press-statement-nitda-commences-investigation-into-potential-breach-of-privacy-rights-of-nigerians-by-the-truecaller-service/ accessed on 15th March 2020.
7 Enyioma Madubuike, "What Is Really Happening In The Nigerian Data Compliance Space" (21st November 2019) available on https://techpoint.africa/2019/11/21/ndpr-what-is-happening/ accessed on 14th March 2020.
8 Art.2.2 and 2.3 NDPR 2019.
9 Right to Information, Right to Access, Right to Rectification, Right to Erasure, Right to Restrict Processing, Right to Data Portability, Right to Object, Right Related to Automated Decision Making.
10 Art. 4.1 (5) and (6) NDPR 2019.
11 Art. 4.1 (5) NDPR 2019.
12 In December 2019, NITDA issued Non-Compliance Notices to 100 companies who defaulted in filing these returns at the prescribed time.
13 Enyioma Madubuike, "What Is Really Happening In The Nigerian Data Compliance Space" (21st November 2019) available on https://techpoint.africa/2019/11/21/ndpr-what-is-happening/ accessed on 14th March 2020.
14 At the time the author wrote this paper, the filing fee for fewer than 10,000 Data Subjects was N5,000; for 10,000-50,000 Data Subjects, N10,000; and for more than 50,000 Data Subjects, N20,000. Available on http://taxtech.com.ng/download/NDPR-Overview-and-Business-Implications-by-Olufemi-Daniel-Desk-Officer-NDPR.pdf accessed on 16th March 2020.
15 Olufemi Daniel, "NDPR Overview and Business Implications" (September 2019) available on http://taxtech.com.ng/download/NDPR-Overview-and-Business-Implications-by-Olufemi-Daniel-Desk-Officer-NDPR.pdf accessed on 15th March 2020.
16 Although, similar professionals exist under the EU General Data Protection Regulation (GDPR).
17 Art. 4.1 (4) NDPR; Art. 3.1 Draft Framework 2019.
18 Art. 3.2 Draft Framework 2019.
20 Art. 2.6 NDPR 2019.
21 Olufemi Daniel, "NDPR Overview and Business Implications" (September 2019) available on http://taxtech.com.ng/download/NDPR-Overview-and-Business-Implications-by-Olufemi-Daniel-Desk-Officer-NDPR.pdf accessed on 15th March 2020.
22 Blazon Online, "Data Protection Impact Assessments – What, When and How?" (2nd February, 2020) available on https://blazon.online/privacy/data-protection-impact-assessments-what-when-and-how/ accessed on 15th March 2020.
23 Article 2.10 of the NDPR 2019.
24 Olufemi Daniel, "NDPR Overview and Business Implications" (September 2019) available on http://taxtech.com.ng/download/NDPR-Overview-and-Business-Implications-by-Olufemi-Daniel-Desk-Officer-NDPR.pdf accessed on 15th March 2020.
25 Art. 15.1.2 of the draft framework prescribes that such complaints must be filed in writing, either on paper or electronically. Such complaint must state the name of person that is subject of complaint and describe the acts or omissions that violated the provisions of the NDPR.
26 Art. 4.2 NDPR 2019.
27 This notice is to cite the specified breach and demand mandatory compliance within a specific time frame from the date of the service of notice.
28 Art. 4.2 NDPR 2019.
29 Andersen Tax, "NITDA Further Extends Deadline For Filing Of Data Protection Audit Report To 30th June 2020" (12th May 2020) available on http://andersentax.ng/nitda-further-extends-deadline-for-filing-of-data-protection-audit-report-to-30th-june-2020/ accessed on 19th May 2020.
30 Ponemon Institute LLC, "The Impact of Data Breaches on Reputation and Share Value" (May 2017). Available on https://www.centrify.com/resources/the-impact-of-data-breaches-on-reputation-and-share-value/
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.