Introduction
The Nigeria Data Protection Commission ("NDPC" or the "Commission"), exercising its statutory powers under Sections 1(a), 6(c), 61, and 62 of the Nigeria Data Protection Act ("NDPA" or the "Act") 2023, has issued the General Application and Implementation Directive ("GAID").
The GAID seeks to provide certainty of legal obligations in the face of technological advancements, and critical guidance on the practical implementation of the NDPA, outlining fundamental principles and guidelines that govern compliance with the Act's provisions.
By issuing the GAID, the NDPC aims to facilitate a more detailed understanding of the NDPA's requirements and to ensure that data controllers and processors adhere to the statutory framework, thereby promoting a culture of data protection and privacy in Nigeria. The GAID serves as a complementary instrument, offering further specificity and detail on the Act's provisions, and is poised to play a pivotal role in shaping the country's data protection landscape.
Key Provisions of the GAID
Extraterritorial Application of the Nigeria Data Protection Act
Article 1(2) of the GAID clarifies the scope of the application of the provisions of the NDPA, specifically Section 2(c) of the NDPA, to include data controllers or processors not domiciled in Nigeria but processing personal data of Nigerian data subjects or targeting them. This means that foreign entities who do not have a physical presence in Nigeria will also be caught under this net if they process the personal data of those considered to be data subjects under the GAID and the NDPA.
To provide further clarity on the above, Article 1(4) of the GAID describes 4 categories of data subjects who may enjoy data subjects' rights under the NDPA, and to whom data controllers and processors owe an obligation to preserve their privacy rights as follows:
i)Data subjects who are within Nigeria, regardless of nationality or migration status, data subjects within Nigeria's territory are protected;
ii)Data subjects whose data have been transferred to Nigeria;
iii)Data subjects whose data are in transit through Nigeria; and
iv)Nigerian citizens abroad who fall within this scope by virtue of the application of the universal right of privacy under the United Nations Universal Declaration of Human Right (UDHR) and the International Covenant on Civil and Political Right (ICCPR).
Supremacy of the NDPA, Statutory Hierarchy, and Repeal of the NDPR
Article 3 of the GAID reinforces the NDPA's supremacy over other laws and enactments regarding personal data processing. Section 63 of the NDPA establishes a clear hierarchy, ensuring consistency and clarity in applying data protection regulations.
The NDPA's prevalence over other laws means that in cases of inconsistency or conflict, the Act's provisions take precedence over any laws or enactments related to personal data processing. This hierarchy positions the GAID as subordinate to the NDPA, requiring that the Act's provisions prevail in conflicts.
Furthermore, the issuance of the GAID marks the end of the Nigeria Data Protection Regulation (NDPR) 2019 as a legal instrument for regulating data privacy and protection. However, actions taken under the NDPR before the GAID's issuance remain valid, facilitating a smooth transition to the new regulatory framework.
Mandatory Compliance Measures for Data Controllers and Data Processors
Article 7 of the GAID sets out mandatory compliance requirements for data controllers and processors under the NDPA, focusing on structured data governance, transparency, and accountability. Data controllers and processors are required amongst others to:
i)register with the NDPC if they fall within the classification of data controllers or data processors of major importance;
ii)conduct annual compliance audits;
iii)submit compliance audit returns to the NDPC if they fall within the ultra-high or extra-high level categories;
iv)identify their obligations under the NDPA, and create a schedule for compliance with these obligations;
v)maintain detailed reports on data processing activities within their organisations. This report should have details of processing activities done by the organisation within 6 (six) months. Having an up-to-date record of processing activities (RoPA) will help with compliance with this requirement;
vi)develop policies/schedules and systems to monitor and maintain data security, and implement company-wide sensitisation programs to foster a culture of compliance within the organisation;
vii)appoint a data protection officer (DPO), and associate DPOs/privacy champions if needed. The DPO ensures full compliance with the NDPA's requirements, and will also be liaison between the organisation and the NDPC, and data subjects;
viii)draft and have periodic reviews of their privacy policies, and ensure that they are easily accessible, transparent (in that there is full disclosure on the purpose for processing and how data will be processed) and in compliance with the NDPA. To this end, the organisation is expected to display the privacy notices and cookie notices on the homepage of its website, and other platforms where data subjects can access the organisation's services or where data processing is taking place;
ix)conduct data protection impact assessments (DPIAs) when required. By virtue of Section 28(1) the NDPA, a DPIA is required where processing of personal data may likely result in high risk to the rights and freedom of the data subject. As a result of this likelihood of risk, the DPIA is to be conducted prior to the processing. Schedule 4 to the GAID shows a template for the conduct of the DPIA. It provides certain questions and parameters for determining the necessity of processing, potential vulnerabilities/risks associated with such processing, recommendations to mitigate such identified risks, etc.
x)report personal data breaches within 72 hours and notify data subjects if necessary;
xi)update agreements with third party processors to ensure compliance with the NDPA; and
xii)establish clear complaint resolution mechanisms.
Introduction of Standard Notice to Address Grievance (SNAG)
The GAID introduces the Data Subjects' Standard Notice to Address Grievance (SNAG), empowering data subjects to demand remedial action from data controllers and processors without prior notification to the Commission. This initiative is in furtherance of the power granted the Commission by Section 61(1)-(2)(b) of the NDPA, and this enables data subjects to assert their rights to data privacy.
SNAG serves as a standardised template for demanding internal remediation within organisations and can be issued by aggrieved data subjects, their representatives, or civil society organisations acting in the public interest. It can be served through various means, including physical address, telephone messaging, email, courier service, or other reasonable correspondence methods.
Where a data controller or processor receives a SNAG, it is required to communicate its decision on the SNAG to the NDPC through an electronic platform that the NDPC may create to track SNAGs.
Filing Of Compliance Audit Reports (CAR)
Data controllers or processors of major importance (DCPMIs) must file their CARs annually with the NDPC. The filing deadlines are as follows:
i)for DCPMIs established before June 12, 2023: March 31st of each year; and
ii)for DCPMIs established after June 12, 2023: within 15 months of establishment, and subsequently, on or before March 31st each year.
Late filing of the CAR will incur an administrative penalty fee, which is 50% of the applicable filing fee.
It is important to note that the GAID has provided revised CAR filing fees and has made applicable fees dependent on the category of DCPMIs the organisation belongs to. The filing fees are as follows:
| S/No | DCPMI | Tier | Fee (N) |
| 1. | Ultra-High Level (UHL) | a. 50,000 data subjects and above | 1,000,000 |
| b. 25,000-49,999 data subjects and above | 750,000 | ||
| c. below 25,000 data subjects | 500,000 | ||
| 2. | Extra-High Level (EHL) | a. 10,000 data subjects and above | 250,000 |
| b. 5,000-2,500 data subjects | 200,000
|
||
| c. below 2,500 data subjects | 100,000
|
Requirements for Deploying Emerging Technologies in Personal Data Processing
Article 43 of the GAID provides that data controllers/processors deploying emerging technologies (AI, IoT, and blockchain) for processing personal data must:
i)comply with the provisions of the NDPA, public policy, the GAID and other regulations issued by the NDPC;
ii)ensure that emerging technology (ET) tools are designed with data protection principles integrated from the start, in line with the "data protection by design and by default" approach. The design of the ET tools are expected to take into account the data subject's rights not to be subject to automated decision-making, right to be forgotten, safeguards for sensitive personal data and children's rights, and regulation of cross-border data flows;
iii)conduct DPIAs in line with the provisions of the GAID and the NDPA, and test ETs in low-risk environments where it may serve public interest for a reasonable period in other to observe outcomes of use; and
iv)continuously monitor and evaluate ETs post-deployment.
Data controllers/processors are also required to document technical/organisational parameters and file with the Commission.
Introduction of Legitimate Interest Assessment (LIA)
One of the lawful basis for the processing of person data provided under Section 25 of the NDPA includes consent, legitimate interest, contractual obligation, etc. Often, organisations are constrained to relying on consent and contractual obligation as a basis for processing. This may be attributed to the fact that organisations are unable to accurately assess what constitutes legitimate interest and when it (and other lawful basis) applies.
The GAID introduces a Legitimate Interest Assessment (LIA) framework, providing a structured approach for data controllers and processors to evaluate whether their legitimate interests can serve as a lawful basis for processing personal data, as outlined under the NDPA.
Data controllers/processors are required to be cautious when relying on legitimate interest as a lawful basis for processing data, as they will be required to show the basis for the preference of legitimate interest in processing data during compliance audit.
Schedule 8 to the GAID provides an LIA template which is designed to help organisations assess and document their legitimate interests, ensuring compliance with data protection regulations and safeguarding individuals' rights.
A Broader Mandate for Data Protection Officers (DPOs)
The GAID expands the responsibilities of DPOs to include compiling and submitting semi-annual data protection reports to the designated officer of the data controller or processor, which will be integrated into the Record of Processing Activities (RoPA). This report shows the compliance status of the data controller/processor, will be verified by the Data protection compliance officer during the annual compliance audit.
Furthermore, the Commission will conduct an Annual Credential Assessment (ACA) of DPOs, subject to verification upon payment of the requisite fees, to ensure their ongoing competence and adherence to regulatory standards.
Provisions on Cross-Border Transfer of Data
The NDPA provides that a data controller/processor shall not transfer data to a recipient in another country unless such recipient is subject to a law, binding corporate rules, contractual clauses or other mechanisms that affords an adequate level of protection for the data being transferred.
Further to the above, the GAID for guidelines that will be used in evaluating the countries for the purpose of ascertaining their level of adequacy and other grounds for cross-border transfer of data as provided under the NDPA.
Conclusion
The provisions of the NDPC GAID are poised to have far-reaching implications for Nigeria's data protection landscape, yielding multifaceted effects on various stakeholders, including data subjects, controllers and processors.
These effects may manifest in enhanced data privacy and security, increased accountability and compliance, and the promotion of best practices in data protection. However, the GAID's provisions may pose challenges for small and medium-sized enterprises especially with respect to the registration and filing fees.
The GAID's success will depend on effective enforcement, stakeholder engagement, and ongoing evaluation to ensure that its provisions remain relevant and effective in protecting the rights of data subjects and promoting a culture of data protection in Nigeria.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
