Nigeria Data Protection Act (NDPA)

Who is excluded from Nigeria Data Protection Regulation compliance? 

The NDPA does not apply to “the processing of personal data to the extent it is carried out by one or more individuals solely for personal or household purposes” and in the following situations where personal data processing is

• “carried out by competent authorities for the purposes of the prevention, investigation, detection, prosecution or adjudication of criminal offenses or the execution of criminal penalties in accordance with any applicable law;
• carried out by competent authorities for the purposes of prevention or control of a national public health emergency;
• carried out by competent authorities as necessary for national security;
• in respect of publication in the public interest for journalism, educational, academic, artistic and literary purposes to the extent that such obligations and rights would be incompatible with such purposes; or
• necessary for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.”
  
  

How can I keep my organization NDPA compliant? 

Similar to other data privacy laws across the world, the NDPA sets out principles for personal data processing as follows: 

• personal data has to be processed “fairly, lawfully and in a transparent manner”;
• it has to be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes”;
• personal data has to be “adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed”;
• it can be “retained for no longer than is necessary to achieve the lawful bases” for which it was collected or further processed;
• personal data must be “accurate, complete, not misleading and, where necessary, kept up to date having regard to the purposes for which the personal data was collected or is further processed”;
• personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and access against loss, destruction or damage and the data controller and data processor shall use appropriate technical and organizational measures to ensure the confidentiality, integrity and availability of the personal data.”

The lawful basis for processing of personal data is the consent of the data subject as well as the application of one of the following situations where processing is necessary:

• for the performance of a contract;
• for compliance with a legal obligation;
• for the purpose of protecting the vital interests of the data subject;
• for the performance of tasks in service of public interest or for the exercise of official authority;
• for purposes of legitimate interest of the data controller or data processor, unless exceptions to this apply.

It is your responsibility to prove that consent was obtained prior to data processing, and in the case of children, consent may be relied upon when provided by a child aged 13 years or more. 

Although this draft bill does not specifically mention the requirement of a privacy policy, unlike the 2019 version of the law, Article 28 sets out a series of details that your organization has to provide to the data subject before you collect personal data directly from them. These are as follows: 

• the name and address of your organization;
• the specific lawful basis for processing;
• the purposes of processing;
• if applicable, the details of any third party that would receive their personal data;
• the data subjects access rights available to them according to the law;
• the right to submit a complaint to the regulatory authorities;
• the existence of automated decision-making, i.e. profiling, the potential consequences of this, and the right to object to this type of processing.

According to Article 29, you are required to conduct a DPIA “where processing appears likely to result in high risk to the rights and freedoms of data subjects by virtue of its nature, scope, context and purposes”

Article 33 mandates that “data controllers of major importance shall designate a data protection officer with expert knowledge of data protection law and practices” but it does not impose this obligation on all other data controllers and processors, while according to Article 40, you are required to “implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse or alteration, unauthorized disclosure or access.” These measures may include pseudonymization, encryption, regular testing and regular updating of the security in place. In addition to this, if you are a data controller or a data processor “of major importance,” you are required to register with the Nigeria Data Protection Commission (NDPC) within 6 months of the enforcement of this law or of becoming one such data controller or processor. 

Last but not least, according to Article 41, data breaches referring to data being stored or processed by a data processor on behalf of another data processor or data controller have to be reported no later than 72 hours to the NDPC when this is likely to result in a risk to the individuals. If the data breach refers to data that was stored or processed by a data processor directly then these must be notified to any other data controllers or processors that may have come into contact with the data, as they might have to meet compliance requirements as well. 

What data access rights does the Nigeria Data Protection Act grant? 

Same as other data privacy regulations, the NDPA grants individuals the following rights: 

• Right to be informed
• Right to access data 
• Right to correct inaccurate data 
• Right to delete personal data 
• Right to restrict processing 
• Right to object to processing 
• Right to object to automated processing
• Right to the portability of data 

How to address data subject access requests under NDPA?

Unlike its preceding law, the NDPA is more vague when it comes to the deadline for answering a data subject request, determining that you must do so “without constraint or unreasonable delay.”

The personal data has to be provided to the data subject “in a commonly used electronic format except to the extent that providing such data would impose unreasonable costs on the data controller, in which case the data subject may be required by the data controller to bear some or all of such costs.”

While a data subject request is pending resolution, an objection has been raised by the data subject, or the establishment, exercise or defense of legal claims is pending a resolution, data processing is restricted.

Enforcement and penalties for Nigeria Data Protection Act

The regulating authority is the Nigeria Data Protection Commission (NDPC), which handles complaints submitted against a data controller or processor, including those submitted by a data subject. 

The NDPC can also initiate an investigation on its own where it has reason to believe that your organization is violating the law and may, for the purpose of the investigation, it can ask an individual to attend a meeting a specific time and place in order to be questioned regarding a complaint, to produce documentation required in the investigation - unless doing so would break any other written law - and to make a statement under oath “setting out all information which may be required under the order.” Other actions it may perform include issuing compliance orders to data controllers and processors that have either violated or are likely to violate the regulations, it may issue an enforcement order or impose a sanction. 

Penalties are split between data controllers and processors of major importance, and all other data controllers and processors as follows:

• in the case of a data controller or data processor of major importance, the higher maximum amount, meaning ₦10,000,000 (approx. $21,700) or “two percent of its annual gross revenue derived from Nigeria in the preceding financial year,” whichever is greater.
• in the case of a data controller or data processor other than a data controller or data processor of major importance, the standard maximum amount, meaning ₦2,000,000 (approx. $4,500) or “two percent of its annual gross revenue derived from Nigeria in the preceding financial year,” whichever is greater.

For criminal offenses, meaning failure to comply with the enforcement orders issued by the NDPC, the penalty may consist of the above fines for each type of data controller and processor, or imprisonment for up to 1 year, or both a fine and imprisonment.

Data Subject Rights - GDPR vs. NDPA