Given the attendant increase in the use and transfer of personal information of individuals and the need to protect the individual right to privacy, the National Information Technology Development Agency (NITDA) of Nigeria issued the Nigeria Data Protection Regulation (NDPR) in January 2019. [1]
This regulation imposes certain obligations on technology-based companies and on other sectors that collect kinds of personal information considered to be ‘sensitive’. The obligations may apply to e-commerce websites, banks, employers, hospitals, and other entities, if they collect the personal information of users.
The NDPR introduces major compliance obligations for Nigerian companies, which include audit checks, publication of data protection policies, filing of audit reports amongst others, and also stipulates stiff penalties for its breach. [2]
Regulatory compliance under the NDPR
Compliance with data protection regulations prevents the company from incurring expensive costs in the form of fines, litigation expenses, public embarrassment, and a bad reputation. Data protection compliance involves understanding not only a company’s policies, contracts, and legal engagements, it also requires an understanding of the company’s information technology, security, audit, and operational system. [3]
The NDPR imposes several responsibilities on data controllers and processors to enable them lawfully obtain and process data. The NDPR further explicates the procedures to employ for a successful compliance. For a data controller or processor to successfully comply with the provisions of the NDPR, they must take into cognizance the following:
Consent
In ensuring compliance with the NDPR, data controllers must obtain the consent of the data subject before processing the data subject's information. This can be done by creating a privacy policy; such a policy must be consented to by the data subject without fraud, undue influence or coercion. Otherwise a data controller is prohibited from processing or using such information, and any violation attracts a heavy penalty.
The request for consent shall be presented in a manner that is distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. [4]
Prior to seeking the consent of the data subject, the Data Subject shall be informed of his right to withdraw his consent at any given time and of the method for doing so. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. [5]
The Regulation also provides that there shall be a written contract between the third party and the Data Controller in the event that a data controller decides to engage the services of a third party to process data. Accordingly, any person engaging a third party to process the data obtained from Data Subjects shall ensure adherence to the Regulation. [6]
It is important to ensure compliance with the provisions of this regulation when dealing with the data of data subjects. Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
a. In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of a fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater.
b. In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of a fine of 1% of the Annual Gross Revenue of the preceding year.
Audit
The NDPR mandates all Data Controllers that process the personal data of more than 1000 Data Subjects within a period of six months to conduct an audit of their organization's data privacy policies and to file a soft copy of the summary of that audit with NITDA. Similarly, Data Controllers that process the personal data of more than 2000 Data Subjects within a period of 12 months are mandated to file a soft copy of the summary of their audit with NITDA not later than 15 March of the following year. [8]
Compliance is not a one-off obligation but a continuing activity for data controllers and processors in Nigeria. [9] Failure to file these returns with NITDA as the NDPR requires is deemed a breach of the NDPR. A complete data protection audit results in the synchronization of all the company’s processes so that all data passing through its systems is handled without compromising data integrity or infringing on the privacy of the data owners. [10]
CONCLUSION
Without a doubt, the NDPR constitutes a transformational attempt to radicalize the data privacy and protection regime in Nigeria. Corporations and individuals need to take cognizance of this regulation and adopt a paradigm shift in the way they interact with and process the personal data in their possession.