In an increasingly digital world, the protection of personal data has become a central concern for individuals, businesses, and governments alike. In Nigeria, data protection and privacy compliance is gaining critical importance as organizations collect, process, and store large volumes of personal information. The key legal framework governing data protection in Nigeria is the Nigeria Data Protection Regulation (NDPR), issued in 2019 by the National Information Technology Development Agency (NITDA).
This article provides a comprehensive overview of data protection and privacy compliance in Nigeria, including the legal framework, key compliance requirements, penalties for non-compliance, and practical steps for organisations.
1. Legal Framework for Data Protection in Nigeria
a. Nigeria Data Protection Regulation (NDPR) 2019
The NDPR is the principal regulation governing data protection in Nigeria. It was issued by NITDA pursuant to its enabling Act and is modelled after international standards such as the EU General Data Protection Regulation (GDPR).
b. Key Objectives of the NDPR
- To safeguard the rights of natural persons to data privacy.
- To regulate the processing of personal data.
- To ensure organisations adopt international best practices in data handling.
- To enhance Nigeria’s global competitiveness in digital trade.
c. Other Relevant Laws
- NITDA Act 2007 – Establishes NITDA and gives it the authority to issue the NDPR.
- Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 – Covers aspects of data security, including unlawful access to and interception of data.
- Freedom of Information Act, 2011 – Provides for public access to information held by public institutions, with exceptions for personal data.
- Constitution of the Federal Republic of Nigeria, 1999 (as amended) – Provides for the right to privacy under Section 37.
2. Key Terms under the NDPR
- Data Subject: An identified or identifiable natural person whose personal data is collected or processed.
- Data Controller: A person or entity that determines the purposes and means of processing personal data.
- Data Processor: A person or entity that processes personal data on behalf of the Data Controller.
- Personal Data: Any information relating to an identified or identifiable individual (e.g., name, address, email, phone number).
- Sensitive Personal Data: Includes health records, religious or political beliefs, biometric data, and other categories requiring a higher level of protection.
3. Obligations of Organisations under the NDPR
a. Lawful Basis for Processing
Organisations must have a legal basis to process personal data, which may include:
- Consent of the data subject.
- Contractual necessity.
- Compliance with a legal obligation.
- Protection of the vital interests of the data subject.
- Performance of a task in the public interest or in exercise of official authority.
- Legitimate interests of the controller (not among the bases listed in NDPR Article 2.2, but expressly recognised under the NDPA 2023).
b. Data Subject Rights
Organisations must uphold the rights of data subjects, including:
- Right to be informed.
- Right of access.
- Right to rectification.
- Right to erasure (“right to be forgotten”).
- Right to data portability.
- Right to object to processing.
- Right to withdraw consent at any time.
c. Data Protection Policies and Notices
Organisations must adopt a data protection policy and provide clear privacy notices detailing:
- What data is collected.
- How and why it is processed.
- Data retention periods.
- Data subjects’ rights and remedies, including how to lodge a complaint.
d. Appointment of a Data Protection Officer (DPO)
The NDPR (Article 4.1(2)) requires every data controller to designate a DPO to oversee compliance; the function may be outsourced to a verifiably competent firm or individual. Organisations handling significant volumes of personal data should treat this appointment as a priority.
e. Filing of Audit Reports
Under NDPR Article 4.1, a data controller that processes the personal data of more than 1,000 data subjects in any six-month period must submit a summary of its data protection audit to NITDA, and one that processes the personal data of more than 2,000 data subjects in a twelve-month period must file its Annual Data Protection Audit Report by 15 March of the following year.
f. Third-Party Contracts
Where third parties (e.g., cloud providers or IT service companies) process data, contracts must include clauses on data protection responsibilities.
4. Registration and Licensing of DPCOs
To enforce compliance and assist organisations, NITDA licenses Data Protection Compliance Organisations (DPCOs). These are professional firms authorised to:
- Conduct audits and assessments.
- Offer compliance training.
- Draft data protection documents and policies.
- Assist with regulatory filings.
Audit reports filed with the regulator are expected to be prepared and submitted through a DPCO licensed by NITDA; unlicensed consultants cannot perform these official compliance functions.
5. Enforcement and Penalties
NITDA has the power to investigate and sanction violations of the NDPR. Penalties include:
- ₦2 million or 1% of the annual gross revenue of the preceding year (whichever is greater) for data controllers dealing with fewer than 10,000 data subjects.
- ₦10 million or 2% of the annual gross revenue of the preceding year (whichever is greater) for data controllers dealing with more than 10,000 data subjects.
- Additional civil and criminal liability where a breach causes harm or financial loss to data subjects.
Notable enforcement includes a ₦10 million fine imposed on Lagos-based firm Smednette in 2020 for NDPR violations.
6. Practical Steps for Compliance
To ensure compliance with the NDPR, organisations should:
- Conduct a Data Audit: Identify all personal data collected, the purposes for which it is used, where it is stored, and who (including third parties) has access to it.
- Appoint a Data Protection Officer: Ensure accountability and ongoing compliance monitoring.
- Develop and Implement Policies: Draft internal policies, privacy notices, consent forms, and data-processing agreements with vendors.
- Train Staff: Raise awareness of data protection obligations among employees.
- Engage a Licensed DPCO: For professional guidance, policy development, and preparation of the audit report.
- File the Annual Audit Report: Submit it within the deadline (for controllers above the 2,000-data-subject threshold, by 15 March of the following year under NDPR Article 4.1(6)).
7. Future Outlook: The Nigerian Data Protection Act (NDPA)
In June 2023, the Nigeria Data Protection Act (NDPA) was signed into law, establishing the Nigeria Data Protection Commission (NDPC) as the regulator and transferring to it the functions NITDA exercised under the NDPR, including receipt of audit filings and licensing of DPCOs. The NDPA consolidates and strengthens Nigeria’s data protection framework and aligns it more closely with international standards.
The NDPR continues to apply as subsidiary legislation under the NDPA to the extent that it is not inconsistent with the Act, so organisations should maintain their NDPR compliance programmes while aligning with the NDPA’s broader provisions.
Conclusion
Data protection and privacy compliance in Nigeria is no longer optional. With the NDPR in force and the emergence of the NDPA, organisations are under a growing obligation to respect the rights of individuals and ensure responsible data processing. By implementing robust compliance systems, appointing qualified officers, and staying informed of legal updates, businesses can avoid sanctions and gain the trust of customers in today’s digital economy.