By OLADAPO JOHN AYOTOMIWA

Introduction to the NDPR

The Nigerian Data Protection Regulation (“NDPR”) was introduced on the 25th of January, 2019 by the National Information Technology Development Agency (“NITDA”) to administer, regulate, control and protect against personal data breaches, and to ensure that Nigerian businesses remain competitive in international trade.[1] Despite being subsidiary legislation, the NDPR is currently Nigeria’s most comprehensive law on data protection. It regulates the collection and processing of data in Nigeria.

The objectives of this Regulation are:

  a) to safeguard the rights of natural persons to data privacy;
  b) to foster safe conduct for transactions involving the exchange of Personal Data;
  c) to prevent manipulation of Personal Data; and
  d) to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which is in tune with best practice.[2]

The scope of the regulation extends to all transactions intended for the processing of Personal Data; natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria; and the Regulation shall not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction.[3]

The Importance of Data Privacy and Protection in Nigeria

In considering the importance of Data Privacy and Protection, it is pertinent to define the concepts of data privacy and data protection. Data privacy is concerned with the use, administration and governance of personal data. This includes putting policies in place to ensure that individuals’ personal information is collected, shared and used in appropriate ways.[4] Data protection refers to the means employed to ensure that data is kept safe and secure, and guarded against unauthorized access.

The right of privacy is guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) and this extends to the privacy of the data of Nigerian Citizens. This makes data privacy a fundamental right which must be secured and its sanctity kept.

When data that should be kept private gets in the wrong hands, bad things can happen. Data privacy and protection are important for several reasons:

  1. It helps to protect personal information
  2. It helps prevent identity theft
  3. It is essential to building trust between individuals and organizations.
  4. Failure to protect data and ensure privacy can cause reputational damage to individuals, organizations, and governments.
  5. It prevents disruption of business and is important for business continuity.
  6. It is important for protecting personal privacy.
  7. It can drive innovation. By ensuring that personal data is protected, organizations and governments can develop new technologies and services that rely on personal data while still respecting individuals’ privacy.
  8. It helps to ensure international safety of personal data across jurisdictions.
  9. It is essential for protecting human rights. It helps to ensure that individuals are not discriminated against based on their personal information.
  10. It promotes transparency in the way data is collected, used and shared.

Core Principles of the NDPR on Data Processing

In May 2021, the Director-General of the National Information Technology Development Agency (NITDA), Mallam Kashifu Inuwa Abdullahi, stated that the NDPR is built on all the international principles of data protection, such as accuracy, limitation of use, security, confidentiality, availability, and integrity of data, and that it is a subsidiary law that limits abuse of power by data controllers, as data subjects determine how their data should be handled.[5] This captures the core principles of the regulation.

The core principles are geared towards ensuring that data is shared, used, collected, stored and processed in a responsible and visibly transparent manner. The core principles of personal data processing are[6]:

  1. Data minimization: Data collection and processing should be restricted to the minimum amount of personal data needed to achieve the specified purposes. This is intended to ensure that personal data is not collected in excess of what is necessary to achieve the purpose for which it is required.
  2. Lawfulness, transparency and legitimacy: Personal data should be processed in compliance with the provisions of the law. It must be processed legitimately and with respect for the rights of the data subjects.
  3. Accuracy: Personal data should be accurate, adequate and without prejudice to the dignity of the human person.
  4. Storage Limitation: Personal Data should be stored only for the period within which it is reasonably needed. This is to ensure that personal data is not retained indefinitely or used in ways that can be harmful to individuals, governments and organizations.
  5. Responsibility: Anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject owes a duty of care to the said Data Subject.
  6. Accountability: Data controllers and processors should be accountable for complying with the NDPR principles. They are responsible for ensuring that the data stays protected. Anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject shall be accountable for his acts and omissions in respect of data processing, and in accordance with the principles contained in this Regulation.

Rights of Data Subjects under the NDPR

With the increasing amount of personal data being collected and processed by organizations and governmental agencies and institutions in today’s digital age, personal data has become an invaluable commodity. Consequently, there is a growing need for individuals to have control over their data, and the provisions of the NDPR on the rights of data subjects come in handy. A few of the data rights under the NDPR are:[7]

  1. The right to be informed: The data controller has a duty to inform the data subject of the identity and contact details of the data controller; the contact details of the Data Protection Officer; the purpose(s) of the processing for which the Personal Data are intended as well as the legal basis for the processing; the legitimate interests pursued by the Controller or by a third party; what data is being collected about the data subjects, why it is being collected and how it will be used and every other relevant information allowed by law.
  2. The right of access: Individuals have the right to access their personal data that is processed by an organization. The data subject has a right to request any information relating to the processing of his data and the data controller has a responsibility to reply.
  3. The right to rectification: The Data Subject has the right to obtain from the Controller without undue delay the rectification of inaccurate Personal Data concerning him or her.
  4. The right to erasure: This is also known as the right to be forgotten. A Data Subject has the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data where the Personal Data are no longer necessary in relation to the purposes for which they were collected or processed; the Data Subject withdraws consent on which the processing is based; the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing; the Personal Data have been unlawfully processed; and the Personal Data must be erased for compliance with a legal obligation in Nigeria.
  5. The right to restrict processing: Data subjects have the right to request that their personal data not be processed for certain purposes, such as where:
     a) The accuracy of the Personal Data is contested by the Data Subject for a period enabling the Controller to verify the accuracy of the Personal Data;
     b) The processing is unlawful, and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead;
     c) The Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims; and
     d) The Data Subject has objected to processing, pending the verification whether the legitimate grounds of the Controller override those of the Data Subject.
  6. The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances.
  7. The right to data portability: The Data Subject shall have the right to have the Personal Data transmitted directly from one controller to another, where technically feasible.
  8. The right to lodge a complaint: Data subjects have a right to lodge a complaint with the National Information Technology Development Agency (NITDA) or the Nigerian Data Protection Bureau (NDPB).

The Role of the Nigerian Data Protection Bureau (NDPB) in enforcing the provisions of the NDPR

On the 4th day of February, 2022, President Buhari announced the establishment of the Nigerian Data Protection Bureau, which meant that, going forward, the NDPB and not NITDA will be responsible for the enforcement of data protection regulations and the administration of all other protection-related matters in Nigeria.[8] As a primary regulatory body, the NDPB plays an important role in ensuring that organizations comply with the NDPR and protect the privacy rights of individuals. Here are some of the key ways in which the NDPB enforces the provisions of the NDPR:

  1. Registration and Audit: The NITDA requires organizations that collect and process personal data to register with the agency and conduct regular audits of their data protection practices. This helps to ensure that organizations are observing the guidelines set out in the NDPR and taking appropriate measures to protect personal data.
  2. Compliance Monitoring: The NDPB monitors organizations for compliance with the NDPR and investigates any complaint or breaches of data protection laws. The agency has the power to impose fines and other penalties on organizations that fail to comply with the NDPR.
  3. Capacity Building: The NDPR provides training and capacity building programs to help organizations understand the importance of data protection and comply with the NDPR. This includes training on data protection, privacy rights, and best practices for data management.
  4. Public Education: In addition to providing training and capacity building programs, the NDPB also engages in public education campaigns to raise awareness about data protection and encourage organizations and individuals to take data privacy seriously.

Consequences of Non-Compliance with the provisions of the NDPR

Non-compliance with the NDPR can result in serious consequences for individuals and organizations. These include fines and penalties imposed by relevant regulatory agencies. These fines can be as high as 2% of the organization’s annual gross revenue or N10 million (whichever is greater). Furthermore, legal action can be taken against a party that has failed to comply, which can result in costly legal fees, damages and loss of reputation.

The trust of customers in organizations can be eroded, and organizations can suffer serious reputational damage and ultimately experience disruption in business. That is not all. Organizations that fail to comply can have their licenses revoked or suspended. Non-compliance can result in a data breach. It can also result in organizations losing their competitive advantage, as customers may choose to do business with competitors who are more compliant. Business relationships can become impaired as well, and non-compliance can also lead to heightened regulatory scrutiny, resulting in additional cost and resource requirements for an organization.

Flowing from the several consequences stated above, it is clear that failure of data collectors to comply with the provisions of the NDPR can result in a range of severe consequences.

Recommendations for improving compliance with the NDPR

It is pertinent for organizations to comply with the provisions of the NDPR to avoid the consequences stated above. Here are a few recommendations for improving organizational compliance with the provisions of the NDPR:

  1. Organizations should develop a comprehensive data protection policy that outlines how personal data is collected, processed, stored and used. The policy should outline the organization’s commitment to complying with the NDPR.
  2. Organizations should appoint a Data Protection Officer (DPO) who will be responsible for overseeing the organization’s compliance with the NDPR. The DPO is expected to have the necessary skills and knowledge to carry out the role effectively.
  3. Organizations should conduct a data protection impact assessment to identify risks and vulnerabilities in their data processing activities. This assessment will help organizations implement appropriate measures to protect personal data.
  4. Organizations should implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. These measures may include access controls, encryption, and regular data backups.
  5. Organizations should provide training and awareness programs to employees on data protection and the NDPR. This will help employees understand their responsibilities and obligations under the regulation.
  6. Organizations should conduct regular audits and reviews of their compliance with the NDPR. This will identify any gaps or areas for improvement.
  7. Organizations must place a premium on obtaining the consent of individuals before collecting and processing their personal data. The consent must be voluntary, specific, informed, and unambiguous.
  8. Organizations should conduct due diligence on third-party service providers to ensure that they have appropriate data protection measures in place.

Conclusion

The Nigerian Data Protection Regulation (NDPR) provides individuals with a comprehensive set of rights with respect to their personal data. These rights include the right to be informed, the right of access, the right to rectification, and the right to erasure, amongst a host of other rights.

The provisions of the NDPR, although not a secondary legislation, have come a long way in redefining the scope of data privacy and protection. However, the same cannot be said of the NDPB, as I am aware of no landmark regulatory achievement yet made by the bureau. The public need to be made more aware of their data privacy rights, as several organizations and institutions continue to breach the data privacy rights of citizens.

There is tangible regulation; however, in my opinion, implementation and enforcement have not been at their best, and all key players need to be more proactive in playing their roles to improve the scope of data privacy and protection in Nigeria.

About the Author

John A. Oladapo is an Associate in a leading Dispute Resolution law firm in Lagos, Nigeria. Outside work, you would either catch him playing chess, taking courses online, studying, researching or writing on tech related subjects and concerns surrounding Data Privacy, Cyber Security, Artificial Intelligence and Fintech.

Phone: +2348146006785

Mail: theoladapoesq@gmail.com

LinkedIn: http://www.linkedin.com/in/john-oladapo-282997244

[1] Data Protection Rights And Obligations In An Employer – Employee Relationship In Nigeria – Employee Rights/ Labour Relations – Nigeria (mondaq.com)

[2] Paragraph 1.1 of the Nigerian Data Protection Regulations, 2019 – NigeriaDataProtectionRegulation11.pdf (nitda.gov.ng)

[3] Paragraph 1.2, Ibid.

[4] What is Privacy (iapp.org)

[5] NITDA seeks full implementation of NDPR in Lagos (vanguardngr.com)

[6] Paragraph 2.1, Op Cit.

[7] Paragraph 3.1, Ibid.

[8] Data Protection Laws and Regulations Report 2022-2023 Nigeria (iclg.com)