By Jeremiah Onaolapo Esq., Principal Partner at Smart Tent and Trust LLP.
A. INTRODUCTION
In the modern digital economy, personal data has become a critical asset, yet its misuse poses significant risks. To address these challenges, the Nigeria Data Protection Regulation (NDPR) was introduced in 2019 under the enabling provisions of the National Information Technology Development Agency Act, 2007 (NITDA Act). The NDPR aims to provide a legal framework for data privacy, aligning with global standards like the EU’s General Data Protection Regulation (GDPR). This article examines the NDPR, its provisions, challenges, practical compliance tips, and judicial precedents that highlight its application, and I honestly hope it helps someone.
B. BACKGROUND
The NDPR was issued under Section 6 of the NITDA Act, 2007, which empowers the National Information Technology Development Agency (NITDA) to develop regulations for data protection in Nigeria. The NDPR ensures that Nigerians’ personal data is processed in line with global best practices. No personal data or information of anyone can be maliciously or negligently exposed to the detriment of the owner.
In alignment with global standards, the NDPR incorporates GDPR principles such as consent, accountability, and data subject rights. This alignment is essential for Nigeria’s digital competitiveness and ensures the regulation’s applicability to cross-border data processing.
C. KEY PROVISIONS OF NDPR
1. SCOPE AND APPLICABILITY: The NDPR applies to Data Controllers and Processors, within or outside Nigeria, handling personal data of Nigerians. It covers all sectors engaged in processing personal data, including finance, telecoms, e-commerce, and healthcare. Section 37 of the 1999 Constitution guarantees the right to privacy, forming the constitutional basis for data protection.
In the relevant case of Paradigm Initiative v. National Identity Management Commission (NIMC), a Nigerian NGO sued NIMC for failing to protect citizens’ data. The court emphasized the importance of data privacy, reinforcing the need for compliance with the NDPR.
2. RIGHTS OF DATA SUBJECTS: The NDPR grants data subjects the following rights:
Right to Access: Individuals can request details of their personal data held by an organization.
Right to Rectification: Data subjects can correct inaccuracies in their data.
Right to Erasure: Individuals may request the deletion of their data if it is no longer necessary or if consent is withdrawn.
Right to Object: Individuals can object to the processing of their data for specific purposes.
3. OBLIGATIONS FOR DATA CONTROLLERS: Data controllers are required to:
Obtain Consent: Explicit consent must be obtained before collecting personal data.
Conduct Data Audits: Annual audits must be filed with NITDA.
Notify Breaches: Data breaches must be reported within 72 hours.
Legal Framework: Section 6(c) of the NITDA Act empowers NITDA to monitor compliance and enforce data protection rules.
4. PENALTIES FOR NON-COMPLIANCE: The NDPR imposes severe penalties on defaulters. For data controllers handling over 10,000 data subjects, the penalty is 2% of annual gross revenue or ₦10 million (whichever is greater). For data controllers handling fewer than 10,000 data subjects, it is 1% of annual gross revenue or ₦2 million (whichever is greater).
In the case of Truecaller v. NITDA, Truecaller faced scrutiny from the agency for unauthorized processing of Nigerians’ data. Though the matter was settled out of court, it highlighted the importance of compliance to avoid penalties.
D. CHALLENGES WITH NDPR IMPLEMENTATION
1. Lack of Awareness Among SMEs: Many small and medium enterprises (SMEs) remain unaware of their obligations under the NDPR, leaving them vulnerable to legal actions and penalties.
2. Limited Enforcement Mechanisms: NITDA’s enforcement capacity is constrained by limited resources, impacting the widespread adoption of the NDPR.
E. PRACTICAL TIPS FOR COMPLIANCE
1. Conduct Regular Data Audits: Organizations should evaluate their data handling practices to identify and address compliance gaps.
2. Train Employees on Data Protection Principles: Regular and continuous training ensures staff understands their roles in safeguarding data and complying with the NDPR.
3. Appoint a Data Protection Officer (DPO): A DPO oversees compliance efforts and acts as the point of contact for data protection issues in your organization.
Article 4.1(2) of the NDPR mandates the appointment of a DPO by organizations that process significant volumes of personal data.
F. CONCLUSION
The NDPR is a vital framework for safeguarding personal data and fostering trust in Nigeria’s digital economy. By understanding its provisions, organizations can avoid penalties, protect customer trust, and gain a competitive edge. Our courts have further emphasized the importance of compliance, ensuring that the rights of data subjects are upheld, and where they are not, a right of action may arise, leading to an award of damages where need be.
G. CALL TO ACTION
To ensure compliance with the NDPR, organizations must prioritize data protection by conducting audits, training staff, and appointing a DPO. Consult a professional in this field to counsel and advise you or your business in this regard. There is safety in the midst of wise counsel.
H. AUTHOR
JEREMIAH ONAOLAPO is the lead partner at Smart Tent and Trust LLP, a distinguished law firm specializing in bespoke legal services tailored to meet the unique needs of its clients.
With a strong commitment to excellence, Jeremiah brings extensive experience and in-depth knowledge across a range of legal disciplines, delivering innovative and practical solutions to complex legal challenges. Dedicated to personalized service, he works closely with clients to understand their goals, ensuring strategic and effective outcomes.
At Smart Tent and Trust LLP, Jeremiah and his team continue to uphold the firm’s reputation for integrity, professionalism, and client-centric advocacy.
Phone: 07064506533