Data protection has emerged as a paramount concern in this era marked by the rapid digitisation of information and the global exchange of personal data. In Nigeria, the legal framework for data protection has undergone significant developments, most notably with the enactment of the Nigeria Data Protection Act in June 2023 (“NDPA” or “the Act”).
Consequently, this article appraises the principal data protection act in Nigeria, the NDPA, and other relevant laws, analysing the roles to be played by organisations in ensuring compliance with data protection.
Important Concepts in the Data Protection Act
For a more effective evaluation of the obligations imposed by the Act on businesses, there is a need to provide succinct explanations of some key terms used in the Act.
In the Act, “Personal Data” refers to identifiable information about individuals, while “Sensitive Personal Data” includes genetic, biometric, racial, health, and other information prescribed by the Nigeria Data Protection Commission (NDPC). A “Data Controller” collects data on the data subject and determines the purpose for which the data is to be processed.
A “Data Processor” handles data on behalf of the Data Controller; in most instances, the data controller employs the services of a data processor in processing the data of a subject. A data controller can also be a processor, where the controller processes the data by itself. “Data Subjects” are the individuals to whom the data relates. “Processing” involves various actions, excluding the mere transit of foreign data.
Obligation of Organisations to Ensure Compliance
Having briefly clarified key concepts used in the Act, we will now proceed to discuss below the obligations of organisations in ensuring data protection compliance in Nigeria:
a. Obligations of Data Controllers and Processors in Processing of Personal Data
Concerning the Data Protection Act, businesses need to know the category they fall under, that is, whether they are data controllers, processors, or both. Data controllers are responsible for collecting data and determining the purpose for which the collected data will be used and processed.
For example, telecommunication service providers that receive data from their customers are data controllers. A data processor processes the collected data on behalf of the data controller, and often on the data controller’s directive. For instance, a human resource management system service provider whose software is used to manage the data of its clients’ employees, by updating and optimising the use of such data, is a data processor.
In most instances, the data controller employs the services of a data processor in processing the data of a subject. As a result, the data controller, being the one who collects the information of the data subject, has a more vital obligation to protect the data of a subject and is held liable for breaches arising from the data processor’s actions.
In processing data, the NDPA mandates businesses that act as data controllers, data processors, or both to process the personal data of their clients and staff fairly, legally, and transparently. The Act provides that, in doing this, processing must rest on one of the six lawful bases for processing data, which are: consent, performance of a contractual obligation, compliance with a legal obligation, protection of vital interests, performance of a task carried out in the public interest, and legitimate interests pursued by the data controller or a third party.
In gathering the personal data of clients and staff, data controllers and processors are mandated by the Act to collect data for clear and legitimate purposes and ensure it is used for the intended purposes. This means that organisations are limited to collecting only the data required for the intended purpose.
For the data of children (persons under the age of 18), data controllers ought to verify the subject’s age and ensure that consent is obtained. In addition, organisations operating as data controllers or processors owe a duty of care to data subjects, such as their clients, and must be accountable for all data collected and processed. Also, where an organisation requires a third party to process data, such an arrangement should be governed by a written contract between the third party and the data
b. Registration with the Nigerian Data Protection Commission (NDPC)
The NDPA requires data controllers and data processors of Major Importance to register with the NDPC within six months after the commencement of the NDPA or on becoming data controllers and data processors of Major Importance.
c. Data Protection Annual Audit
The NDPR requires controllers and processors processing the data of over Two Thousand (2,000) subjects to file yearly privacy audits with the NDPC by March 15 of the following year. The applicable auditing fees are Ten Thousand Naira (NGN10,000) for fewer than Two Thousand (2,000) subjects and Twenty Thousand Naira (NGN20,000) for over Two Thousand (2,000) subjects.
d. Appointment of a Data Protection Officer (DPO)
Section 32 of the NDPA states that a Data Controller of Major Importance must appoint a DPO with expertise in data protection laws who is capable of carrying out the tasks required under the NDPA and its subsidiary regulations.
e. Sanctions for Failure to Register with the NDPC and Appoint a Data Protection Officer
The NDPC may impose fines for a breach of the provisions of the NDPA or issue enforcement orders, including orders for the payment of compensation to a Data Subject, or refer the matter to the appropriate regulatory agencies for sanction and prosecution. The NDPC may also institute criminal proceedings where it has determined that an organisation is in breach of the provisions of the NDPA or the NDPR.
The Nigeria Data Protection Act marks a significant stride toward safeguarding individuals’ privacy and promoting responsible data processing practices in Nigeria. As technology continues to shape lives, the NDPA provides a foundation for balancing innovation with the protection of personal information. However, more effort is needed to enhance awareness and facilitate compliance, both of which are essential to realising the full potential of data protection laws in Nigeria.
Kenna Partners is a licensed Data Protection Compliance Organisation.