Data Protection In Nigeria.
The National Information Technology Development Agency (NITDA) was established by an Act of the National Assembly in 2007 to implement the Nigerian Information Technology Policy and coordinate general IT development in the country. Its role involves developing and regulating IT in the country, and it is against this backdrop that it is empowered to issue guidelines, regulatory standards and policies regarding IT governance in Nigeria.
In January 2019, NITDA issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”).
The four-part Regulation stipulates conditions for obtaining and processing personal data of individuals (“data subjects”). The scope of the Regulation is wide and covers ALL transactions for the processing of personal data of natural persons resident in Nigeria, and Nigerian citizens resident abroad.
The key players under the Regulation are:
- The Data subject — the person whose identity/information is being obtained for the purpose of processing the same;
- The Data controller — any person/corporate who determines the purpose and manner for processing the information of the data subject; and
- The Data processor — any person/corporate who processes the data in any form e.g. storing, reproduction, modification etc.
Please note that a Data controller and a Data processor can be one and the same person/organisation.
Key provisions of the Regulation include:
- Application: The Regulation applies to all residents of Nigeria, all citizens of Nigeria residing outside of Nigeria and all Companies obtaining and processing personal data of such individuals.
- Data Processing Principles: Personal data may only be processed if at least one of these five legal bases is met: (1) the Data subject provides consent; or the processing is necessary (2) for the performance of a contract, (3) to meet a legal obligation, (4) to protect the vital interests of the Data subject, or (5) for the performance of a task carried out in the public interest.
- Procuring Consent: There are specific requirements for obtaining the consent of the Data subject, but the key point to note here is that no data shall be obtained unless the specific purpose of collection is made known to the Data subject. The consent of the Data subject must be a freely given, specific, informed and unambiguous indication of the Data subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
- Data Security: Organizations must develop security measures to protect personal data, including setting up firewalls, implementing access controls, encrypting personal data, and developing internal policies for handling personal data.
- Third-Party Contracts: A data controller must enter into a written contract with any third party processing data on its behalf, and that contract must require adherence to the Regulation.
- Data Subject Rights: Data subjects have the right to (1) object to the processing of their personal data for marketing purposes; (2) access their personal data (and have their personal data transferred to another data controller where feasible); (3) obtain information about the processing of their personal data; (4) have their personal data deleted (where certain criteria are met); (5) have their personal data corrected; (6) restrict the processing of their personal data (where certain criteria are met); (7) withdraw consent to the processing of their personal data; and (8) lodge a complaint with the NITDA or another relevant regulator.
- Data Transfers: Transfers of personal data out of Nigeria may take place only if certain specified criteria are met.
- Transparency: Within three months of the issuance of the Regulation, all public and private organizations in Nigeria that process personal data must make available to the general public their data protection policies, which must comply with the Regulation.
- Appointment of a DPO: Every data controller must designate a Data Protection Officer (“DPO”) to ensure compliance with the Regulation.
- Privacy and Data Protection Audit: Within six months of the issuance of the Regulation, each organization subject to the Regulation must conduct a detailed audit of its privacy and data protection practices, in compliance with the requirements of the Regulation.
- Data controllers who processed the personal data of more than 1,000 data subjects in a six-month period must provide a soft copy of the audit summary to the NITDA.
- Data controllers who processed the personal data of more than 2,000 data subjects within a 12-month period must, not later than March 15th of the following year, submit a summary of their audit to the NITDA.
- Penalties: The Regulation states that any entity found to be in breach of the privacy rights of any data subject will be liable, in addition to any other criminal liability, for the following:
- For data controllers “dealing with more than 10,000 data subjects,” a fine of 2% of the annual gross revenue of the preceding year or 10 million Naira, whichever is greater; or
- For data controllers “dealing with less than 10,000 data subjects,” a fine of 1% of the annual gross revenue of the preceding year or 2 million Naira, whichever is greater.
NITDA is required to set up an Administrative Redress Panel to investigate and redress instances of breach; however, this does not derogate from the data subject’s right to seek redress in a competent court.