What is the Nigeria Data Protection Regulation (NDPR)?
The Nigerian Data Protection Regulation, 2019 (‘NDPR’), issued by the National Information Technology Development Agency (‘NITDA’), is the main data protection regulation in Nigeria.
The NDPR protects the rights of data subjects through clearly defined obligations of data controllers and processors, and clearly defined rules for the transfer of data to foreign territory.
Most entities work with natural persons, and this often requires the processing of personal data. Such entities must therefore ensure compliance with this regulation.
Compliance with data protection laws protects a company from penalties such as high fines, court costs, public embarrassment and a bad reputation.
Does your business need to comply with this regulation, and how do you go about it? Read on below.
Nigeria Data Protection Regulation (NDPR) – scope of application
Personal scope of the NDPR
This law, like other laws of this type (such as the CCPA or the GDPR), applies to any entity that collects, uses, stores, or shares information about individuals or consumers.
The NDPR applies to all transactions intended to process the personal data of natural persons in Nigeria. It covers the processing, by automated and non-automated means, of the personal data of people resident in Nigeria and of people of Nigerian nationality.
Territorial scope of the NDPR
In terms of territorial scope, the NDPR applies to natural persons who are citizens of Nigeria, whether or not they reside in Nigeria.
Exceptions to the NDPR
The processing of personal data is exempted from the provisions of the regulation when it is carried out for the purposes of:
- public order and peace, public safety and public morality
- national security and the public interest
- prevention or detection of crime, or apprehension or prosecution of the perpetrator
- the assessment or collection of any tax or duty, or an imposition of a similar nature
- publication of literary or artistic material
Steps for NDPR compliance
Step 1:
You should first determine the processing activities of the organization and identify the type of personal data collected and the nature of the processing.
Step 2:
Determine whether your organization is a data controller or a data administrator (i.e. a data processor).
- If it determines the purpose and method of processing personal data, then the organization is a data controller
- If it only processes personal data on behalf of another party, then it is a data administrator
This distinction matters because most of the obligations fall on the data controller, who is also responsible for any violation of the regulation committed by the data administrator.
Step 3:
Appoint a Data Protection Officer (DPO).
As a data controller, you are required to appoint an individual or an entity as the organization’s data protection officer (DPO), whose duty is to align the organization with the provisions of the NDPR.
Step 4:
Conduct an assessment of your organization’s processing activities to determine the steps needed to comply with the NDPR.
You do that by asking the following questions:
- How and why is the data collected?
- Which department receives such data?
- What is the legal basis for processing such data?
- What security measures has the organization put in place to prevent data breaches?
Step 5:
Start implementing the NDPR.
Make your data protection policies available and conduct an audit of the organization’s privacy and data protection practices.
Bottom line:
For a data controller handling the data of more than 10,000 data subjects, the fine for non-compliance with the NDPR is around 22,900 euros; for a data controller handling the data of fewer than 10,000 data subjects, it is around 4,600 euros.
So, if the Nigerian Data Protection Regulation covers your business, make sure that you comply with its provisions!