NIGERIAN DATA PRIVACY LAW: COMPLIANCE AND CONSEQUENCES FOR BREACH

In an age of globalized information sharing, the importance of personal data privacy cannot be overstated. As such, countries around the world have enacted laws to protect the personal data of consumers. In Nigeria, the Nigeria Data Protection Regulation 2019 (NDPR) is a law that outlines the rules for collecting, processing, and storing personal data. The goal of the NDPR is to ensure that the personal data of Nigerian citizens is secure from unauthorized access or misuse.
The NDPR applies to any organization operating in Nigeria, regardless of its location, if that organization processes the personal data of Nigerian citizens. The regulation applies to any data processing activities, regardless of the industry or sector, and to data controllers and data processors.
SOME ESSENTIAL PROVISIONS OF THE NDPR, HIGHLIGHTING SECTIONS AND EXAMPLES OF HOW THEY APPLY:
1. Consent: The NDPR requires that data controllers obtain the express consent of data subjects before collecting, processing, or disclosing their personal information. It defines "personal data" as any information that identifies an individual, such as name, email address, national identification number, address, biometric data, financial information, and medical information. For example, if a company wants to collect customer data such as names, phone numbers, email addresses, and other personal information for marketing purposes, it must obtain the express consent of the data subjects before collecting or processing that information. This is in line with Section 2.1 (d) of the NDPR.
2. Data Protection Officer (DPO): The NDPR requires that data controllers appoint a DPO who will be responsible for ensuring that they comply with the NDPR. The DPO should have legal and technical knowledge of data protection and must be able to ensure compliance by the company or organization. For instance, a financial institution would be required to have a DPO who will oversee data protection matters, ensure that employees are trained and audited, and report to the appropriate authorities in the event of a breach. This is provided for in Section 2.2 (e) of the NDPR Guidance Notes for Data Controllers.
3. Data Protection Impact Assessment (DPIA): Under the NDPR, organizations are required to conduct a DPIA for data processing projects that may pose risks to data subjects' privacy rights. This assessment should identify potential data protection risks and recommend necessary measures to be put in place to mitigate such risks. For example, if a company collects and processes the health data of its clients, it must conduct a DPIA to identify the potential privacy risks involved and take necessary measures to mitigate those risks. This is contained in Section 3.3 of the NDPR.
4. Data Subject Rights: The NDPR recognizes the rights of data subjects regarding their personal data, and companies must respect and implement such rights.