
NIGERIAN DATA PRIVACY LAW COMPLIANCE AND CONSEQUENCES FOR BREACH

Updated: Oct 12, 2023



In an age of globalized information sharing, the importance of personal data privacy cannot be overstated. As such, countries around the world have enacted laws to protect the personal data of consumers. In Nigeria, the Nigeria Data Protection Regulation 2019 (NDPR) sets out the rules for collecting, processing, and storing personal data. The goal of the NDPR is to ensure that the personal data of Nigerian citizens is secure from unauthorized access or misuse.


The NDPR applies to any organization operating in Nigeria, regardless of where it is based, if it processes the personal data of Nigerian citizens. The regulation covers all data processing activities, regardless of industry or sector, and binds both data controllers and data processors.


SOME ESSENTIAL PROVISIONS OF THE NDPR:


1. The NDPR requires that data controllers obtain the express consent of data subjects before collecting, processing, or disclosing their personal information. It defines "personal data" as any information that identifies an individual, such as name, email address, national identification number, address, biometric data, financial information, and medical information. For example, if a company wants to collect customer data such as names, phone numbers, email addresses, and other personal information for marketing purposes, it must obtain the express consent of the data subjects before collecting or processing that information. This is in line with Section 2.1 (d) of the NDPR.


2. Data controllers must appoint a DPO (Data Protection Officer) who will be responsible for ensuring that they comply with the NDPR. The DPO should have legal and technical knowledge of data protection and must be able to ensure compliance by the company or organization. For instance, a financial institution would be required to have a DPO who oversees data protection matters, ensures that employees are trained and audited, and reports to the appropriate authorities in the event of a breach. This is provided for in Section 2.2 (e) of the NDPR Guidance Notes for Data Controllers.


3. Under the NDPR, organizations are required to conduct a DPIA (Data Protection Impact Assessment) for data processing projects that may pose risks to data subjects' privacy rights. The assessment should identify potential data protection risks and recommend the measures needed to mitigate them. For example, if a company collects and processes the health data of its clients, it must conduct a DPIA to identify the potential privacy risks involved and take the necessary measures to mitigate those risks. This is contained in Section 3.3 of the NDPR.


4. The NDPR recognizes the rights of data subjects regarding their personal data, and companies must respect and implement such rights. These rights include the right to access, the right to correction, the right to object, and the right to the erasure of their personal data where appropriate. For instance, if an individual believes that their personal data held by a company or organization is inaccurate, incomplete, out of date, or unlawfully obtained or processed, they have the right to correction, and the company or organization must ensure that such corrections are made promptly. This is included in Section 3.5 of the NDPR.


5. The NDPR requires that data controllers report any data breaches involving personal data to the relevant authorities within 72 hours of discovering the data breach. The data controllers must also inform the affected data subjects of such breaches promptly. For example, if a company's database containing personal data is hacked, and personal data is lost, stolen, or misused, the company must promptly report the breach to the official authorities and notify the affected individuals. This is provided for in Section 2.2 and Section 4.3 of the NDPR.


6. Personal data may be transferred outside Nigeria, but only subject to certain conditions. Express consent from the data subject must first be obtained before transferring their personal data outside Nigeria. The recipient country or organization must have data protection laws and regulations similar or equivalent to the NDPR. Data controllers must also execute a written agreement with the receiving party, stipulating the terms of the transfer and guaranteeing the protection of personal data according to the NDPR. The transfer must also be necessary for the performance of a contract or pre-contractual measures at the request of the data subject. Data controllers must be transparent with data subjects about the transfer of their personal data and put in place measures to protect the data being transferred.


CONSEQUENCES OF BREACH

The NDPR imposes severe consequences for any company or individual that breaches its provisions. The penalties for violation of the NDPR include:


1. A fine of up to 2% of the annual gross revenue of the previous year or up to 10 million Naira (whichever is greater) and the possibility of criminal prosecution.


2. In the case of a second offense, a fine of up to 3% of the annual gross revenue of the previous year or up to 25 million Naira (whichever is greater) and the possibility of criminal prosecution.


These penalties underline the importance that the Nigerian government places on personal data privacy and highlight the need for businesses to prioritize compliance.


COMPLIANCE WITH NIGERIAN DATA PRIVACY LAW: THE NECESSARY STEPS COMPANIES MUST TAKE

1. Appoint a Data Protection Officer (DPO) who will be responsible for ensuring that the company complies with the data protection regulation.


2. Conduct a data protection impact assessment (DPIA) for any data processing activity that may pose a risk to the privacy rights of individuals. The assessment identifies potential data protection risks so that the necessary measures can be put in place to mitigate them. This requirement is stipulated in Section 3.3 of the NDPR.


3. Obtain the express consent of data subjects before collecting, processing, or disclosing their personal information. This consent must be freely, specifically, and explicitly given, and data subjects must be informed of the purpose for which their data will be used. This is stated in Section 2.1 (d) of the NDPR.


4. Companies must respect data subject rights, including the right to access, correct, or delete their personal data. Data subjects also have the right to object to the use of their personal data and to restrict their data processing under certain conditions. This is provided for in Section 2.3 and Section 3.5 of the NDPR.


5. Companies must implement appropriate technical and organizational security measures to guarantee the confidentiality, integrity, and availability of personal data. This may include access controls, encryption, and secure storage. This requirement is stipulated in Section 2.2 and Section 2.3 of the NDPR.


6. Training and awareness sessions must be conducted for all staff members on the importance of data protection, the NDPR regulations, and the consequences of any violations. This is prescribed in Section 2.2 (k) of the NDPR Guidance Notes for Data Controllers.


7. Companies must report any unauthorized access to or loss of personal data to the National Information Technology Development Agency (NITDA) within 72 hours of discovery. Prompt reporting enables timely remedial action and helps limit further harm from the breach. This requirement is provided for in Section 2.2 and Section 4.3 of the NDPR.


CONCLUSION

In conclusion, the NDPR makes clear that non-compliance has serious consequences, including reputational damage, legal penalties, and compensation claims from affected individuals. By complying with the NDPR and securing personal data, companies protect their customers, maintain consumer trust, and avoid legal penalties. Companies should therefore prioritize compliance with the NDPR.
