Under Review

Based on Draft Data Protection Bill 2022

Nigeria - Data Protection Overview

June 2022

1. Governing Texts

In Nigeria, data protection is a constitutional right founded on Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) ('the Constitution'). The Nigerian Data Protection Regulation, 2019 ('NDPR') is the main data protection regulation in Nigeria. The NDPR was issued by the National Information Technology Development Agency ('NITDA') and expounds the concept of data protection under the Constitution. The NDPR makes provision for the rights of data subjects, the obligations of data controllers and data processors, and the transfer of data to foreign territories, amongst other matters. Although other legislation, as mentioned below, contains some provisions on data protection, the NDPR is the starting point for understanding Nigeria's data protection landscape.

1.1. Key acts, regulations, directives, bills

The following laws and regulations contain provisions on data protection:

In addition, the Draft Data Protection Bill, 2020 ('the Bill') is currently going through the legislative process.

1.2. Guidelines

In addition, the National Information Technology Development Agency ('NITDA') has issued the following guidance:

Furthermore, the Nigerian Data Protection Bureau has published Data Protection Compliance Organisation ('DPCO') criteria.

1.3. Case law

Incorporated Trustees of Laws and Rights Awareness Initiative v. Zoom Video Communications Inc (FHC/AB/CS/53/2020)

This suit was instituted in 2020 by the Incorporated Trustees of Laws and Rights Awareness Initiative against Zoom Video Communications Inc on the basis that Zoom's privacy policy does not comply with the NDPR. The suit is currently before the court, and a decision is yet to be made.

Digital Rights Lawyers Initiative v. National Youth Service Corps (NYSC) (FHC/IB/98/2020)

This suit was instituted in 2020 by the Digital Rights Lawyers Initiative against the National Youth Service Corps ('NYSC'). The claimant asserted that the NYSC published and sold a yearbook containing Corps members' personal details without consent, and is seeking a declaration that the processing of the photos and other personal data of the Corps members violates Section 37 of the Constitution and Section 2.1(a) of the NDPR. The suit is currently before the court, and a decision is yet to be made by the court.

2. Scope of Application

2.1. Personal scope

Generally, these laws and regulations are applicable to any person or entity that collects, stores, uses, or shares the data of individuals or consumers.

The NDPR applies to all transactions intended for the processing of personal data, and to the processing of personal data relating to natural persons in Nigeria, regardless of the means by which the processing is conducted or intended to be conducted.

The Bill would apply to the collection, storage, processing, and use of personal data relating to persons residing in Nigeria and persons of Nigerian nationality, by automated and non-automated means.

2.2. Territorial scope

The NDPR also applies to natural persons residing in Nigeria and to citizens of Nigeria residing outside Nigeria.

2.3. Material scope

The above laws and regulations generally apply to the processing of data. However, Section 35 of the Bill would provide certain exemptions.

Section 35(1) of the Bill provides that the privacy of personal data would be exempt from the provisions of the Bill for the purposes of:

  • public order;
  • public safety;
  • public morality;
  • national security;
  • public interest;
  • the prevention or detection of crime;
  • the apprehension or prosecution of an offender;
  • the assessment or collection of a tax or duty or of an imposition of a similar nature; or
  • publication of a literary or artistic material.

Additionally, Section 35(3) of the Bill stipulates that the Bill would not apply to the processing of personal data for the protection of members of the public:

  • against loss or malpractice as it relates to:
    • banking;
    • insurance;
    • investment;
    • other financial services; or
    • management of a body corporate;
  • against dishonesty or malpractice in the provision of professional services;
  • against the misconduct or mismanagement in the administration of a non-profit making entity;
  • to secure the health, safety, and welfare of persons at work; or
  • to protect non-working persons against the risk to health or safety arising out of or in connection with the action of persons at work.

Moreover, Section 35(6) of the Bill provides that 'the processing of personal data shall be exempt from the provisions on non-disclosure where the disclosure is required by law or by the order of a court'.

Furthermore, Section 35(8) of the Bill provides that personal data is exempt from the data protection principles if it consists of a reference given in confidence by the data controller for the purposes of:

  • education, training, or employment of the data subject;
  • the appointment to an office of the data subject; or
  • the provision of any service for the data subject.

Section 35(9) of the Bill states that personal data is exempt from the subject information provisions where the application of the provisions is likely to prejudice the combat effectiveness of the Armed Forces of the Federal Republic of Nigeria.

Section 35(10) of the Bill provides that the Data Protection Commission ('Commission'), the national authority for data protection which the Bill seeks to establish, may make regulations and guidelines to prescribe exemptions for the processing of personal data to assess a person's suitability for employment by government or appointment to a public office.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

At the moment there is no specific regulator for data protection in Nigeria. Thus, the regulatory body for each sector has been responsible for protecting data. For instance, the Central Bank of Nigeria ('CBN') oversees matters relating to protecting financial data and the Nigerian Communications Commission ('NCC') regulates data collected or processed by internet service providers and telecommunications companies.

Moreover, under the NDPR, the NITDA can set up an administrative redress panel to investigate breach of the NDPR and issue administrative orders.

As mentioned above, the Bill seeks to establish the Commission, which would be responsible for data protection in Nigeria.

3.2. Main powers, duties and responsibilities

If the Bill is passed into law, the Commission will exercise regulatory powers.

Section 9 of the Bill provides that the functions of the Commission are to:

  • protect the personal data and privacy of data subjects by regulating the processing of personal information;
  • provide the process to obtain, store, process, use, or disclose personal information;
  • ensure that data controllers and data processors adhere to the data protection principles as provided for by the Bill in order to protect the fundamental rights and freedoms, particularly privacy of natural persons in relation to the processing of their personal data;
  • assist the facilitation of the free flow of personal data through consultation and cooperation with other relevant agencies in compliance with established data security best practices;
  • act as the supervisory authority, and exercise regulatory powers to:
    • advise and approve risk management processes and systems for data controllers and data processors in order to ensure compliance with the provisions of the Bill;
    • issue directives in the event that their operations are likely to infringe the provisions of the Bill;
    • receive and process complaints from data subjects whose rights have been infringed;
    • order the rectification, completion, or deletion of personal data and impose a temporary or definitive limitation, including a ban, on processing operations; and
    • impose administrative fines or sanctions where data controllers and data processors infringe any provision of the Bill;
  • act with complete independence and impartiality in performing its functions and exercising its powers;
  • promote public awareness of the rights of data subjects and the exercise of those rights, inform data controllers and data processors of their duties and responsibilities, and share best practices in order to ensure the free flow of personal data;
  • be consulted on proposals for any legislative or administrative measures which relate to the processing of personal data;
  • provide relevant regulations, guidelines, and policies relating to transfers of personal data provided for under the Bill, or any other legislation;
  • make regulations for the licensing and certification of data protection compliance officers and organisations;
  • muster the resources necessary for the effective performance of its functions and the exercise of its powers; and
  • prepare and publish its reports annually, outlining its activities which shall be submitted to the President.

4. Key Definitions

Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as, but not limited to, a MAC address, IP address, IMEI number, IMSI number, SIM, and others (Section 1.3(xix) of the NDPR).

Sensitive data: Section 66 of the Bill defines sensitive data as:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health;
  • data concerning a natural person's sex life;
  • personal data concerning the data of a child who is under the age of 16 years; or
  • such other personal data that may be designated as sensitive data by guidelines made by the Commission.

Data controller: A person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed (Section 1.3(x) of the NDPR).

Data processor: The natural or legal person, public authority, service, Commission or any other body which, alone or jointly with others processes personal data on behalf of the data controller (Section 66 of the Bill).

Data subject: An identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity (Section 1.3(xiv) of the NDPR).

Biometric data: There is no specific definition of biometric data in the law. However, the Bill includes biometric data within its definition of sensitive personal data.

Health data: There is no specific definition of health data in the law. However, both the Bill and the NDPR include data relating to an individual's health within their definitions of sensitive personal data.

Pseudonymisation: There is no specific definition of pseudonymisation in the law.

The Nigerian Cloud Computing Policy classifies data into the following categories:

  • official, public, or non-confidential data: Refers to data publicly available and non-sensitive;
  • confidential, routine government business data: Includes health and financial information of natural persons and is regarded as data of moderate sensitivity;
  • secret, sensitive government, and citizen data: Applies to data of both natural and juridical persons. This data is classified as sensitive because its loss may be serious and have material effects on the data subject or related entities; and 
  • classified or national security information: This data is considered sensitive to national security and thus requires additional safeguards.

Data Protection Impact Assessment: There is no definition of 'Data Protection Impact Assessment' in the NDPR. However, Section 3.2(viii) of the Draft Implementation Framework defines a DPIA as a process to identify, evaluate, and minimise possible data protection risks in an existing or new business or organisational activity.

5. Legal Bases

5.1. Consent

Section 2.2(a) of the NDPR stipulates that processing shall be lawful where the data subject has given consent to the processing of personal data for one or more specific purposes.

The data controller must also demonstrate that the data subject has the legal capacity to consent (Section 2.3(2)(a) of the NDPR).

5.2. Contract with the data subject

Section 2.2(a) of the NDPR stipulates that processing shall be lawful where the processing of the data is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

5.3. Legal obligations

Section 2.2(c) of the NDPR stipulates that processing shall be lawful where the processing of the data is necessary for compliance with a legal obligation to which the data controller is subject.

5.4. Interests of the data subject

Section 2.2(d) of the NDPR stipulates that processing shall be lawful where the processing is necessary in order to protect the vital interests of the data subject or of another natural person.

5.5. Public interest

Section 2.2(e) of the NDPR stipulates that processing shall be lawful where the processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller.

5.6. Legitimate interests of the data controller

Please see the section on public interest above.

5.7. Legal bases in other instances

There are no specific legal bases under the NDPR for the processing of employee data or direct marketing.

A data subject has the right to object to the processing of their data where the data controller intends to process the data for marketing (Section 2.8(a) of the NDPR).

6. Principles

Transparency

A data controller has an obligation to take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, including any information relating to a child (Section 3.1(1) of the NDPR).

In addition, prior to collecting personal data from a data subject, a data controller has to inform the data subject of the purpose(s) of the processing for which the personal data is intended as well as the legal basis for the processing (Section 3.1(7)(c) of the NDPR).

Purpose and limitation

A data controller has an obligation to specify in its privacy policy the purpose of processing personal data (Section 2.5(c) of the NDPR).

Where a data controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller shall provide the data subject prior to that further processing with information on that other purpose, and with any relevant further information (Section 3.1(7)(m) of the NDPR).

Limitation

The provisions of the NDPR are sacrosanct and no limitation clause in a privacy policy will exonerate a data controller from liability for violating the NDPR (Section 2.5(i) of the NDPR).

Accuracy

Personal data is expected to be accurate and without prejudice to the dignity of the human person (Section 2.1(1)(b) of the NDPR). A data subject has the right to access and rectify their data (Section 3.1(7)(h) of the NDPR).

Storage Limitation

A data controller has to stipulate in its privacy policy the period for which personal data will be stored, or if that is not possible, the criteria used to determine that period (Section 3.1(7)(g) of the NDPR).

Confidentiality

A data controller is required to put in place data security apparatus in order to keep the collected data confidential and protect it against attacks (Section 2.6 of the NDPR).

Accountability

Anyone who is entrusted with personal data of a data subject or who is in possession of such data is accountable for its acts and omissions in respect of data processing, and in accordance with the principles contained in the NDPR (Section 2.1(3) of the NDPR).

7. Controller and Processor Obligations

Under the NDPR, a data controller must:

  • designate a data protection officer ('DPO') for the purpose of ensuring adherence to the NDPR, relevant data privacy instruments and data protection directives of the data controller - the data controller may outsource data protection to a verifiably competent firm or person (Section 4.1(2) of the NDPR);
  • ensure continuous capacity building for its DPOs and the generality of its personnel involved in any form of data processing (Section 4.1(3) of the NDPR);
  • ensure that the consent of a data subject has been obtained without fraud, coercion, or undue influence (Section 2.3(2) of the NDPR);
  • send a soft copy of the summary of the audit containing information about processed data to NITDA where it processes the personal data of more than 1,000 data subjects in a period of six months (Section 4.1(6) of the NDPR); and
  • submit a summary of its data protection audit to NITDA, by 15 March of the following year, where it processes the personal data of more than 2,000 data subjects within 12 months (Section 4.1(7) of the NDPR).

In addition, the Bill, if enacted, would require data controllers to (Sections 30 and 31 of the Bill):

  • take all necessary measures, including technical and managerial measures to comply with, and be able to demonstrate, in particular to the Commission, that the processing of personal data is performed in accordance with the Bill;
  • ensure that the processing of personal data is proportionate to the legitimate purpose pursued, having regard to the interests, rights, and freedoms of the data subject or the public interest;
  • take into consideration the risks arising from the interests, rights, and fundamental freedoms of data subjects, according to the nature, volume, scope, and purpose of processing the data;
  • subject to Regulations made by the Commission, appoint a DPO responsible for compliance with the obligations under the Bill;
  • examine the likely impact of the intended processing of personal data on the rights and fundamental freedoms of data subjects prior to the commencement of such processing;
  • design the data processing in such a manner, and integrate appropriate technical and organisational measures, as to prevent or minimise the risk of interference with those rights and fundamental freedoms;
  • perform such other duties as may be required by the Bill; and
  • be liable for the processing of personal data carried out on its behalf by a data processor.

Section 32(1) of the Bill provides that the duties of a data processor include the duty to:

  • process personal data on behalf of a data controller only on the written instructions of the data controller;
  • not engage another data processor without the prior written authorisation of the data controller;
  • inform the data controller of changes concerning the addition or replacement of data processors;
  • inform the data controller of any legal requirement that may create risks to the rights and fundamental freedoms of data subjects, unless the law prohibits such notice;
  • take appropriate technical and managerial security measures pursuant to Section 34 of the Bill;
  • assist the data controller by putting in place the appropriate technical and managerial measures for the fulfilment of the data controller's obligations to respond to the rights under the Bill;
  • assist the data controller in ensuring compliance with its security obligations, including security breach notification;
  • at the request of the data controller, delete or return all personal data to the data controller at the end of the provision of services, and delete any copies of personal data unless prohibited by law; and
  • make available to the data controller all information necessary to assist the data controller in demonstrating compliance with its obligations under the Bill and facilitate audits conducted by the data controller or a third-party auditor determined by the data controller.

Section 4.1(3) of the NDPR provides that a data processor has to ensure continuous capacity building for its DPOs and the generality of its personnel involved in any form of data processing.

7.1. Data processing notification

Where a data controller processes the personal data of more than 1,000 data subjects in a period of six months, a soft copy of the summary of the required audit must be submitted to the NITDA, stating its privacy and data protection practices, including:

  • personally identifiable information the organisation collects on employees of the organisation and members of the public;
  • any purpose for which the personally identifiable information is collected;
  • any notice given to individuals regarding the collection and use of personal information relating to that individual;
  • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  • whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
  • the policies and practices of the organisation for the security of personally identifiable information;
  • the policies and practices of the organisation for the proper use of personally identifiable information;
  • organisation policies and procedures for privacy and data protection;
  • the policies and procedures of the organisation for monitoring and reporting violations of privacy and data protection policies; and
  • the policies and procedures of the organisation for assessing the impact of technologies on the stated privacy and security policies (Article 4.1(5) and (6)).

Data controllers who process the personal data of more than 2,000 data subjects in a period of 12 months are required to submit a summary of their data protection audit to the NITDA, not later than 15 March of the following year. The data protection audit must contain the information specified above (Article 4.1(5) and (7) of the NDPR).

The Implementation Framework further specifies that a data protection audit must contain the following information (Section 6.6.1 of the Implementation Framework):

  • the identity and the contact details of the controller;
  • the contact details of the data protection officer;
  • the purpose(s) of the processing for which the personal data are intended as well as the legal basis for the processing;
  • the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the NITDA;
  • period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a relevant authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
  • the existence of automated decision-making, including profiling and, at least, in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject with the basis for this further processing; and
  • where applicable, that the controller intends to transfer personal data to a recipient in a foreign country or international organisation and the existence or absence of an adequacy decision by the NITDA.

The NITDA registers and licenses DPCOs, which monitor and audit data controllers, conduct training, and provide data protection compliance consulting to all data controllers on the NITDA's behalf (Article 4.1(4) of the NDPR).

Audits submitted pursuant to Article 4.1 of the NDPR must be accompanied by a verification statement by a licensed DPCO (Section 10 of the FAQs and 6.8 of the Implementation Framework).

Each controller is expected to pay the following filing fees for annual audit reports (Section 6.5 of the Implementation Framework):

  • NGN 10,000 (approx. €20) for a filing of report of less than 2,000 data subjects; and
  • NGN 20,000 (approx. €40) for a filing of report of 2,000 or more data subjects.

A standard template for the audit report is included in Annexure A of the Implementation Framework (Section 6.6.2 of the Implementation Framework).

7.2. Data transfers

Pursuant to Section 2.11 of the NDPR, the transfer of data to a foreign country falls under the supervision of the Honourable Attorney General of the Federation ('HAGF'). For data to be transferred, the foreign country or international organisation must ensure an adequate level of protection, as determined by NITDA and the HAGF. In determining the adequacy of a third country or organisation, the following considerations will be borne in mind:

  • the legal system of the foreign country notably as it relates to human rights protection, rule of law and relevant legislation;
  • implementation of such legislation;
  • the existence and effectiveness of an independent supervisory authority in the foreign country, or to which an international organisation is subject, responsible for compliance with data protection, for assisting and advising data subjects in exercising their rights, and for cooperation with the relevant authorities in Nigeria; and
  • the commitments of the foreign country or international organisation to data protection through conventions, instruments, and participation in multilateral or regional systems.

Under Section 2.12 of the NDPR, the exceptions to the above requirements are:

  • where the data subject has given their consent after being informed of the risk;
  • where the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
  • where the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • where the transfer is necessary for important reasons of public interest;
  • where the transfer is necessary for the establishment, exercise, or defence of legal claims; and
  • where the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

The data subject has to be aware of possible violations of their rights in the foreign country.

Part X of the Bill sets out conditions for the transfer of personal data abroad, including mechanisms such as an adequacy assessment, ad-hoc or standardised safeguards, explicit data subject consent, prevailing data subject interests, and legitimate interests. The Commission would also have the authority to request information on transfers and that organisations evidence appropriate safeguards, as well as to prohibit transfers and to regulate onward data transfers beyond the initial recipient.

7.3. Data processing records

Yes, there is an obligation to maintain data processing records. Section 4.1(5) of the NDPR requires each data controller to conduct a detailed audit of its privacy and data protection practices, with each audit stating at least:

  • personally identifiable information the organisation collects on employees of the organisation and members of the public;
  • any purpose for which the personally identifiable information is collected;
  • any notice given to individuals regarding the collection and use of personal information relating to that individual;
  • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  • whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;
  • the policies and practices of the organisation for the security of personally identifiable information;
  • the policies and practices of the organisation for the proper use of personally identifiable information;
  • organisational policies and procedures for privacy and data protection;
  • the policies and procedures of the organisation for monitoring and reporting violations of privacy and data protection policies; and
  • the policies and procedures of the organisation for assessing the impact of technologies on the stated privacy and security policies.

7.4. Data protection impact assessment

As part of its audit, a data controller is required to specify the policies and procedures of the organisation for assessing the impact of technologies on its privacy and security policies (Section 4.1(5)(j) of the NDPR). In addition, Section 4.1(5) of the Regulation provides that, within six months after the date the Regulation was issued, each organisation must conduct a detailed audit of its privacy and data protection practices, detailing the following information:

  • personally identifiable information ('PII') the organisation collects on employees of the organisation and members of the public;
  • any purpose for which the PII is collected;
  • any notice given to individuals regarding the collection and use of personal information relating to that individual;
  • any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  • whether or not consent is obtained from an individual before PII is collected, used, transferred, or disclosed, as well as any method used to obtain consent;
  • the policies and practices of the organisation for the security of PII;
  • the policies and practices of the organisation for the proper use of PII;
  • the policies and procedures of the organisation for privacy and data protection; and
  • the policies and procedures of the organisation for monitoring and reporting violations of privacy and data protection policies.

Moreover, where data controllers process personal data of more than 1,000 data subjects in a period of six months, they must submit a soft copy of the audit to NITDA containing the information detailed in Section 4.1(5) of the Regulation (Section 4.1(6) of the Regulation).

Furthermore, data controllers processing personal data of more than 2,000 data subjects in a period of 12 months must submit a summary of the audit to NITDA on an annual basis containing the information detailed in Section 4.1(5) of the Regulation (Section 4.1(7) of the Regulation).

The Draft Implementation Framework

The Implementation Framework requires that data controllers and processors conduct a DPIA in accordance with the provisions of the Regulation (Section 3.2(viii) of the Implementation Framework).

Section 3.2 (viii) of the Implementation Framework states that data controllers and processors/administrators must conduct DPIAs as part of enhancing compliance and reducing liabilities, and within their compliance checklist, where applicable.

Where the organisation intends to embark on a project that would involve the intensive use of personal data, a DPIA should be conducted to identify possible areas where breaches may occur and to devise a means of addressing such risks. Organisations are expected to conduct a DPIA on their processes, services, and technology periodically to ensure continuous compliance (Section 3.2(viii) of the Implementation Framework).

Furthermore, NITDA may request the submission of a DPIA from any data controller or processor/administrator where such processing activities are deemed to be of high impact on data subjects. A DPIA may be required for the following types of processing (Section 4.2 of the Implementation Framework):

  • evaluation or scoring (profiling);
  • automated decision-making with legal or similar significant effect;
  • systematic monitoring;
  • when sensitive or highly personal data is involved;
  • when personal data processing relates to vulnerable or differently-abled data subjects; and
  • when considering the deployment of innovative processes or application of new technological or organisational solutions.

Annexure A of the Implementation Framework sets out the audit template for compliance with the Regulation as a guideline for data controllers and administrators to show evidence of compliance.

No. 1.18 of the template requests a policy for conducting DPIAs on existing or potential projects.

No. 1.19 of the template asks, based upon Article 4.5 of the Regulation, whether the DPIA policy addresses issues such as:

  • a description of the envisaged processing operations;
  • the purposes of the processing;
  • the legitimate interest pursued by the controller;
  • an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • an assessment of the risks to the rights and freedoms of data subjects; and
  • risk mitigation measures being proposed to address the risk.

Under Section 3.7(c)(iv) of the Implementation Framework, a DPO must have the requisite knowledge to advise on DPIAs and to monitor their performance.

7.5. Data protection officer appointment

Yes. Both data controllers and processors are required to appoint a DPO. A data controller or processor can also outsource the role to a verifiably competent firm or person. There are no specific requirements in this regard. However, a data controller or processor has to ensure continuous capacity building for its DPO and for its personnel involved in any form of data processing. To comply with Article 4.1(3) of the NDPR, the Audit Template suggests the annual training of DPOs (Section 2.2 of the Audit Template).

The Implementation Framework specifies that a data controller is required to appoint a dedicated DPO within six months of commencing business or within six months of the issuance of the Implementation Framework itself, where one or more of the following conditions are present (Section 3.4.1 of the Implementation Framework):

  • the entity is a government organ, ministry, department, institution or agency;
  • the core activities of the organisation involve the processing of personal data of more than 10,000 data subjects annually;
  • the organisation processes sensitive personal data in the regular course of its business; and
  • the organisation possesses critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of personal data.

The NDPR does not include provisions for the role of the DPO, however, the Implementation Framework and the Audit Template outline that to comply with Article 4.1(2) of the NDPR, a DPO must have verifiable professional expertise and knowledge of data protection to do the following (Section 3.7 of the Implementation Framework and Section 2.2 of the Audit Template):

  • inform and advise the business, management, employees, and third parties who carry out processing, of their obligations under the NDPR;
  • monitor compliance with the NDPR and with the organisation's own data protection objectives;
  • assign responsibilities, raise awareness, and train staff involved in processing operations;
  • provide advice where requested as regards a Data Protection Impact Assessment and monitor its performance;
  • cooperate with NITDA; and
  • act as the contact point for NITDA on issues relating to data processing.

However, the Implementation Framework clarifies that, notwithstanding any contractual, civil or criminal liability, a DPO is not personally liable for the organisation's non-compliance with applicable data protection laws (Section 3.6 of the Implementation Framework).

Prior to collecting personal data from a data subject, the controller must provide the data subject with the contact details of the DPO (Article 3.1(7) of the NDPR).

Multinational companies meeting one or more of the conditions under Section 3.4.1 of the Implementation Framework and with a subsidiary in Nigeria must appoint a country-based DPO (Section 3.5 of the Implementation Framework).

To comply with Article 4.1(2) of the NDPR, the Audit Template suggests evaluating the DPO's other professional responsibilities to confirm there is no conflict of interest and ensuring DPOs have sufficient access, support, and the budget to perform their role (Section 2.2 of the Audit Template).

Moreover, a DPO shall be chosen having regard to the nature of the processing activities and the data protection issues that arise within the organisation (Section 3.7 of the Implementation Framework).

Where NITDA has ascertained that an organisation is in breach of the NDPR, it may issue an order for compliance with relevant provisions to curtail further breaches and may prescribe an additional monetary sanction (Section 10.1.4 of the Implementation Framework).

7.6. Data breach notification

Section 21(1) of the Cybercrimes Act provides that any person or institution who operates a computer system or a network, whether public or private, must immediately inform the Nigeria Computer Emergency Response Team ('ngCERT') of any attacks, intrusions, and other disruptions liable to hinder the functioning of another computer system or network, so that ngCERT can take the necessary measures to tackle the issues.

Section 21(3) of the Cybercrimes Act provides that any person or institution who fails to report any such incident to ngCERT within seven days of its occurrence commits an offence and shall be liable to denial of internet services. Such a person or institution shall, in addition, pay a mandatory fine of NGN 2 million (approx. €4,600) into the National Cyber Security Fund.

Section 17(3) of the Bill states that a data subject has the right to be notified of a data breach affecting them within 48 hours after notification to the Commission.

Banks and other financial institutions have an obligation to report such breach to the CBN while telecommunication companies and internet service providers are required to report to the NCC.

7.7. Data retention

Section 38(1) of the Cybercrimes Act provides that a service provider shall keep all traffic data and subscriber information, as may be prescribed by the authority responsible for the time being for the regulation of communication services in Nigeria, for a period of two years.

Non-compliance is an offence, punishable upon conviction with imprisonment for a term of not more than three years or a fine of not more than NGN 7 million (approx. €16,000) (Section 38(6) of the Cybercrimes Act).

7.8. Children's data

Yes, there are specific provisions that regulate the processing of a child's data.

Section 8 of the Child Rights Act 2003 stipulates that every child has the right to privacy, family life, home, correspondence, telephone conversation, and telegraphic communications.

Section 2.4(a) of the NDPR provides that no consent shall be sought, given, or accepted in any circumstance that may engender a child rights violation.

Section 3.1(1) of the NDPR requires a data controller to take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information relating to a child.

Clause 26(1)(a) of the Bill states that unless otherwise provided by the Bill or any other extant legislation, a person shall not process personal data which relates to a child who is under parental or guardian control in accordance with existing law.

Clause 26(2)(b) of the Bill states that a data processor or data controller may process sensitive personal data where the data subject consents or in the case of a child under parental control, the prior consent of the parent or guardian is obtained before processing.

7.9. Special categories of personal data

No, there are no specific provisions regarding the processing of special categories of personal data, including criminal conviction data.

7.10. Controller and processor contracts

Section 2.4(b) of the NDPR provides that a data controller and processor have a duty to take reasonable measures to ensure that a party to a data processing contract (other than the data subject) does not have a record of violating the rights of a data subject. Moreover, every data controller and processor shall be liable for the actions or inactions of third parties which handle the personal data of data subjects under the NDPR.

8. Data Subject Rights

Under the NDPR (Part 3) and the Bill (Part V), data subjects have the following rights:

  • right to be informed of the processing of data;
  • right to complain or send a request to the data controller;
  • right to obtain information about their data from the data controller free of charge except as otherwise provided by regulation or public policy;
  • right to know the details of the data controller;
  • right to withdraw consent;
  • right to access their personal data;
  • right to data portability;
  • right to data rectification;
  • right to restrict or object to the processing of their data;
  • right to be informed where their data is being processed for additional purposes;
  • right to be informed about the transfer of their data to another country;
  • right to complain to the relevant authority; and
  • right to data deletion.

8.1. Right to be informed

A data controller is required to take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information relating to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means (Section 3.1(1) of the NDPR).

8.2. Right to access

A data subject has the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format, and have the right to transmit that data to another data controller without hindrance from the data controller to which the personal data has been provided (Section 3.1(14) of the NDPR).

8.3. Right to rectification

A data subject has the right to be notified by the data controller of the rectification of data (Section 3.1(13) of the NDPR).

8.4. Right to erasure

A data subject has the right to the erasure of their personal data (Section 3.1(13) of the NDPR).

8.5. Right to object/opt-out

Under the NDPR, data subjects have the right to withdraw their consent to the processing of their personal data at any time. In addition, a data subject may choose to object to the processing of personal data relating to them which the data controller intends to process for the purpose of marketing (Section 2.8 of the NDPR).

8.6. Right to data portability

A data subject has the right to transmit personal data from one data controller to another without hindrance from the data controller (Section 3.17(h) of the NDPR).

8.7. Right not to be subject to automated decision-making

Prior to collecting personal data from a data subject, the data controller has to provide the data subject with information regarding the existence of automated decision-making (Section 3.17(l) of the NDPR).

8.8. Other rights

A data subject has the right to access and obtain personal data free of charge (Section 3.1(5) of the NDPR). However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either:

  • charge a reasonable fee considering the administrative costs of providing the information or communication or taking the action requested; or
  • write a letter to the data subject stating its refusal to act on the request, and copy the NITDA on every such occasion through a dedicated channel which shall be provided for that purpose.

9. Penalties

Section 2.10 of the NDPR provides that any person subject to the NDPR who is found to be in breach of the data privacy rights of any data subject shall be liable, in addition to any other criminal liability, to the following:

  • in the case of a data controller dealing with more than 10,000 data subjects, payment of a fine of 2% of annual gross revenue of the preceding year or payment of the sum of NGN 10 million (approx. €22,900), whichever is greater; or
  • in the case of a data controller dealing with less than 10,000 data subjects, payment of a fine of 1% of the annual gross revenue of the preceding year or payment of the sum of NGN 2 million (approx. €4,600), whichever is greater.

The Bill provides for various offences and sanctions under Part XI, including fines of potentially NGN 10 million (approx. €22,900) or imprisonment for up to two years.

9.1. Enforcement decisions

Although the NDPR empowers NITDA to sanction data controllers and processors who violate the provisions of the NDPR, NITDA is yet to exercise its sanctioning powers against any data controllers and processors.