Comparing privacy laws: GDPR v. Nigerian Data Protection Regulation
This report was updated in June 2021.
The National Information Technology Development Agency (NITDA) released the Nigerian Data Protection Regulation (NDPR) on January 25, 2019. The NDPR is strongly influenced by the EU General Data Protection Regulation (GDPR), with several articles containing similar and, in some cases, identical language.
In Nigeria, data protection is a constitutional right found within the Constitution of the Federal Republic of Nigeria. The NDPR expounds on the concept of data protection under the Constitution and contains requirements for data controllers and data processors when processing personal data.
What is the Nigerian Data Protection Regulation?
The Nigeria Data Protection Regulation 2019 is the primary data protection law in Nigeria and is heavily based on the GDPR.
There are several comparable definitions, provisions, and requirements between the GDPR and the NDPR. These include definitions of data controllers and data processors, which are referred to as 'data administrators', as well as 'personal data' and 'sensitive personal data'. The NDPR also sets out several recognizable data processing principles, including accountability and purpose limitation.
The NDPR provides data subjects with an extensive range of rights, including the right to erasure or deletion, access, and data portability.
The regulatory framework in Nigeria introduces the concept of private Data Protection Compliance Organisations (DPCOs) that assist the NITDA with oversight of the implementation of the NDPR and with enforcement against non-compliance. The NDPR also introduces a requirement to conduct regular data protection audits when the processing of personal data meets a certain threshold.
In November 2020, NITDA released the NDPR Implementation Framework which was developed to assist data controllers and data administrators with understanding the controls and measures they need to introduce into their operations in order to comply with the NDPR.
The NDPR Implementation Framework also establishes the need for an organization to appoint a data protection officer (DPO) and lists the countries with an adequacy decision relating to their data protection law or data privacy law for the purposes of international data transfers.
GDPR v. NDPR
The GDPR v. NDPR comparison report provides a means of analyzing and comparing data protection requirements and recommendations under the GDPR and the data protection regulation of Nigeria.
The Report, produced by OneTrust DataGuidance’s in-house analyst team, examines legally binding obligations under the NDPR. The scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities set out by these provisions are detailed and compared with the requirements laid out under the GDPR.
In particular, it is noted that the two laws are fairly consistent, though with some major differences in territorial and personal scope, children’s data, and record-keeping requirements.
Key takeaways:
- The material scope of the two laws is also very consistent and both provide similar definitions for 'processing', 'personal data' and 'sensitive personal data'
- However, there is a significant difference in territorial and personal scope
- In addition, the NDPR does not require record-keeping, unlike the GDPR
- Sanctions and enforcement actions are provided for, although the NDPR does not set out how NITDA will calculate fines