Breaking Down the Nigeria Data Protection Regulation
The regulation, issued in January, could place Nigeria as a leader in data protection in Africa.
Nigeria, which has long lacked legislation to prevent the misuse of personal data and govern how it is managed, recently enacted its own regulation, the Nigeria Data Protection Regulation.
The country's National Information Technology Development Agency (NITDA) issued the regulation earlier this year, in January; it applies to all transactions intended for the processing of personal data of any natural person residing in Nigeria, or residing outside Nigeria who is a citizen of the country.
NITDA, an institution formed under the NITDA Act in 2007 that is charged with implementing, monitoring, and regulating the country's information technology policy, has been workshopping the regulation for years. It released draft guidelines on data protection - a set of mandatory guidelines for federal, state and local government agencies and institutions as well as private sector organizations which own, use or deploy information systems - in September 2013.
The regulation, like many passed in the last several years, mirrors bits and pieces of the General Data Protection Regulation.
Here are some of the regulation’s key principles:
Under the regulation, personal data can only be processed if at least one of the following applies:
- The data subject has given consent;
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject;
- Processing is necessary for the performance of a task carried out in the public interest or in exercise of an official public mandate vested in the controller.
- No data shall be obtained unless the specific purpose of collection is made known to the Data Subject.
- The Data Controller is under an obligation to ensure that the consent of a Data Subject has been obtained without fraud, coercion or undue influence; accordingly, the following must be disclosed to the Data Subject:
  - What constitutes the Data Subject's consent;
  - Description of collectable personal information;
  - Purpose of collection of Personal Data;
  - Technical methods used to collect and store personal information (cookies, JWT, web tokens, etc.);
  - Access (if any) of third parties to Personal Data and the purpose of that access;
  - A highlight of the principles stated in Part 2;
  - The time frame for remedy; and
  - Provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in this Regulation.
Any entity involved in data processing or the control of data must develop security measures to protect that data, including but not limited to: protecting systems from hackers, setting up firewalls, storing data securely with access restricted to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling personal data and other sensitive data, protecting email systems, and continuous capacity building for staff.
Objections by Data Subject
Data subjects have the right to object to the processing of personal data for marketing purposes, and must be offered a mechanism to object to any form of data processing.
Persons subject to the regulation face the following penalties and obligations:
- Data controllers who deal with more than 10,000 Data Subjects can be fined 2% of their Annual Gross Revenue of the preceding year or the sum of 10 million Naira, whichever is greater.
- Data controllers who deal with fewer than 10,000 Data Subjects can be fined 1% of their Annual Gross Revenue of the preceding year or the sum of 2 million Naira, whichever is greater.
- All public and private organizations that control data of natural persons must, within three months after the regulation's enactment, make available their data protection policies.
- Like the GDPR, every data controller must designate a Data Protection Officer to ensure adherence to the regulation.
- Organizations must conduct a detailed audit of their privacy and data protection practices within six months of the regulation going into effect, detailing:
  - Personally identifiable information the organization collects on employees of the organization and members of the public;
  - Any purpose for which the personally identifiable information is collected;
  - Any notice given to individuals regarding the collection and use of personal information relating to that individual;
  - Any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;
  - Whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed, and any method used to obtain consent;
  - The policies and practices of the organization for the security of personally identifiable information;
  - The policies and practices of the organization for the proper use of personally identifiable information;
  - Organization policies and procedures for privacy and data protection;
  - The policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies;
  - The policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies.