
Data Protection Bill: Know Its Guidelines, Objectives and Penalties

In recent times, Nigerian businesses have engaged in a losing battle against data threats of all kinds: phishing attacks, malware, ransomware, etc. As proof, statistics reveal that in 2021, 71% of Nigerian firms were hit by ransomware, and small and medium businesses have it even worse. Additionally, phishing attacks on SMEs grew by 87% in 2022, compared to 37% in 2021.

These attacks had terrible consequences as scams, impersonations, and loss of privacy became the norm. This situation discouraged foreign organisations from investing seriously in the country.

The Director of Research and Development, Mr. John Dumesi, said, “Part of the findings and key threat trends we discovered are that data protection policies, enforcement, and disclosure practices are grossly lagging; there is a surge in corporate phishing attacks.”

It became obvious that Nigeria needed a strong data protection policy, and in 2023, a data protection bill was passed by the Nigerian government. In this article, you’ll learn what the Data Protection Bill means for Nigerians.

What is the Data Protection Bill in Nigeria?

The data protection bill in Nigeria was passed into law as the Nigeria Data Protection Act (NDPA) on June 12, 2023, by President Bola Ahmed Tinubu to protect Nigerian data from loss, compromise, and theft.

The Objectives of the Data Protection Bill, 2023

The data protection bill for 2023 came on the heels of the NDPR (Nigerian Data Protection Regulation), which was replaced due to insufficient policies and weak enforcement.

The primary objective of the Data Protection Bill is to protect the fundamental rights and freedoms of data subjects by regulating the processing of personal data.

The following objectives are as stated in the document:

  • “Protecting data subjects’ rights as well as providing means of recourse and remedies in the event of breaches; ensuring that data controllers and data processors fulfill their obligations to data subjects.”
  • “Promoting data processing practices that safeguard the security of personal data and the privacy of data subjects; ensuring that personal data is processed in a fair, lawful, and accountable manner.”
  • “Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial, trusted use of personal data.”
  • And finally, “Establishing an impartial, independent, and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors.”

Data Protection Bill Highlights 

The bill encompasses a broad range of laws, but here are the data protection bill highlights—the most important ones.


Establishment of the Nigerian Data Protection Commission (NDPC)

A law is only as effective as its enforcement. This statement is a known fact all over the world.

As a matter of fact, a lack of proper enforcement led to the NDPR's cancellation. The Data Protection Bill made the necessary provisions for its own enforcement.

According to Section 7 of the bill, the NDPC was established to:

  • Promote awareness of risks to personal data and data protection measures, including the rights and obligations granted under the Act.
  • Ensure the use of technological and organisational data protection measures.
  • Foster the development of personal data protection technologies in accordance with recognised international good practices and applicable international law.
  • Promote awareness of data controllers and processors’ obligations under the Act. 

Data Processing Guidelines

The guidelines are very straightforward. Data controllers and processors are not allowed to process sensitive personal data, either themselves or through a third party, unless:

  • The processing is necessary for exercising or performing the rights or obligations of the data controller or the data subject under employment, social security laws, or any other similar laws.
  • The data subject has given and not revoked consent to the processing for the specific purpose or purposes for which it will be processed.
  • It is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent.

In the situations above, the Data Protection Bill applies the following principles:

  • Data can only be processed for lawful purposes, which must be stated clearly beforehand.
  • The consent of data subjects must be obtained. Data subjects also have the right to withhold or withdraw consent at any point.
  • The data collected must not be used for any purpose other than the stated one.
  • For no reason should personal data be stored beyond the necessary timeframe. Also, data subjects can request deletion or destruction of their data by data controllers.
  • All data must be accurate, with inaccuracies corrected immediately.
  • Lastly, the integrity of personal data must be kept with the utmost priority.

The NDPC is tasked with enforcing compliance with the rules.

Child Consent

The bill caters to the data of all Nigerian citizens, children included.

In the Bill, a child is an individual under the age of 18.

Section 33 of the bill states that:

The data controller must obtain the consent of the child’s parent or legal guardian before processing personal data.

It also emphasises the use of government-approved identification documents to prove the child’s age and consent.

However, this does not apply when:

  • Processing is necessary to protect the interests of the child.
  • The processing is carried out for medical or social care purposes by a professional or similar service provider with a duty of confidentiality.

Data Breach Management

Data breaches, as a constant threat, have gained the attention of the Nigerian government. So, the bill laid out a proper guide for their management.

The Data Protection Bill mandates data controllers and processors to keep a record of all personal data breaches.

In addition, data controllers are to report every data breach that occurs to the NDPC within 72 hours. However, this timeframe can be extended due to the legal needs of law enforcement.

Data Protection Officer and Compliance Services

Section 33 of the bill mandates data controllers and processors of “major importance” to have a data protection officer well-versed in the data protection laws and practices.

The DPO can be an employee or outsourced from a data protection service consultancy. Also, the Data Protection Bill 2023 outlines the tasks of a DPO as follows:

  • Advising the data controller, processor, and respective employees on data processing.
  • Ensuring compliance with the bill and related policies (GDPR Compliance).
  • Serving as the commission's point of contact with the data controller or processor.


International Data Transfers

Section 43(1)(a) states:

“A data controller or data processor shall not transfer personal data from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data, or a permitted condition outlined in Section 45 of the Bill.”

In a nutshell, data from Nigeria can only be transferred to countries with adequate data protection laws.

Data Protection Bill Penalties

Lastly, the bill includes penalties for non-compliance. Under the bill, controllers and processors are grouped into two: data controllers and processors of “major importance”, and others.

For data controllers and processors of major importance, the penalty shall be greater than NGN 10 million and 2% of their annual gross revenue from Nigeria in the preceding financial year.

For others, the fine is NGN 2 million and 2% of the annual gross revenue from Nigeria in the preceding financial year.

Conclusion

The bill is a significant step by Nigeria towards safeguarding personal data. Although not as comprehensive as the GDPR, it is sufficient.

By ensuring international data transfer compliance and imposing penalties for non-compliance, the bill protects data subjects’ rights and boosts Nigeria’s participation in the global digital economy. 

Reach out to Johan Consults for more enquiries.


© Johan Consults Limited Nigeria 2024. All rights reserved. Johan Consults Limited Nigeria.
