Data Protection Bill: Know Its Guidelines, Objectives and Penalties

In recent times, Nigerian businesses have been fighting a battle against data threats of all kinds, and the odds are not in their favor. In 2021, 71% of Nigerian firms were hit by ransomware. Small and medium businesses have it even worse: phishing attacks on SMEs grew by 87% in 2022, compared to 37% in 2021.

These attacks had terrible consequences. Scams, impersonations, and loss of privacy became the norm. All these discouraged foreign organizations from investing seriously in the country.

The Director of Research and Development, Mr. John Dumesi, said, “Part of the findings and key threat trends we discovered are that data protection policies, enforcement, and disclosure practices are grossly lagging; there is a surge in corporate phishing attacks.”

It was obvious that Nigeria needed a strong data protection policy. In 2023, a data protection bill was passed by the Nigerian government. In this article, you’ll learn what the Data Protection Bill means for Nigerians.

The Objectives of the Data Protection Bill 2023

The data protection bill for 2023 came on the heels of the NDPR (Nigerian Data Protection Regulation). Eventually, the NDPR was replaced by the NDPA (Nigerian Data Protection Act), due to insufficient policies and weak enforcement.

The primary objective of the data protection bill is to protect the fundamental rights and freedoms of data subjects by regulating the processing of personal data.

The following objectives are as stated in the document:

– “Protecting data subjects’ rights as well as providing means of recourse and remedies in the event of breaches; ensuring that data controllers and data processors fulfill their obligations to data subjects”

– “Promoting data processing practices that safeguard the security of personal data and the privacy of data subjects; ensuring that personal data is processed in a fair, lawful, and accountable manner.”

– “Strengthen the legal foundations of the national digital economy and guarantee the participation of Nigeria in the regional and global economies through the beneficial, trusted use of personal data.”

– And finally, “Establishing an impartial, independent, and effective regulatory commission to superintend over data protection and privacy issues and supervise data controllers and data processors.”

Major Highlights of the Data Protection Bill

Establishment of the Nigerian Data Protection Commission (NDPC)

A law is only as effective as its enforcement, a fact recognized all over the world. Indeed, lack of proper enforcement led to the NDPR’s cancellation. The Data Protection Bill made the necessary provisions for its own enforcement.

According to Section 7 of the bill, the NDPC is to:

1. Promote awareness of risks to personal data and data protection measures, including the rights and obligations granted under the Act.

2. Ensure the use of technological and organizational data protection measures.

3. Foster the development of personal data protection technologies in accordance with recognized international good practices and applicable international law.

4. Promote awareness of data controllers’ and processors’ obligations under the Act.

Data Processing Guidelines

The guidelines are very straightforward. Data controllers and processors are not allowed to process sensitive personal data, either themselves or through a third party, unless:

– The processing is necessary for exercising or performing the rights or obligations of the data controller or the data subject under employment, social security laws, or any other similar laws.

– The data subject has given and not revoked consent to the processing for the specific purpose or purposes for which it will be processed.

– It is necessary to protect the vital interests of the data subject or of another individual where the data subject is physically or legally incapable of giving consent.

In the situations above, the Data Protection Bill lays down the following principles:

1. Data can only be processed for lawful purposes, which must be stated clearly beforehand.

2. The data subject must consent before the use of his or her data. Data subjects also have the right to withhold or withdraw consent at any point.

3. The data collected must not be used for any purpose other than the stated one.

4. For no reason should personal data be stored beyond the necessary timeframe. Also, data subjects can request deletion or destruction of their data by data controllers.

5. All data must be accurate, with inaccuracies corrected immediately.

6. Lastly, the integrity of personal data must be kept with the utmost priority.

The NDPC is responsible for enforcing compliance with the rules.

Child Consent

The data protection bill also caters to the data of all Nigerian children. According to the Bill, a child is an individual under the age of 18. Section 33 of the bill states that “The data controller must obtain [the consent of] the child’s parent or legal guardian before processing personal data.”

It also emphasizes the use of government-approved identification documents to prove the child’s age and consent. However, this does not apply when:

1. Processing is necessary to protect the interests of the child,

2. The processing is for medical or social care purposes by a professional or similar service provider with a duty of confidentiality.

Data Protection Impact Assessment

Section 28(1) requires data controllers to conduct a DPIA on every project likely to cause a high risk to the rights of data subjects. This is to identify and reduce the risks to data.

In the event of identified high risk, controllers are mandated to consult the NDPB.

Data Breach Management

Data breaches, as a constant threat, have gained the attention of the Nigerian government, so the bill laid out a proper guide for their management.

The Data Protection Bill mandates data controllers and data processors to keep a record of all personal data breaches.

In addition, data controllers are to report every data breach that occurs to the NDPC within 72 hours. However, this timeframe can be extended due to the legal needs of law enforcement.

Data Protection Officer and Compliance Services

Section 33 of the bill mandates data controllers and processors of “major importance” to have a data protection officer well-versed in the data protection laws and practices.

The DPO can be an employee or outsourced from a data protection service consultancy. The Data Protection Bill 2023 outlines the tasks of a DPO as follows:

– Advising the data controller, processor, and respective employees on data processing.

– Ensuring compliance with the bill and related policies (GDPR Compliance).

– Acting as the point of contact for the commission with the data controller or processor.

International Data Transfers

Section 43(1)(a) states:

“A data controller or data processor shall not transfer personal data from Nigeria to another country unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection with respect to the personal data, or a permitted condition outlined in Section 45 of the Bill”.

In a nutshell, data from Nigeria can only be transferred to countries with adequate data protection laws.

Data Protection Bill Penalties

Lastly, the bill contains penalties for non-compliance. The bill groups controllers and processors into two: data controllers and processors of “major importance”, and others.

For data controllers and processors of major importance, the penalty shall be greater than NGN 10 million and 2% of their annual gross revenue from Nigeria in the preceding financial year.

For others, the fine is NGN 2 million and 2% of the annual gross revenue from Nigeria in the preceding financial year.

Conclusion

The bill is a significant step by Nigeria towards safeguarding personal data. Although not as comprehensive as the GDPR, it is sufficient.

By ensuring international data transfer compliance and imposing penalties for non-compliance, the bill protects data subjects’ rights and boosts Nigeria’s participation in the global digital economy.

© Johan Consults Limited Nigeria 2024. All rights reserved. Johan Consults Limited Nigeria.
