An Overview of The Nigeria Data Protection Act

On June 12, 2023, the Nigerian government took a bold step towards comprehensive data protection. The country enacted the Nigeria Data Protection Act to provide a comprehensive legal framework for data protection. While the European Union (EU) was miles ahead, this decision placed Nigeria on the same journey towards the protection of data.

Prior to this, the Nigerian government made several attempts to protect personal data, one of which is the NDPR.

The NDPR, which stands for Nigerian Data Protection Regulation, was issued in February 2019 and established by the NITDA (Nigerian Information Technology Development Agency). But there wasn’t much regard for it.

Why? A major shortcoming of the NDPR is that it’s subsidiary legislation and lacks vital provisions expected of a comprehensive law. For example, NITDA lacked the statutory authority to establish a commission with wide powers to deal with data privacy issues in Nigeria.

This created a problem between foreign organisations and the Nigerian market, as the former could not trust the latter. So, the NDPA came into play as the principal data legislation in Nigeria. This article will provide an overview of the NDPA, its objectives, basic terminology, scope of application, principles, and penalties.

Objectives of the Nigerian Data Protection Act (NDPA)

Data is invaluable. A look at the estimated amount of data generated worldwide—2.5 quintillion bytes—shows how much the world relies on it. While individuals can pretend not to need data, companies dare not say so. They need data to run promotions, expand into markets, diversify products and, most importantly, for digital marketing.

Companies are not the only users of data; cybercriminals obsess over it too, and they don’t care about who or what gets hurt. So organizations have to implement data protection systems against unauthorized access, loss, or compromise of data.

So, how does the NDPA help out? The primary objective of the NDPA is to safeguard the fundamental rights and freedom of privacy as guaranteed under the constitution of the Federal Republic of Nigeria.

The objectives of the NDPA in detail are:

  • To protect the rights of data subjects by making sure personal data is processed in a lawful, fair, and transparent manner. This aligns with the basic principles of data protection.
  • To provide a legal framework for the regulation and protection of personal data, and a means of remedy where the rights of data subjects are breached.
  • To ensure data controllers and processors comply with their obligations to data subjects.
  • To promote data security and privacy in data processing activities in Nigeria.
  • To ensure the inclusion of Nigeria in the regional and global economies through trusted use of personal data.

Basic terminology in the NDPA

The Nigerian Data Protection Act has unique terminology. Here are some definitions to help you get started.

Data controller

A data controller is an individual, private entity, public commission, agency, or any other body that, alone or jointly with others, determines the purpose and means of processing data.

Data Processor

The act describes a data processor as an individual, private entity, public authority, or any other body who processes data on behalf of a data controller or another data processor.

Personal data

Any information that relates directly or indirectly to an identified or identifiable individual by reference to an identifier, e.g., name, age, identity number, location ID, factors specific to the physical, psychological, cultural, social, or economic state of the individual.

Sensitive personal data

The act defined sensitive data as personal data relating to an individual’s

  • Genetic and biometric data
  • Ethnic origin
  • Religious or similar beliefs, such as philosophy or conscience
  • Sex life
  • Health status
  • Political opinion
  • Trade union membership

And other information deemed sensitive by the commission.

Scope and Application of the Nigerian Data Protection Act

The NDPA applies to the processing, by data controllers and processors, of personal data belonging to data subjects in Nigeria.

The NDPA mandatorily applies in the following instances:

  • Where the data processing takes place in Nigeria.
  • The organisation processing data is not located in the country but processes data belonging to a Nigerian citizen.
  • The data controller or processor is resident, domiciled, or operating in Nigeria.

It’s important to note that the location of the controller or processor doesn’t matter as long as the data subject is in Nigeria; the NDPA applies.

However, the Nigeria Data Protection Act has limitations.

The Nigerian Data Protection Act does not apply to the processing of personal data carried out by one or more persons solely for personal or household purposes. Also, it’s important to know that this exemption applies when such processing doesn’t violate the fundamental rights of a data subject. 

Additionally, the NDPA will not apply if the processing of personal data is carried out by a competent authority for any of the following purposes:

  • the prevention, investigation, detection, prosecution, or adjudication of a criminal offense or to execute a criminal penalty in accordance with any applicable law;
  • to prevent or control a national public health emergency; 
  • for national security; 
  • in respect of publication in the public interest for journalism, educational, artistic and literary purposes to the extent that such obligations and rights are incompatible with such purposes; or
  • necessary to establish, exercise, or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

Basic Principles of the Nigerian Data Protection Act (NDPA)

Just like most data protection regulations around the world, the NDPA has principles guiding organisations to compliance.

Consent

Organisations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely, without coercion or deception. The data subjects also have the right to withdraw their consent.

Now, data processing is lawful without consent when carried out:

  • To protect the interests of the data subject or another person, where the subject is physically or legally incapable of giving consent.
  • To establish, defend a legal claim, get legal advice, or carry out a legal proceeding.
  • To carry out a contract to which the data subject is a third party.
  • To conduct a task of public interest.
  • In situations where a child (under 18 years old) is the data subject, data controllers are to get the consent of the parent or legal guardian.

Lawfulness

Data can only be collected for lawful purposes, which means organizations must clarify the reasons for data collection, processing, and storage. Such purposes should be clearly disclosed to the data subjects.

Accuracy

All the data collected by organizations must be correct. Any inaccuracy should be corrected immediately.

Data minimization

Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes.

Data security

Organizations must take specific precautions to ensure the security of their data. This includes measures against unauthorized access, disclosure, loss, and compromise of data.

The following are some of the best data security practices organizations can use:

  • Pseudonymization
  • Encryption
  • Data masking
  • Periodic risk assessments
  • Creating an incident response plan
  • Regular evaluation of the effectiveness of the data security measures implemented
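To make the first three practices in the list concrete, here is an added example (not code from the original article or from Johan Consults) showing how a controller can pseudonymize a dataset for a stated purpose, mask identifiers for display, and check that no direct identifier leaks into the output. The records, field names, purpose fields and key are all constructed for the demonstration; the pseudonym is a keyed hash (HMAC-SHA256) so that, without the key the controller keeps separately, a token cannot be reversed or brute-forced from a guessable identity number.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records (fictional people); field names are assumptions.
RECORDS: List[Dict[str, str]] = [
    {"name": "Ada Obi", "email": "ada.obi@example.com", "phone": "+2348012345678",
     "nin": "12345678901", "health_status": "asthma", "city": "Lagos"},
    {"name": "Bayo Ade", "email": "bayo@example.org", "phone": "+2348098765432",
     "nin": "98765432109", "health_status": "none", "city": "Abuja"},
]

# Fields the stated purpose (here: city-level health analytics) actually needs.
PURPOSE_FIELDS = {"city", "health_status"}

# Direct identifiers that must never reach the analytics dataset.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "nin"}


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    Same key and same input give the same token, so records about one person
    can still be linked; without the key the token cannot be reversed, and an
    attacker cannot confirm a guessed NIN by hashing it (a plain SHA-256 would
    allow that)."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_email(email: str) -> str:
    """Display masking: keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "*" * len(email)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str) -> str:
    """Display masking: keep only the last four digits."""
    if len(phone) <= 4:
        return "*" * len(phone)
    return "*" * (len(phone) - 4) + phone[-4:]


def pseudonymize_record(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Keep only the purpose fields (data minimization) and replace the NIN
    with a pseudonym; every other direct identifier is dropped."""
    out = {k: v for k, v in record.items() if k in PURPOSE_FIELDS}
    out["subject_id"] = pseudonym(record["nin"], key)
    return out


def build_analytics_dataset(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    return [pseudonymize_record(r, key) for r in records]


def contains_direct_identifier(dataset: List[Dict[str, str]],
                               source: List[Dict[str, str]]) -> bool:
    """Review check: True if any identifier field name, or any raw identifier
    value from the source records, appears in the pseudonymized dataset."""
    raw_values = {r[f] for r in source for f in DIRECT_IDENTIFIERS if f in r}
    for row in dataset:
        if DIRECT_IDENTIFIERS & row.keys():
            return True
        if raw_values & set(row.values()):
            return True
    return False


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-separately"  # constructed; never hard-code in production
    dataset = build_analytics_dataset(RECORDS, demo_key)
    for row in dataset:
        print(row)
    print("leak check:", contains_direct_identifier(dataset, RECORDS))
    print(mask_email(RECORDS[0]["email"]), mask_phone(RECORDS[0]["phone"]))
```

Pseudonymization keeps the data linkable for the controller (the key can regenerate a subject's token), which is why the NDPA still treats it as personal data; masking is one-way and suited to screens and logs where the full value is not needed. The leak check is the kind of test worth running in the pipeline before a pseudonymized extract is shared with a processor.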

Penalties under the Nigerian Data Protection Act

The NDPA penalties are not as harsh as the GDPR. The NDPC (Nigerian Data Protection Commission), the regulatory body for the NDPA, can impose a fine of up to 2% of the global annual profit, or 10 million naira, on defaulting organizations.

Apart from the fine, continuous loss or compromise of data will reduce trust in the organization. This can stunt the organization’s growth.

Like GDPR compliance, keeping up with the NDPA can be a task, which is why most organizations opt for data protection service consultancies.

Data protection consultancy is a professional service that offers expert advice and solutions to organizations on how to follow data protection laws and regulations.

NDPA and NDPR

Sure, the Nigerian Data Protection Act covers most of the NDPR, but it lacks the specificity of the latter. The major difference between the two lies in their scopes and applicability.

The NDPA does not protect Nigerian citizens residing outside of Nigeria, while the NDPR protects Nigerian citizens, home and abroad. This creates two implications.

(1) The personal data of Nigerians abroad does not enjoy protection, unless the data controller or data processor is domiciled in, resident in, or operating in Nigeria; and

(2) The personal data of both Nigerians and non-Nigerians in Nigeria enjoys protection. This is similar to the provisions on territorial scope under the General Data Protection Regulation (GDPR).

Furthermore, the NDPA broadens the scope of “sensitive data” by including biometric data, genetic data, and data relating to the subject’s philosophy or conscience. Additionally, under the NDPA, a change was made to “data breach” to include situations that will “likely lead to” accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed. This has a broader scope than the NDPR.

Finally, under the NDPR, every data controller must appoint a Data Protection Officer (DPO). This is not so in the NDPA; the obligation to appoint a DPO now applies only to data controllers of importance.

In summary, the NDPA and NDPR are more similar than different. In times where there is a conflict between the two, the NDPA reigns supreme.

NDPA and GDPR

The Nigerian Data Protection Act (NDPA) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively. Non-compliance with the GDPR comes with a fine of up to 4% of the annual global profit, or €20 million, whichever is higher. This is higher than the NDPA penalty.

The major difference between the NDPA and GDPR lies in the territorial scope. While the former applies to Nigeria, the GDPR rules the EU.

Conclusion

Compliance with the Nigerian Data Protection Act (NDPA) is important for organizations. It enhances data security, ensures compliance with international standards, and protects the rights of data subjects.

Does your organization struggle with NDPA and GDPR compliance? Johan Consults is the right consultancy for you.

FAQs You May Also Have

  1. When was the NDPA established?

The NDPA was established on June 12, 2023 by President Bola Tinubu.

  2. What is the regulatory body of the NDPA?

The NDPA is enforced by the NDPC (Nigerian Data Protection Commission).

Get Your Business Compliant Today!

Learn Everything Data Protection Here. Download our Free Ebooks and Guides to Get Started!


© Johan Consults Limited Nigeria 2024. All rights reserved. Johan Consults Limited Nigeria.
