Organizations all over the world face a great challenge: how to safeguard data. The process of safeguarding data, known as data protection, is a delicate one. Companies, whether small, medium, or large, are exposed to data threats like cyberattacks, accidental loss, and compromise. When the wrong persons access data, forgeries, targeted attacks, and impersonations are some of the consequences. This pushed countries, Nigeria included, to lay ground rules to guide organizations through protecting the data of their citizens. Examples are the NDPR, GDPR, UK GDPR, etc.
In this article, you’ll learn all there is to know about the Nigerian Data Protection Regulation (NDPR).
What is the NDPR?
NDPR stands for Nigerian Data Protection Regulation. It is a set of rules guiding the protection of Nigerian data by organizations.
The Nigerian Data Protection Regulation has four objectives, which are:
- To prevent manipulation of personal data
- To protect the rights of the natural person to data privacy
- To promote the safe conduct of transactions involving personal data
- To ensure Nigerian businesses remain competitive in international trade through the protections provided by a fair, legal data protection framework, in line with best practices.
Territorial scope of the NDPR
Just like most data protection laws, its reach extends beyond Nigerian borders. The NDPR applies to any organization processing the personal data of Nigerian citizens (home or abroad), regardless of its geographical location.
For instance, if an organization in the EU wants to process the personal data of a Nigerian citizen, it has to follow the NDPR.
When was the NDPR Established?
The Nigerian Data Protection Regulation was established in January 2019 by the National Information Technology Development Agency (NITDA).
Who Regulates NDPR?
In the initial stages, the NITDA was the regulatory body. However, the NITDA was stretched beyond what was necessary, and there was a need to create a separate body for the NDPR.
The Nigeria Data Protection Bureau (NDPB) was established as the regulatory body. The purposes of NDPB are:
- Ensuring compliance with data protection laws and regulations
- Implementing data protection policies
- Enlightening individuals and organizations in Nigeria on data privacy rights.
Principles of the NDPR
The Nigerian Data Protection Regulation sets out some principles guiding organizations (data controllers):
Consent
Organizations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely with no trace of foul play. The data subjects also have the right to withdraw their consent.
Lawfulness
Data can only be collected for lawful purposes. Organizations must clarify the reasons for data collection, processing, and storage. Such purposes should be clearly disclosed to the data subjects.
Accuracy
Another principle is accuracy. All the data collected by organizations must be correct. Any inaccuracy should be rectified immediately.
Data minimization
Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes.
Security
Organizations must take specific precautions to ensure data security. This includes measures against unauthorized access, disclosure, loss, and alterations of personal data.
Rights of data subjects
Also, the NDPR has provisions for data subjects. Individuals have the clear right to halt the processing of their data. They can also request access, erasure, and correction.
Differences between the NDPR and NDPA
NDPA stands for the Nigerian Data Protection Act. It was issued in February 2023.
The NDPA is the current data protection law in Nigeria. Its issuance did not completely overrule the previous laws—NDPR and the Data Protection Bill. Rather, they were placed under its umbrella.
While the NDPA covers most of the NDPR, it lacks the specificity of the latter.
The major difference between the two lies in the definition of terms.
- The NDPA broadens the scope of “sensitive data” by including biometric data, genetic data, and data relating to the subject’s philosophy or conscience.
- Under the NDPA, personal data breaches are newly defined to include situations that will “likely lead to” accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed. This has a broader scope than the NDPR.
- Also, the NDPR mandates every data controller to have a Data Protection Officer (DPO). This changed under the NDPA; the DPO requirement is now limited to data controllers of importance.
In summary, the NDPA and NDPR are more similar than different. Where there is a conflict between the two, the NDPA is supreme.
NDPR and GDPR
The Nigerian Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively.
The penalties are different. Non-compliance with the GDPR comes with a fine of up to 4% of the annual global profit or €20 million, whichever is higher.
The NDPR non-compliance penalty is less severe: a fine of up to 2% of annual global profit or 10 million Naira, whichever is greater.
The Nigerian Data Protection Regulation is an adaptation of the GDPR. The GDPR is more comprehensive, with a broader scope.
In conclusion
The Nigerian Data Protection Regulation is important for safeguarding data in Nigeria and meeting international standards while addressing local needs. Compliance with the NDPR will help organizations avoid penalties and foster trust among the client community.
Are you an organization looking to scale up your NDPR and GDPR compliance? You can reach out to us at Johan Consults and be sure to get the best.