On June 12, 2023, the Nigerian government took a bold step towards comprehensive data protection. While the European Union (EU) was miles ahead, Nigeria began to measure up to the world’s standard.
The Nigerian Data Protection Act (NDPA) was that bold step. It was established to provide a comprehensive legal framework for safeguarding the data of Nigerian citizens, both at home and abroad.
Prior to this, there had been attempts by the Nigerian government to protect personal data. One notable mention is the NDPR.
The NDPR, in full the Nigerian Data Protection Regulation, was issued in February 2019. It was established by NITDA (the Nigerian Information Technology Development Agency).
Given the intensity of data threats, a regulation like the NDPR is not enough. Because it was secondary legislation with a weaker legal and judicial standing, foreign organizations were unable to fully trust the Nigerian market. This situation gave rise to the Data Protection Bill, 2023, which established the NDPA.
This article will provide an overview of the NDPA, its objectives, basic terminologies, scope of application, principles, and penalties.
Objectives of the Nigerian Data Protection Act (NDPA)
According to Forbes, the world generates 2.5 quintillion bytes of data daily. Why? Because data is an important part of any organization’s growth.
Companies process data to decide which service to promote, which product to make, and, most importantly, how to run their digital marketing.
For all the positive uses of data, the threats to data are on the increase. Organizations have to implement data protection systems against unauthorized access, loss, or compromise of data.
The objectives of the NDPA are:
- To protect the rights of data subjects by making sure personal data is processed in a lawful, fair, and transparent manner. This aligns with the basic principles of data protection.
- To provide a legal framework for the regulation and protection of personal data, and a means of redress where the rights of data subjects are breached.
- To ensure data controllers and processors comply with their obligations to data subjects.
- To promote data security and privacy in data processing activities in Nigeria.
- To ensure the inclusion of Nigeria in the regional and global economies through trusted use of personal data.
Basic terminologies in the NDPA
The Nigerian Data Protection Act has its own terminology. Here are some definitions you should get familiar with.
Data controller
An individual, private entity, public commission, agency, or any other body that, alone or jointly with others, determines the purpose and means of processing data.
Data Processor
The Act describes a data processor as an individual, private entity, public authority, or any other body that processes data on behalf of a data controller or another data processor.
Personal data
Any information that relates directly or indirectly to an identified or identifiable individual by reference to an identifier, e.g., name, age, identity number, location ID, or factors specific to the physical, psychological, cultural, social, or economic state of the individual.
Sensitive personal data
The Act defines sensitive personal data as personal data relating to an individual’s:
- Genetic and biometric data
- Ethnic origin
- Religious or similar beliefs, such as philosophy or conscience
- Sex life
- Health status
- Political opinion
- Trade union membership
and any other information deemed sensitive by the Commission.
Scope of Application of the Nigerian Data Protection Act
The primary goal of the NDPA is to protect personal data belonging to citizens of Nigeria. Its application extends beyond the borders of Nigeria.
The NDPA applies in the following instances:
- The data processing takes place in Nigeria.
- The organization processing the data is not located in the country but processes data belonging to a Nigerian citizen.
- The data controller or processor is resident or operating in Nigeria.
The Nigerian Data Protection Act does not apply when personal data processing is carried out for personal or household purposes. It is important to know that this exemption applies only when the right to privacy of the data subject isn’t violated.
In a nutshell, every data controller or processor (at home or abroad) processing Nigerian data is subject to the NDPA, except for personal and household purposes, and then only so long as the rights of the data subjects are upheld.
Basic Principles of the Nigerian Data Protection Act (NDPA)
Just like most data protection regulations around the world, the NDPA has principles guiding organizations to compliance.
Consent
Organizations must get the full consent of the data subjects before collecting, processing, and storing data. The subjects must give consent freely, with no trace of foul play. The data subjects also have the right to withdraw their consent.
Data processing is, however, lawful without consent when it is carried out:
- To protect the interests of the data subject or another person where the subject is physically or legally incapable of giving consent.
- To establish or defend a legal claim, obtain legal advice, or carry out a legal proceeding.
- To carry out a contract to which the data subject is a third party.
- To conduct a task of public interest.
Where a child (under 18 years old) is the data subject, data controllers must obtain the consent of the parent or legal guardian.
Lawfulness
Data can only be collected for lawful purposes, which means organizations must clarify their reasons for data collection, processing, and storage. Such purposes should be clearly disclosed to the data subjects.
Accuracy
All the data collected by organizations must be correct. Any inaccuracy should be rectified immediately.
Data minimization
Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes.
Data security
Organizations must take specific precautions to ensure the security of their data. This includes measures against unauthorized access, disclosure, loss, and compromise of data.
The following are some of the best data security practices organizations can use:
- Pseudonymization
- Encryption
- Data masking
- Periodic risk assessments
- Creating an incident-response plan
- Regular evaluation of the effectiveness of the data security measures implemented
Data Protection Impact Assessment (DPIA)
Under section 28(1) of the NDPA, data controllers are required to conduct a DPIA where the processing of data may lead to a high risk to data subjects. Should the assessment confirm a high risk, the controller must consult the NDPC.
Penalties under the Nigerian Data Protection Act
The NDPA penalties are not as harsh as those of the GDPR. The NDPC (Nigerian Data Protection Commission), the regulatory body for the NDPA, can impose a fine of up to 2% of the global annual profit, or 10 million naira, on defaulting organizations.
Apart from the fine, continuous loss or compromise of data will reduce trust in the organization. This can stunt the organization’s growth.
Like GDPR compliance, keeping up with the NDPA can be a task, which is why most organizations opt for data protection consultancies.
Data protection consultancy is a professional service that offers expert advice and solutions to organizations on how to follow data protection laws and regulations.
NDPA and NDPR
While the Nigerian Data Protection Act covers most of the NDPR, it lacks the specificity of the latter. The major difference between the two lies in the definition of terms.
- The NDPA broadens the scope of “sensitive data” by including biometric data, genetic data, and data relating to the subject’s philosophy or conscience.
- Under the NDPA, the definition of “data breach” was changed to include situations that will “likely lead to” accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed. This has a broader scope than the NDPR.
- Under the NDPR, every data controller must appoint a Data Protection Officer (DPO). This is not so in the NDPA, where the DPO requirement is now limited to data controllers of major importance.
In summary, the NDPA and NDPR are more similar than different. Where the two conflict, the NDPA prevails.
NDPA and GDPR
The Nigerian Data Protection Act (NDPA) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively.
Non-compliance with the GDPR comes with a fine of up to 4% of the annual global profit, or €20 million, whichever is higher. This is higher than the NDPA penalty.
Conclusion
Compliance with the Nigerian Data Protection Act (NDPA) is important for organizations. It enhances data security, ensures compliance with international standards, and protects the rights of data subjects.
Does your organization struggle with NDPA compliance and other data protection problems? Johan Consults is the right consultancy for you.