HOW A COMPANY CAN BE DATA PROTECTION COMPLIANT IN NIGERIA

The Nigeria Data Protection Act, 2023, marks a pivotal step forward in protecting the privacy of individuals in the country. Signed into law on June 12, 2023, by President Bola Ahmed Tinubu, the Act establishes a comprehensive legal framework for personal data protection. It supersedes the Nigeria Data Protection Regulation (NDPR) 2019, which, despite its merits, faced challenges of limited enforceability.

In today’s digital landscape, where personal data is vital to business and government operations, compliance with data protection laws has become non-negotiable. The Act not only ensures the rights of data subjects are protected but also aligns Nigeria with international standards, creating a trustworthy digital ecosystem for individuals and businesses alike.

The Act provides clear requirements and guidelines for companies processing personal data. Below is an outline of how companies can achieve data protection compliance in Nigeria under the new law.

Objectives of the Act

Section 1 of the Act provides for its objectives and are as follows:

1.?? Safeguard Data Subjects’ Rights: Protect individuals’ personal data from unauthorized or unlawful processing while ensuring fairness, lawfulness, and accountability.

2.?? Enhance Data Privacy: Promote practices that guarantee the security and privacy of personal data in Nigeria.

3.?? Provide Remedies: Establish legal recourse for breaches of data subjects’ rights.

4.?? Obligate Controllers and Processors: Ensure that companies fulfill their legal responsibilities regarding data subjects.

5.?? Foster Economic Growth: Strengthen Nigeria’s participation in global digital economies by establishing trusted and secure data handling practices.

Key Concepts in the Act

1.??? Data Controller: An individual, private entity, public commission that determines the purposes and means of processing personal data.

2.??? Data Processor: An individual, private entity or public authority that processes personal data on behalf or at the discretion of a controller.

3.??? Personal Data: Information that identifies an individual, such as names, identification numbers, and online identifiers.

4.??? Sensitive Personal Data: Data related to race, religion, health, sexual orientation, political opinions, and biometric or genetic identifiers.

5.??? Data Subjects: An individual to whom personal data relates.

Applicability of the Act

The Act applies to companies or entities that:

1. Are domiciled or operate in Nigeria.
2. Process personal data within Nigeria.
3. Process data of Nigerian residents, even if based outside Nigeria.

However, processing solely for personal or household purposes is exempt unless it infringes on data subjects’ privacy.

Principles of Data Processing

To comply with the Act, data processors must adhere to the following principles.

1.?? Lawfulness, Fairness, and Transparency: Personal data must be processed in a fair, lawful and transparent manner.

2.?? Purpose Limitation: Data should be collected only for specific, explicit and legitimate purposes and not to be further processed in ways incompatible with those purposes.

3.?? Data Minimization: Collect only the data necessary for the stated purpose.

4.?? Accuracy: Ensure data is accurate, complete and not misleading and must be up to date.

5.?? Storage Limitation: Retain data only as long as necessary for the intended purpose.

6.?? Security: Implement measures to prevent unauthorized access, loss, or misuse of personal data.

Obligations of Data Controllers and Processors

Companies processing personal data must:

1.?? Register with the Commission: Submit records of data processing activities for regulatory oversight.

2.?? Appoint a Data Protection Officer (DPO): A DPO ensures compliance and act as a liaison officer with the Nigeria Data Protection Commission.

3.?? Implement Technical and Organizational Measures: Safeguard data using appropriate security technologies and practices.

4.?? Notify Breaches: Inform the Commission and affected data subjects of breaches within a specified timeframe.

5.?? Provide Access Rights: Allow data subjects to access, rectify, or erase their data.

Rights of Data Subjects

The Act empowers individuals with the following rights:

1.?? Right to Access: Know whether their data is being processed and for what purposes.

2.?? Right to Rectification and Erasure: Correct or delete inaccurate or unnecessary data.

3.?? Right to Withdraw Consent: Revoke previously granted consent.

4.?? Right to Data Portability: Receive personal data in a usable format and transfer it to another controller.

5.?? Right to Object: Challenge processing based on legitimate interests or for direct marketing.

Consequences of Non-Compliance

Non-compliance with the Act can result in:

1.?? Administrative Fines: Up to ?10 million or 2% of annual global turnover for serious breaches.

2.?? Criminal Sanctions: Prosecution for violations of data subjects’ rights.

STEPS FOR COMPANIES TO ACHIEVE COMPLAINCE

1. Understand the Act

• Training: Educate all employees, particularly those involved in data handling, about the provisions of the Nigeria Data Protection Act. This will foster awareness and ensure that everyone understands their responsibilities regarding personal data.

2. Conduct Data Audits

• Data Mapping: Identify and document all data processing activities within the organization. Companies must assess the risks associated with processing activities and ensure that personal data is only handled in accordance with the law.
• Data Inventory: Maintain a comprehensive inventory of all personal data held by the company, including sensitive data, and ensure that its collection, storage, and processing are compliant.

3. Develop a Privacy Policy

• Transparency: Draft and publish a privacy policy that explains to data subjects how their personal data is collected, used, stored, and protected.
• Data Processing Guidelines: The policy should also outline the company’s commitment to data subject rights, such as the right to access, correct, and delete data.

4. Obtain Clear and Explicit Consent

• Consent Mechanism: Set up processes to collect clear, explicit, and informed consent from data subjects before collecting their personal data.
• Documenting Consent: Keep records of the consent process, as consent must be verifiable. Silence or inactivity does not constitute consent.
• Withdrawal of Consent: Ensure that data subjects can easily withdraw their consent at any time, and that the company will cease processing the data upon request.

5. Appoint a Data Protection Officer (DPO)

• DPO Role: Appoint a Data Protection Officer (DPO) to oversee compliance with the data protection laws. The DPO should be responsible for ensuring that the company adheres to the Nigeria Data Protection Act and acts as a liaison with the Nigeria Data Protection Commission (NDPC).
• DPO Reporting: The DPO should regularly report on data protection practices and assist in responding to data subject requests and data breaches.

6. Implement Technical and Organizational Measures

• Security Protocols: Invest in robust data security technologies to protect personal data from unauthorized access, loss, or destruction. Implement encryption, firewalls, and secure data storage solutions.

7. Notify Breaches

• Incident Response Plan: Establish a clear plan for responding to data breaches. In the event of a breach, companies must inform the NDPC and affected individuals within the statutory timeframe.
• Breach Reporting: Ensure that breach notifications are clear, concise, and include details of the breach, its potential impact, and the measures taken to mitigate it.

8. Ensure Data Subject Rights

• Access and Rectification: Implement systems that allow data subjects to access their personal data, request corrections, or have their data deleted.
• Data Portability: Enable data subjects to transfer their data to another data controller, ensuring compliance with the right to data portability.
• Object to Processing: Allow data subjects to object to the processing of their data, especially for direct marketing or when processing is based on legitimate interests.

9. Engage Legal Advisors

• Legal Compliance Check: Consult with legal professionals to ensure that all aspects of the company’s data processing activities align with the provisions of the Nigeria Data Protection Act.
• Adaptation to Legal Changes: Stay updated on any amendments or additional regulations that may affect data protection compliance in the future.

10. Register with the Nigeria Data Protection Commission (NDPC)

• Mandatory Registration: Companies must register their data processing activities with the NDPC, providing detailed records of all personal data processing operations.
• Periodic Reporting: Companies must comply with periodic reporting requirements, providing the NDPC with updates on any significant changes to their data processing activities.

Conclusion

In conclusion, compliance with the Nigeria Data Protection Act, 2023 is essential for companies operating in Nigeria or processing the personal data of Nigerians. By understanding the Act’s provisions, implementing robust data protection measures, and respecting the rights of data subjects, businesses can mitigate the risk of penalties and reputational damage. Moreover, adopting a proactive approach to data protection not only ensures legal compliance but also builds trust with customers, which is invaluable in today’s economy.

?

By Olapeju Martins, an Associate at Resolution Law Firm

Email: [email protected]

Tel/WhatsApp: +2348099223322