The Nigeria Data Protection Regulation 2019 (the “NDPR” or “Regulation”) is Nigeria’s principal legal framework for the protection of personal data. The NDPR is undeniably modelled after the GDPR of the EU and represents the country’s first wholesale attempt to regulate the use and processing of personal data. The NDPR is not specifically targeted at businesses, but rather at all persons (natural and corporate) who collect and/or process personal data. This notwithstanding, it is unarguable that businesses process personal data on a larger scale than private individuals, given the commercial value of data in today’s digital world. For this reason, this guide will primarily focus on the prescriptions and requirements of the NDPR as they impact businesses in Nigeria.
Under the NDPR, the processing of “personal data” is the fundamental basis for the applicability of the Regulation and the compliance obligations prescribed therein on businesses. Simply put, only individuals/businesses who process personal data are within the contemplation of the regulation, and by extension bound to comply with the prescriptions contained in the regulation. The NDPR defines personal data as:
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others;
From the definition above, it is clear that the protections afforded under the Regulation are only applicable to the data of a natural person. As such, corporate data or the data of a deceased person are not within the purview of the Regulation. In the same vein, the Regulation elucidates the activities that constitute processing of personal data:
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Essentially, all forms of activities on personal data will qualify as data processing and as such be caught by the provisions of the NDPR. For businesses, it is virtually inevitable that their operations will entail some form of data processing. Some of the data processing activities typically undertaken by businesses include collecting, reviewing, and storing the personal data of employees, contractors, clients/customers among others. For this reason, businesses are legally obligated to adhere to the provisions of the NDPR while engaging in any data processing activities. We have highlighted below some of the compliance standards prescribed in the NDPR:
Emplacement of a Privacy Policy: The NDPR recognises five major lawful bases for processing personal data, chief of which is consent. The concept of consent as a legal basis for processing personal data requires that the data processor (also called the data controller) must obtain the consent of the data subject as a precondition to processing the data subject’s personal data. To further ensure that informed consent is given, the NDPR requires each data controller to furnish the data subject with that data controller’s privacy policy, detailing the intended use of the data subject’s personal data, the duration for which the data will be stored by the data controller, and the rights the data subject has over his/her personal data, among other information. By implication, consent will be deemed not to have been freely given in the event that the data controller fails to provide the data subject with its privacy policy prior to obtaining the data subject’s consent.
Designation of a Data Protection Officer: The NDPR provides that all Data Controllers shall designate a Data Protection Officer (DPO) for the purpose of ensuring adherence to the Regulation, relevant data privacy instruments and the data protection directives of the Data Controller. The Regulation further permits the outsourcing of the role to a verifiably competent firm or person. However, where the DPO has other work duties within the organisation, an evaluation is to be conducted to ensure that there is no conflict of interest. Furthermore, where the business processes personal data of up to 10,000 in a year or processes sensitive personal data, a dedicated data protection officer shall be appointed.
Conduct of a Data Protection Audit: The NDPR obligates businesses that process the personal data of more than 2,000 data subjects in a period of 12 months to submit, not later than the 15th of March of the following year, a summary of their data protection audit to the regulatory body – the Nigeria Data Protection Bureau (NDPB). Instructively, businesses are to engage the services of a Data Protection Compliance Organisation (DPCO) duly accredited by the NDPB to conduct the annual audit. The audit evaluates the compliance status of the business with the provisions of the NDPR, identifies any lapses, and advises on the appropriate remediation to be effected. It is useful to note that while the Regulation mandates businesses that process the personal data of more than 2,000 data subjects to conduct a DPA, it is not unusual for businesses that do not fall within that regulatory threshold to nevertheless conduct a data protection audit to assess their compliance level and consequently enhance the goodwill and the public’s perception of their business.
Conduct of a Data Protection Impact Assessment: The NDPR requires businesses that undertake certain specified processing activities to conduct a Data Protection Impact Assessment (DPIA). A DPIA is a risk assessment carried out to ascertain the possible implications of those processing activities, identify the areas where breaches may occur, and advise on the means by which the risk of those breaches may be mitigated. DPIAs are not mandatory for all personal data processing activities. The processing activities requiring a DPIA include the processing of sensitive personal data and the profiling and/or automated processing of personal data and data subjects, among others.
SimmonsCooper Partners is a licensed Data Protection Compliance Organisation and has demonstrable experience in advising businesses on the entire gamut of compliance with extant legal and regulatory frameworks on data protection in Nigeria. Please feel free to contact us for more information and/or clarification pertaining to this guide.