5 Steps to Compliance with the Nigeria Data Protection Regulations

By Alexander Adekunbi

Data protection has become a major focus for companies and governments worldwide, as concerns have continued to grow about privacy and the large-scale harm that can be done when organizations are permitted to collect and use citizens’ personal data without sufficient restrictions, as with the Facebook Cambridge Analytica scandal and other data breaches which have caused significant financial and harm.

In Europe, this push for data protection led to the passage of the General Data Protection Principles, and similar legislation has been passed in other countries including the US, Kenya, South Africa and in Nigeria, in the form of the Nigeria Data Protection Regulations issued by the National Information Technology Development Agency (NITDA) on the 25^th of January, 2019.

The regulations stipulate a range of rights which people have and obligations which organizations must comply with, to safeguard those rights. Non-compliance has severe consequences of up to either 2% of annual gross revenue or payment of the sum of NGN 10 million, where the organization processes the data of more than 10,000 data subjects; or payment of a fine of 1% of annual gross revenue or payment of the sum of NGN 2 million, where the number of data subjects is less than 10,000. The good thing is that complying and avoiding that liability is straightforward, and here’s a checklist of five steps to guide you:

1. Audit

The first step in getting compliant is to assess exactly where your organization is at the moment, in terms of your data protection processes. The first step is to determine whether your organization is a data processor or controller, after which you’ll need to ascertain exactly what kinds of data you collect and whether the processes you have in place for collecting, storing, using and sharing such data is in compliance with the regulations.

At this point, getting the specific number of people whose data you process is also important because it’ll determine whether you need to submit a summary of your audit report to the NITDA. The regulations take a very broad approach in defining who a data subject is but the key point to bear in mind is that everyone whose personal data you have in your records counts, whether that’s an employee, a marketing lead, partners, suppliers, job applicants etc.

2. Remedial Action

After getting a clear picture of where your organization’s data protection processes stand, the next step is to begin taking remedial action. Typically, for most organizations, this will begin with fixing the processes through which you collect data. The regulations provide for the grounds upon which data can be legally processed, including consent, contractual purposes and legal obligation, among others.

To ensure you’re getting the requisite consent, there might be a need to update your privacy policies for your website as well as for physical locations and events. Apart from customer-facing policies, the regulations also require an organizational policy for the handling of personal data to be put in place, covering access control to such data, its encryption using suitable technologies and all the other requirements in the NDPR.

3. Appointment of a DPO

Like the GDPR, the NDPR (in the NDPR Implementation Framework) requires private organizations to appoint a Data Privacy Officer (DPO) if they meet certain parameters in relation to how many people’s data they process and how integral processing is to their business operations, among other factors.

The role of the DPO is to coordinate the organization’s data protection system and also to serve as the contact point for third-parties who wish to communicate with the organization for data-protection related purposes, such as a data subject wishing to exercise his rights. Fortunately, there is some flexibility because the regulations permit the appointment of any person within the organization or for the role to be outsourced to a “verifiably competent firm or person.”

4. Submission of reports to NITDA

Whether or not your organization has to submit reports is dependent on the number of people whose data you process. The regulations provide that data controllers which process the personal data of more than 1,000 data subjects in a period of six months must submit a soft copy of the audit to NITDA. In addition, data controllers which process the personal data of more than 2,000 in a period of 12 months must submit a summary of the audit to NITDA on an annual basis.

This is a regulator-facing obligation, which makes it even more crucial, as failure could lead to financial penalties and reputational damage. The NITDA has indicated its willingness to issue sanctions albeit from the relatively mild starting point of issuing compliance notices to defaulting organizations in December last year.

5. Staff Training

Complying with the NDPR is an ongoing obligation, not a one-time process. Even after completing the steps above, failure to train your staff in the best practices for data handling would inevitably to a failure of the processes and the attendant legal liability which you’re working to avoid.

The ideal way to conduct this training would be to engage the services of a DPCO which has been granted a license by the NITDA specifically for the purpose of training organizations on data protection compliance as well as providing other services including auditing, monitoring and consulting. Such trainings may be virtual or physical, as long as the goal of ensuring that your staff are aware of their obligations and risk-mitigation strategies which they must take daily, is achieved.

Ademola Adekunbi is a Legal Analyst at Balogun Harold, a corporate law firm licensed by NITDA as a Data Protection Compliance Organization.