On 11 July 2019, the National Information Technology Development Agency (NITDA) issued a Press Statement disclosing its ongoing investigation of alleged breach of data privacy rights of Nigerians by some identified Data Controllers. NITDA also released a draft Data Protection Implementation Framework (the draft framework), which has been made available on its website for inputs from stakeholders.
In January 2019, NITDA issued the Nigeria Data Protection Regulations (NDPR). The overall objective of the NDPR is to safeguard personal data rights, enhance security of transactions involving personal data and improve the access of Nigerian companies to cross border data. The NDPR sets out a number of compliance obligations for Data Controllers, which include the requirements to do the following:
The NDPR also provides for penalties of up to 2% of a company’s gross revenue in the event of its breach.
NITDA disclosed in its recent statement that is currently investigating some organizations, which include the Nigerian Immigration Service, Banks, Financial Technology companies and some Telecommunication companies for alleged breach of the provisions of the NDPR. It expressed the agency’s readiness to implement the NDPR with the ultimate aim of ensuring compliance and making businesses and government work better for every Nigerian.
On a related note, the draft framework outlines compliance checklists to guide Data Controllers. It also provides a guide on the modalities of handling individual personal data. Furthermore, the framework provides for different forms of NDPR enforcement mechanisms, which include surveillance, complaint filings, investigations, administrative sanctions as well as criminal prosecution.
The draft framework highlights the role of the Data Protection Compliance Organizations (DPCO) in the compliance and enforcement of the NDPR. The DPCOs are professionals licensed by the NITDA to provide training, auditing, consulting, and compliance services to Data Controllers. It also stipulates that Data Controllers would need to present a DPCO ‘s audit verification statement as a pre-condition to filing of an annual audit report or any other report demanded by the NITDA.
The ongoing investigation of some Data Controllers in Nigeria and the release of the draft framework alludes to NITDA’s commitment to enforcing the provisions of the NDPR. This development is likely to result in the imposition of huge penalties and administrative sanctions on Data Controllers who are in breach of the provisions of the NDPR.
As such, organizations engaged in the collection, storage and use of personal data of individuals in Nigeria might benefit from engaging in discussions with their professional advisers/DPCOs to better understand their compliance risks, obligations and responsibilities under the NDPR.