Nigeria Data Protection Regulation, 2019 (NDPR)

Nigeria Data Protection Regulation - Mandatly Inc.

What Is (NDPR) Nigeria Data Protection Regulation

NDPR (Nigeria Data Protection Regulation) is the current national law in Nigeria issued in January 2019. NITDA as the Regulatory Authority for Data Protection aims at innovating data protection management in Africa through inclusive regulatory strategies, partnerships, and continuous improvement.

The objective of the Nigeria Data Protection Regulation is to safeguard the rights of natural persons to data privacy, foster safe conduct for transactions involving the exchange of Personal Data and to prevent manipulation of Personal Data.

NDPR Applicability

The NDPR Act’s regulation is applicable in the following cases to get NDPR compliance:

  • Applies to all transactions intended for the processing of Personal Data, to the processing of Personal Data.
  • Applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.

Important Definitions

  1. Personal Data
    Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.
  2. Consent
    Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
  3. Data
    Data means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device.
  4. Data Subject
    Any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  5. Processing
    Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Rights of Data Subject

Let’s see the Data Subject Rights Under the NDPR (Nigeria Data Protection Regulation) compliance 

  1. Right to be Informed
    Any medium through which Personal Data is being collected or processed by business shall display a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand.
  2. Right to Object
    A Data Subject shall have the option to:

    • Object to the processing of Personal Data relating to him which the Data Controller intend to process for the purpose of marketing,
    • Be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
  3. Right to Access
    The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and for any information relating to a child.
  4. Right to Deletion
    The Data Subject shall have the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data.
  5. Right to Restriction on Processing
    The Data Subject shall have the right to obtain from the Controller restriction of processing where the processing is unlawful or the Personal Data is no longer needed for the purposes of the processing
  6. Right to Rectification
    The Controller shall communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data have been disclosed.
  7. Right to Data Portability
    The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided.

If the Controller does not act on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority.

Data Protection Officer

Every Data Controller shall designate a Data Protection Officer for the purpose of ensuring adherence to this Regulation, relevant data privacy instruments and data protection directives of the Data Controller, provided that a Data Controller may outsource data protection to a verifiably competent firm or person.

Enforcement

Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:

  • In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater,
  • In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

Conclusion

Under the NDPR compliance, personal data must be processed in accordance with a specific, legitimate, and lawful purpose consented to by the Data Subject. Where a Data Controller processes the Personal Data of more than 1000 in a period of six months, a soft copy of the summary of the audit containing information as stated in the Act shall be submitted to the Agency.

Organizations must also know the existing and upcoming Data Protection compliances across countries as data movement occurs on a global level and data protection regulations differ in one way or another as per the law of the land.

Mandatly Privacy Management - Mandatly Inc.

Related Blogs

Cookie Consent Solutions for GDPR & CCPA Compliance20240708043627

Cookie Consent Solutions for GDPR & CCPA Compliance

The Role of Cookie Consent Solutions in GDPR and CCPA ComplianceIn today's digital landscape, data privacy regulations like t...
GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy20240524035956

GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy

GDPR Compliance Made Easy: Tips for Updating Your Privacy PolicyIntroductionIn an era where data privacy is paramount, ensuri...
Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies20240513042210

Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies

Navigating GDPR Compliance: A Comprehensive Guide to Cookie PoliciesIn an era marked by increasing concerns over data privacy...
Data Mapping Requirement for CPRA & CCPA Compliance20240501045009

Data Mapping Requirement for CPRA & CCPA Compliance

Data Mapping Requirement for CPRA & CCPA ComplianceWhat are the CPRA Data Mapping Requirements?The California Consumer Pr...
The Role of Employee Training in GDPR Compliance and Data Security20240205100131

The Role of Employee Training in GDPR Compliance and Data Security

The Role of Employee Training in GDPR Compliance and Data SecurityOverview: GDPR Training For EmployeesIn today's rapidly evo...
Explore the Link Between Cybersecurity and GDPR Compliance20240201044003

Explore the Link Between Cybersecurity and GDPR Compliance

The Intersection of GDPR & CybersecurityWhat is GDPR?Enforced since May 2018, GDPR is a comprehensive set of regulations ...
International Data Transfers: Understanding Legal Frameworks20240125043450

International Data Transfers: Understanding Legal Frameworks

Cross Border Data Transfer & Legal FrameworkA Legal Framework For Data ProtectionBefore delving into the legal mechanisms...
EU-U.S. Data Privacy & GDPR: A Symbiotic Bond20240110045117

EU-U.S. Data Privacy & GDPR: A Symbiotic Bond

The GDPR and the EU-US Data Privacy Framework: A Symbiotic RelationshipEU-US Data Privacy Shield FrameworkThe EU US Data Priv...
PIA Software: Streamlining Privacy Impact Assessments20231229045248

PIA Software: Streamlining Privacy Impact Assessments

Conducting Privacy Impact Assessments with PIA Software: Benefits and Best PracticesAbout Privacy Impact AnalysisIn today's d...
Getting Started with Privacy Impact Assessment (PIA) Software20231221064257

Getting Started with Privacy Impact Assessment (PIA) Software

Getting Started with PIA Software: Step-by-Step Implementation GuideIntroductionPrivacy Impact Assessment (PIA) software has ...
LGPD Compliance: Checklist & Best Practices20231109071852

LGPD Compliance: Checklist & Best Practices

Preparing for LGPD: Compliance Checklist and Best PracticesOverview Of LGPDThe LGPD, or Brazil's General Data Protection Law,...
Brazilian Data Protection Law (LGPD)20231030043222

Brazilian Data Protection Law (LGPD)

Data Subject Rights Under LGPD Access, Rectification, and ErasureIntroductionThe LGPD, or the Brazilian General Data Protecti...
Brazils’ LGPD Compliance Guide You Must Read20231025062215

Brazils’ LGPD Compliance Guide You Must Read

Everything You Need to Know About Brazil LGPD: Penalty For Non-Compliance of LGPDWhat is Brazil’s LGPD?The LGPD, or Lei Geral...
Key GDPR Compliance Privacy Software Features20230906043009

Key GDPR Compliance Privacy Software Features

5 Key Features to Look for in Privacy Management Software for GDPR ComplianceAbout The Features Of GDPR Management Compliance...
Virginia Consumer Data Protection Act – All about CDPA20230104044820

Virginia Consumer Data Protection Act – All about CDPA

Virginia Consumer Data Protection Act – All about CDPAWhat is VCPDA?The Virginia Consumer Data Protection Act CDPA is a...
Difference between CDPA, CCPA, CPRA and CPA20210722111718

Difference between CDPA, CCPA, CPRA and CPA

Difference between CDPA, CCPA, CPRA and CPAUnderstanding CDPA, CPA, CCPA & CPRAOn March 2, 2021, Governor Ralph Northam s...
Colorado Privacy Act (CPA)20210713052349

Colorado Privacy Act (CPA)

Colorado Privacy Act (CPA)Colorado is officially the third U.S state to adopt privacy legislation, after California and Virgi...
CDPA, CCPA and CPRA : Key Difference & Similarities20210705113837

CDPA, CCPA and CPRA : Key Difference & Similarities

CDPA, CCPA and CPRA : Key DifferencesAll About California’s CDPA, CPRA VS CCPAOn March 2, 2021, Governor Ralph Northam signed...