Nigeria Data Protection Regulation, 2019 (NDPR)
What Is the Nigeria Data Protection Regulation (NDPR)?
The NDPR (Nigeria Data Protection Regulation) is the current national law in Nigeria, issued in January 2019. NITDA, as the Regulatory Authority for Data Protection, aims at innovating data protection management in Africa through inclusive regulatory strategies, partnerships, and continuous improvement.
The objective of the Nigeria Data Protection Regulation is to safeguard the rights of natural persons to data privacy, foster safe conduct for transactions involving the exchange of Personal Data and to prevent manipulation of Personal Data.
NDPR Applicability
The NDPR applies in the following cases:
- Applies to all transactions intended for the processing of Personal Data and to the processing of Personal Data.
- Applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.
Important Definitions
- Personal Data
Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.
- Consent
Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
- Data
Data means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device.
- Data Subject
Any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- Processing
Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Rights of Data Subject
The Data Subject rights under the NDPR (Nigeria Data Protection Regulation) are as follows:
- Right to be Informed
Any medium through which Personal Data is being collected or processed by a business shall display a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand.
- Right to Object
A Data Subject shall have the option to:
  - Object to the processing of Personal Data relating to him which the Data Controller intends to process for the purpose of marketing,
  - Be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
- Right to Access
The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and for any information relating to a child.
- Right to Deletion
The Data Subject shall have the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data.
- Right to Restriction on Processing
The Data Subject shall have the right to obtain from the Controller restriction of processing where the processing is unlawful or the Personal Data is no longer needed for the purposes of the processing.
- Right to Rectification
The Controller shall communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data have been disclosed.
- Right to Data Portability
The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided.
If the Controller does not act on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority.
Data Protection Officer
Every Data Controller shall designate a Data Protection Officer for the purpose of ensuring adherence to this Regulation, relevant data privacy instruments and data protection directives of the Data Controller, provided that a Data Controller may outsource data protection to a verifiably competent firm or person.
Enforcement
Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
- In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater,
- In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.
Conclusion
Under the NDPR, personal data must be processed in accordance with a specific, legitimate, and lawful purpose consented to by the Data Subject. Where a Data Controller processes the Personal Data of more than 1000 in a period of six months, a soft copy of the summary of the audit containing information as stated in the Act shall be submitted to the Agency.
Organizations must also know the existing and upcoming data protection compliance requirements across countries, as data movement occurs on a global level and data protection regulations differ in one way or another as per the law of the land.