Nigeria’s Data Protection Regulation came into effect in January 2019, and companies operating in the country have an obligation to ensure they are compliant.
Nigerian law firm Aelex has provided an overview of how to achieve compliance.
Step One
Determine the processing activities of the organisation.
The NDPR has defined processing as any operation or set of operations which is performed on personal data such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Identify the type of personal data that are collected and the nature of processing. The identification would assist in determining the most effective means to comply with the NDPR.
Step Two
Ascertain whether the organisation is a data controller or a data administrator/processor.
A data controller is one who determines the purpose and manner in which personal data is to be processed. On the other hand, a data administrator simply processes data.
Identify the circumstances where your organisation is a data controller or administrator/processor, as most obligations are imposed on the data controller. The data controller has the responsibility to ensure that the consent of the data subject is obtained without fraud, coercion or undue influence, and is liable for any breach of the NDPR. As such, the data controller will be liable for a violation committed by a data administrator/processor. Also, depending on the circumstance, the data controller or the processor may be responsible for the actions and inaction of any third party.
Step Three
Appoint a Data Protection Officer (DPO)
As a data controller, an organisation must appoint a DPO. The DPO may be an individual or any entity. The duty of the DPO is to ensure that the organisation complies with the provisions of the NDPR.
Step Four
Assess your organisation’s processing activities
Conduct an assessment of the organisation’s processing activities to determine the necessary steps to ensure alignment with the NDPR. Questions such as the following should be addressed:
- How is data collected?
- Which department receives such data?
- Why does the organisation process such data?
- What will be the legal basis for processing such data?
- What security measures has the organisation taken to prevent a data breach?
Step Five
Begin Implementation of the NDPR
To implement the NDPR, an organisation should adopt the following within the stated timelines:
- Make the data protection policies (such as the privacy policy) available to the general public. This should have been in place since 25th April, 2019.
- Conduct an audit of the organisation’s privacy and data protection practices on or before the 25th of July, 2019.
- Where an organisation is a data controller and it processes personal data of more than 1000 people in 6 months, it should submit a summary audit to NITDA. No compliance timeline was indicated for this obligation in the NDPR.
- Where an organisation is a data controller and it processes personal data of more than 2000 people in a year, it must submit an audit to NITDA on the 15th of March 2020 and the 15th March of every subsequent year.
In closing, it should be noted that the mass media and civil society have been given the right to uphold accountability and foster the objectives of the NDPR.