In recent times, Data Privacy has continued to remain a front burner issue in our ever progressive world. From the issuance of the European Union General Data Protection Regulation in 2016 to the introduction of Nigeria Data Protection Regulation (NDPR) in 2019 and the subsequent enactment of the Nigeria Data Protection Act (NDPA) in 2023 (which lends life to the NDPR 2019), discussions around Data Privacy have become more inclusive. Stakeholders are beginning to take a more systematic and proactive approach in ensuring the adequate protection and security of data within their possession.
In this Article, we have discussed some developments around the Data Privacy in Nigeria and also highlighted relevant obligations for businesses in the coming months.
Obligations under the NDPR 2019 and NDPA 2023
- Data Privacy Audit and Filings
Organisations in Nigeria are required to conduct an audit on the data privacy practices of their organisation and file a summary of their audit to the Nigeria Data Protection Commission (NDPC or "the Commission") not later than 15 March 2024.
The audit (which is to be mandatorily conducted and filed through a licensed Data Protection Compliance Organisation) would cover the data privacy practices of the year 2023 such as a review of the grounds for processing personal data, data security and protection systems, identification of possible breach or near breach situations for adequate reporting and attention, data subject access request procedures amongst others.
The NDPC has emphasised the need for Organisations to ensure strict compliance with the deadline of 15 March 2024 for the filing of the statutory data protection audit reports. More importantly, the Commission maintained that an extension of the deadline for filing audit reports (after 15 March 2024) will only be considered under extenuating circumstances.
- Implementation of Adequate Data Security and Privacy Systems
Organisations are mandated to implement appropriate technical and organisational measures to ensure security, integrity and confidentiality of personal data within their custody. Simply put, organisations should ensure adequate systems are put in place for the purposes of ensuring security and protection of personal data. These measures include technical measures such as adequate Information Technology Security systems, access control systems amongst others as well as organisational measures which include the drafting and implementation of relevant policies such as the Data Privacy and Protection Policy, Data Breach Management Procedure, Data Privacy Impact Assessment Policy, Data Retention Policy amongst others.
- Appointment and Certification of Data Protection Officers
Organisations have an obligation to designate appropriate Data Protection Officers (DPOs) who are tasked with the responsibility of ensuring the organisation's compliance with the data protection laws. In a virtual meeting held on 11 January 2024, the Commission discussed the opportunity for registration of DPOs in Nigeria via its online portal. However, Organisations are required to register only DPOs who have undergone relevant data privacy and protection certification from internationally recognised data protection certification bodies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.