In February 2022, the Nigeria Data Protection Bureau (the “NDPB”), was established by the Federal Government as the principal data protection regulatory body to implement the objectives of the Nigeria Data Protection Regulation 2019 (“NDPR”), replacing the National Information Technology Development Agency (NITDA).
In furtherance of its objectives, the NDPB on October 5, 2022, issued a compliance directive (the “Directive”) to organisations that collect and or process personal data of Nigerians. (“Regulated Entities”). The Directive mandates Regulated Entities to comply with its provisions on or before November 25, 2022, in order to be included in the National Data Protection Adequacy Programme (“NADPAP”) Whitelist.
This article highlights the compliance requirements of the NDPB as provided in the Directive.
What is the National Data Protection Adequacy Programme (NADPAP)?
The NADPAP is a programme established by the NDPB to create more awareness on the responsibilities of data controllers/processors under the NDPR. The NDPB through this programme seeks to put together a Whitelist of Regulated Entities in Nigeria which are compliant with the requirements of the NDPR. These Regulated Entities will be published on the NDPB website, in major newspapers, and will be shared with local and international establishments to serve as a reference in relevant transactions.
Regulated Entities are expected to comply with the requirements of the Directive on or before November 25, 2022, to be included in the NDPB's publication.
What are the Compliance requirements under NADPAP?
i. Notification: Regulated Entities should notify the NDPB on or before November 25, 2022, of the technical and organisational measures it is taking to ensure data privacy and data protection.
ii. Key steps to be taken to avoid legal liabilities: The Directive highlights some key steps to be taken by Regulated Entities in order to avoid legal liabilities and ensure they meet up with the minimum required standard of care required under the NDPR. Regulated Entities are required to: (i) read and understand the NDPR; (ii) develop and implement a privacy policy that is consistent with the NDPR; (iii) notify their employees, customers, and online visitors of their privacy policy; and (iv) designate at least one or two members of staff as Data Protection Contacts (DPCs).
iii. Penalties attached to non-compliance: The Directive reiterates the resulting penalties for non-compliance with the NDPR, which include: payment of a fine of 2% of the annual gross revenue of the preceding year or 10 (ten) million naira (whichever is greater), in the case of a data controller dealing with more than 10,000 (ten thousand) data subjects, and payment of a fine of 1% of the annual gross revenue of the preceding year or 2 (two) million naira (whichever is greater), in the case of a data controller dealing with less than 10,000 (ten thousand) data subjects.
iv. Oversight: Regulated Entities are required to ensure that their service providers (i.e agents, licensees, contractors etc.) comply with the NDPR.
v. Free induction course: Regulated Entities are expected to forward the names of their DPCs (not more than three) to the NDPB for a free induction course in Data Protection Regulation Compliance for Nigeria and the ECOWAS via email to info@ndpb.gov.ng.
Conclusion
From the antecedents of the NDPB since its establishment, it is evident that its mandate to ensure compliance with the NDPR has been prioritized. It is, therefore, important for all Regulated Entities to liaise with relevant Data Protection Compliance Organisations to ensure full compliance with the provisions of the NDPR and avoid the penalties of non-compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
