Nigeria, like many African countries, has taken on board the major challenges of data governance. In implementing its strategy to secure its digital space and establish its digital sovereignty over the 213.4 million Nigerians, the Nigeria Data Protection Act, 2023 came into force on 12 June 2023. The Act guarantees a formal legal framework for the protection of citizens’ personal data and information, and the practice of data protection in the country.
The new law establishes the Nigerian Data Protection Commission (NDPC), which replaces the Nigerian Data Protection Bureau (NDPB). The new body’s remit includes regulating and promoting the deployment of technological and organisational measures to improve the protection of personal data; imposing sanctions for any breach of the provisions of the Act or subsidiary legislation derived therefrom; and accrediting, licensing and registering suitable persons to provide data protection compliance services.
As part of the guidelines for implementing the Act, the Commission has issued an information notice to data controllers and processors to remind them of the imminent expiry of certain compliance obligations.
The obligation to draw up an annual compliance report
In accordance with the Nigeria Data Protection Act (NDP Act) and its implementing legislation, the General Application and Implementation Directive (GAID), data controllers and processors are required to complete and file annual data protection compliance audit returns (CAR) with the Data Protection Authority. This report is the embodiment of the principle of accountability, a fundamental principle of the law that guarantees effective compliance by the bodies concerned in both the public and private sectors.
When a data controller reaches the legal data processing threshold of one thousand (1,000) data subjects within a period of six (6) months or two thousand (2,000) data subjects within a period of twelve (12) months, it is required to submit its audit report to the Commission, in accordance with section 4.1, paragraphs 6 and 7 of the Nigerian law. The deadline for filing the said report is 15 March 2024. The filing process is facilitated by approved Data Protection Compliance Organisations (DPCOs). These organisations are registered on a list maintained by the Commission and work on behalf of their clients to support them in their compliance process.
Other points to watch out for
Initial training for Data Protection Officers (DPOs)
All appointed Data Protection Officers must attend an induction training course to be organised by the Commission in January 2024. This training will specifically address the rights of data subjects, as well as the various compliance obligations relevant to controllers and processors under the Act and its implementing decree.
The planned training is free of charge and specifically concerns designated DPOs.
As the format has not been specified, the Commission reserves the right to specify these procedures at a later date.
The Commission’s white list
The Commission will maintain a white list on which data controllers and processors who have demonstrated their compliance will be entered, following receipt of the annual compliance audits.
The white list is an accountability tool, as it contains functional information on controllers and processors. It is a rebuttable presumption that a controller or processor on the list is committed to taking adequate technical and organisational measures to safeguard the rights of data subjects.
The presence of a body on this list does not therefore imply any commitment, certification or labelling whatsoever on the part of the Commission. It is the responsibility of the listed organisation to implement adequate security measures, maintain them and ensure their continuous improvement.
Penalties for non-compliance
The Commission’s notice also provides for a set of specific sanctions in the event of non-compliance with the obligations mentioned, in particular the filing of the CAR, on the basis of the national data protection law, the NDP Act. The penalties provided for fall into two categories: financial, and procedural or reputational. A data controller or processor found in breach must therefore:
• Remedy the breach;
• Pay compensation to the data subject who has suffered harm, loss or damage as a result of the breach;
• Account for any profits made as a result of the breach;
• Pay a penalty or repair costs.
It is therefore imperative that data controllers and processors take these requirements into account in order to comply and effectively protect the personal data of Nigerian citizens.
By Patrick NGUETCHOUESSI, PhD Student & DPO.