Program of Event
Section 1: 10:00am to 11:00am
Break: 11:00am to 12:00pm
Section 2: 12:00pm to 1:00pm
Closing
TRAINING OBJECTIVES
By the end of this training, participants will be able to:
- Identify the primary regulations, policies, and laws governing data protection in Nigeria.
- Explain personal data and sensitive personal data.
- Describe the principles for processing personal data within the Nigerian context.
- Explain data subject rights.
- Explain the role of the Data Protection Officer (DPO).
- Describe the data protection documents and policies an organization needs.
- Understand the requirements for compliance with the Nigeria Data Protection Act (NDPA) and the consequences of non-compliance.
TABLE OF CONTENTS
- Introduction
- Data Protection and Data Privacy
- Data Privacy Legislation and Guidelines in Nigeria
- Personal Data, Sensitive Personal Data and Data Processing
- Exemption from Application of the Act
- The Data People
- Key Principles that Apply to the Processing of Personal Data
- Data Subject Privacy Rights
- Data Protection Officer
- Documents/Information
- NDPR Compliance Requirements
- Liability for Non-Compliance
Introduction
In today's digitally driven world, data has become a quintessential asset, powering
innovation, driving economic growth, and transforming various aspects of our lives.
However, this surge in data usage has also brought forth significant concerns regarding
privacy, security, and individual rights. As a response to these challenges, data protection
regulations have emerged as a critical framework aimed at safeguarding personal
information and fostering trust in the digital ecosystem.
First and foremost, data protection regulations serve to uphold fundamental human
rights, particularly the right to privacy. In an era where personal data is constantly
collected, processed, and analyzed, individuals must have control over how their
information is utilized. Data protection laws establish guidelines to ensure that personal
data is processed lawfully, transparently, and with respect for individual privacy
preferences. By empowering individuals with rights such as consent, access, and
erasure, these regulations reinforce the notion that personal data belongs to the
Introduction (continued)
Moreover, data protection regulations play a pivotal role in fostering trust and confidence among
consumers, businesses, and other stakeholders in the digital economy. By setting clear standards for data
handling practices, these regulations mitigate the risks of data breaches, identity theft, and other forms of
cybercrime. Organizations that comply with data protection laws demonstrate their commitment to ethical
conduct and responsible stewardship of personal information, thereby enhancing their reputations and
credibility in the marketplace. This trust is essential for promoting innovation, driving consumer
engagement, and facilitating cross-border data flows in a globalized world.
Furthermore, data protection regulations are essential for promoting fair competition and preventing
monopolistic practices in the digital marketplace. In an environment where data is often referred to as the
"new oil," it is imperative to prevent the abuse of dominant positions by certain players who may exploit
personal data for anti-competitive purposes. By imposing obligations such as data minimization, purpose
limitation, and data portability, these regulations level the playing field and promote a more open and
competitive digital ecosystem where users have a choice over how their data is used and shared.
Introduction (continued)
Additionally, data protection regulations are crucial for ensuring accountability and fostering a culture of
responsible data governance. By requiring organizations to implement privacy-by-design principles, conduct
data protection impact assessments, and appoint data protection officers, these regulations promote proactive
measures to identify and mitigate privacy risks throughout the data lifecycle. This proactive approach not only
helps organizations comply with legal requirements but also cultivates a broader culture of data ethics and
responsible innovation, thereby benefiting society as a whole.
DATA PROTECTION
• Data protection is about data security.
• It ensures that personal data is safeguarded from unlawful access by unauthorized parties.
• It protects organizational assets by "keeping threats out".
• Data protection is a governance issue.
• If you collect personal data, then you have the responsibility of protecting it from unauthorized access.

DATA PRIVACY
• Data privacy is grounded in Section 37 of the Constitution of the Federal Republic of Nigeria (CFRN), which guarantees citizens' right to privacy in their homes, correspondence, telephone conversations and telegraphic communications.
• Every Nigerian therefore has a right to data privacy.
• This underpins the rights of Nigerians over their personal data.
• If you collect personal data, then you must respect privacy rights.
DATA PRIVACY LEGISLATION AND GUIDELINES IN NIGERIA
The principal data protection legislation in Nigeria is the Nigeria Data Protection Act 2023 ("NDPA"), which was signed into law by President Bola Ahmed Tinubu on 14 June 2023.
The NDPA establishes the Nigeria Data Protection Commission ("NDPC"), the primary data protection authority. The NDPC is responsible for enforcing the provisions of the NDPA and for the administration of all data protection matters in Nigeria.
The NDPA retained and did not repeal the existing Nigeria Data Protection Regulation 2019 ("NDPR") and its Implementation Framework. These documents are now to be read in conjunction with the NDPA; where there is any conflict in their provisions, the provisions of the NDPA prevail.
DATA PRIVACY LEGISLATION AND GUIDELINES IN NIGERIA (continued)
The following laws and regulations impact data protection in Nigeria:
a. The Constitution of the Federal Republic of Nigeria 1999 (as amended).
b. The Nigeria Data Protection Regulation 2019 (“NDPR”).
c. The NDPR Implementation Framework 2020, issued by the National Information
Technology Development Agency (“NDPR Implementation Framework”).
d. The Child Rights Act 2003.
e. The Cybercrimes (Prohibition, Prevention, etc.) Act, 2015.
f. The Freedom of Information Act, 2011.
g. The National Health Act, 2014.
h. The HIV and AIDS (Anti-Discrimination) Act, 2014.
DATA PRIVACY LEGISLATION AND GUIDELINES IN NIGERIA (continued)
The following sector-specific laws, regulations and guidelines have an impact on data protection in Nigeria:
a. The Consumer Code of Practice Regulations 2007 (“NCC Regulations, 2007”) published by the Nigerian
Communications Commission (“NCC”).
b. The Registration of Telephone Subscribers Regulations 2011, published by the NCC.
c. The Consumer Protection Regulations 2020, issued by the Central Bank of Nigeria (“CBN”), Nigeria’s apex bank.
d. The Lawful Interception of Communications Regulations, 2019 which was issued by the NCC.
e. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020, issued by NITDA.
f. The Official Secrets Act 1962.
g. The CBN Guidelines on Point of Sale Card Acceptance Services 2011.
h. The CBN Regulatory Framework for Bank Verification Number Operations and Watch-List for The Nigerian
Banking Industry 2017.
i. The NITDA Guidelines for Nigerian Content Development in Information and Communication Technology 2019
(as amended).
Exemption from Application of the Act
● The NDPA does not apply "to the processing of personal data carried out by one or more persons solely for personal or household purposes", as long as such processing does not violate the fundamental right to privacy of a data subject.
● Processing by law enforcement during the prevention, investigation, detection or prosecution of a crime, processing for the prevention or control of a national public health emergency, for national security or for public interest purposes, and processing necessary for the establishment, exercise or defense of legal claims are exempt from most of the obligations under Part V of the Act.
Exemption from Application of the Act (continued)
Accordingly, the NDPA will not apply to a data controller or data processor if the processing of personal data is carried out by a competent authority for any of the following purposes:
● the prevention, investigation, detection, prosecution, or adjudication of a criminal offense, or to execute a criminal penalty in accordance with any applicable law;
● to prevent or control a national public health emergency;
● as is necessary for national security;
● in respect of publication in the public interest, for journalism, educational, artistic and literary purposes, to the extent that such obligations and rights are incompatible with such purposes; or
● necessary to establish, exercise, or defend legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
PERSONAL AND SENSITIVE PERSONAL DATA
Section 65 (the interpretation section) of the Act defines personal data as "any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual."
PERSONAL AND SENSITIVE PERSONAL DATA (continued)
It further defines sensitive personal data as personal data relating to an individual's:
● genetic and biometric data, for the purpose of uniquely identifying a natural person;
● race or ethnic origin;
● religious or similar beliefs, such as those reflecting conscience or philosophy;
● health status;
● sex life;
● political opinions or affiliations; and
● trade union memberships.
WHAT IS DATA PROCESSING?
Section 65 of the Nigeria Data Protection Act defines "processing" as "any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction", and states that it "does not include the mere transit of data originating outside Nigeria".
THE DATA PEOPLE
DATA SUBJECT: An individual to whom personal data relates.
DATA CONTROLLER: An individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data.
DATA PROCESSOR: An individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor.
DATA PROTECTION OFFICER (DPO): An individual who ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data.
DATA PROTECTION COMPLIANCE ORGANIZATION (DPCO): An organization licensed by NITDA to provide data protection compliance services.
Data Controller or Data Processor of Major Importance
According to the NDPA, a “Data Controller or Data Processor
of Major Importance” is a Data Controller or Data Processor
that is domiciled, resident in, or operating in Nigeria and
processes or intends to process personal data of more than such
number of data subjects who are within Nigeria, as the NDPC
may prescribe, or such other class of Data Controller or Data
Processor that is processing Personal Data of particular value or
significance to the economy, society or security of Nigeria as
the NDPC may designate.
Key principles that apply to the processing of personal data
These principles are designed to protect individuals' rights and ensure their data is handled responsibly.
● Lawfulness, Fairness and Transparency
● Purpose Limitation
● Data Minimization
● Accuracy
● Storage Limitation
● Integrity and Confidentiality
DATA PROTECTION PRINCIPLES: Lawfulness, Fairness and Transparency
Section 24(1) of the NDPA provides that Personal Data shall be processed in a fair, lawful and transparent manner. It also provides that Personal Data is to be collected for specified, explicit, and legitimate purposes and is not to be further processed in a way incompatible with those purposes.
Example: Where personal data is collected by an online bookshop before a customer downloads an e-book, the data subject must be informed about the purpose of the data collection and must be asked to give their consent. If the bookshop also wants to add this person to its mailing list, the data subject must knowingly agree to it by opting in.
LEGAL BASES FOR PROCESSING PERSONAL DATA
● Consent
● Contract
● Legal compliance
● Vital interest of the data subject
● Public interest
● Legitimate interest
LEGAL BASES FOR PROCESSING PERSONAL DATA (continued)
Lawful basis for processing: Section 25 of the NDPA provides six lawful bases for the
processing of Personal Data:
A. where the Data Subject has given and not withdrawn consent for the specific purpose
or purposes for which Personal Data is to be processed;
B. where processing is necessary for the performance of a contract to which the Data
Subject is party or in order to take steps at the request of the Data Subject prior to
entering into a contract;
C. where processing is necessary for compliance with a legal obligation to which the Data
Controller or Data Processor is subject;
D. where processing is necessary in order to protect the vital interests of the Data Subject
or of another natural person;
E. where processing is necessary for the performance of a task carried out in the public
interest or in exercise of official public mandate vested in the Data Controller; or
F. where processing is necessary for the purposes of the legitimate interests pursued by
the Data Controller or Data Processor, or by a third party to whom the data is disclosed.
DATA PROTECTION PRINCIPLES: Purpose Limitation
Personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Example: Many online stores collect personal data so that they can provide customers with targeted offers that match their spending habits. The principle of purpose limitation would be breached if those stores then handed such data to a travel agency, as this is beyond the scope for which the data was collected.
DATA PROTECTION PRINCIPLES: Data Minimization
Data controllers should only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Organizations should avoid collecting unnecessary or excessive amounts of personal data.
Example: A recruitment agency helps an employer to find qualified candidates for a job opening. The agency asks candidates to fill out a general questionnaire that contains specific health-related questions that are only applicable to specific jobs. Obtaining such data from a person who applied for an office job would be unnecessary.
DATA PROTECTION PRINCIPLES: Accuracy
Personal data should be accurate and, where necessary, kept up to date. Data controllers are responsible for taking reasonable steps to ensure that inaccurate personal data is rectified or erased without delay.
Example: If a person moves home from Europe to Canada, documenting that they currently live in Europe would be incorrect. Nevertheless, a record indicating that they once lived in Europe remains true, even though they no longer live there.
DATA PROTECTION PRINCIPLES: Storage Limitation
Section 24(1)(d) of the NDPA provides that a Data Controller or Data Processor shall ensure that Personal Data is retained for not longer than is necessary to achieve the lawful bases for which the Personal Data was collected or further processed.
Example: An organization has collected and used the personal data of its customers to better understand their needs before launching a particular product. The principle of storage limitation would be breached if the organization did not dispose of such data after the product is launched.
Storage Limitation
Section 8.2 of the NDPR Implementation Framework specifies the statutory retention periods for storing Personal Data, which apply where no specific duration is agreed between the parties or stated in any applicable law. The retention periods stipulated in section 8.2 of the NDPR Implementation Framework are as follows:
A. three years after the last active use of a digital platform;
B. six years after the last transaction in a contractual agreement;
C. upon the presentation of evidence of death by a deceased's relative, the Data Controller and/or Processor must immediately delete the Personal Data of the deceased Data Subject unless there is a legal obligation imposed on the Data Controller to continue to store the Personal Data;
D. immediately upon a request by the Data Subject or his/her legal guardian where:
I. no statutory provision provides otherwise; and
II. the Data Subject is not the subject of an investigation or suit that may require the Personal Data sought to be deleted.
The NDPR Implementation Framework further requires that Personal Data which is no longer in use or which has been retained beyond the requisite statutorily required retention period
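As an added illustration (not part of the original training material), the following Python code turns the four retention rules above into a decision procedure that a retention sweep could run over customer records. The record schema, the flags for a statutory obligation to retain and for a pending investigation or suit, the constructed sample records, and the choice that the later of the two time-based windows governs when both apply are assumptions of this example, not statements of the NDPR Implementation Framework.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Default retention windows quoted above from section 8.2 of the NDPR
# Implementation Framework; they apply only where no other duration is
# agreed between the parties or imposed by law.
PLATFORM_INACTIVITY_YEARS = 3   # rule A: last active use of a digital platform
CONTRACT_INACTIVITY_YEARS = 6   # rule B: last transaction under a contract


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb is clamped to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class SubjectRecord:
    """One data subject's retention-relevant metadata (hypothetical schema for this example)."""
    subject_id: str
    last_platform_use: Optional[date] = None
    last_transaction: Optional[date] = None
    death_evidenced: bool = False              # rule C: a relative presented evidence of death
    deletion_requested: bool = False           # rule D: request by the subject or legal guardian
    legal_obligation_to_retain: bool = False   # a statute requires continued storage
    under_investigation_or_suit: bool = False  # rule D(II): data may be needed in proceedings


def retention_decision(rec: SubjectRecord, today: date) -> Tuple[str, Optional[date]]:
    """Return ("delete", None), ("retain", expiry_date), or ("retain", None) for an open-ended hold."""
    # A statutory retention obligation overrides the Framework defaults (rule C, rule D(I),
    # and the opening condition that the periods apply only where no law provides otherwise).
    if rec.legal_obligation_to_retain:
        return ("retain", None)
    # Rule C: evidence of death -> delete immediately.
    if rec.death_evidenced:
        return ("delete", None)
    # Rule D: the subject's request -> delete immediately unless an investigation
    # or suit may require the data (rule D(II)).
    if rec.deletion_requested:
        return ("retain", None) if rec.under_investigation_or_suit else ("delete", None)
    # Rules A and B: time-based expiry. Assumption of this example: when both
    # windows apply, the later expiry governs.
    expiries = []
    if rec.last_platform_use is not None:
        expiries.append(add_years(rec.last_platform_use, PLATFORM_INACTIVITY_YEARS))
    if rec.last_transaction is not None:
        expiries.append(add_years(rec.last_transaction, CONTRACT_INACTIVITY_YEARS))
    if not expiries:
        return ("retain", None)  # no dated activity on file: flag for manual review
    expiry = max(expiries)
    return ("delete", None) if today >= expiry else ("retain", expiry)


def records_due_for_deletion(records: List[SubjectRecord], today: date) -> List[str]:
    """IDs of the records a sweep should delete as of `today`, in input order."""
    return [r.subject_id for r in records if retention_decision(r, today)[0] == "delete"]


# Constructed sample data for the example (not real customer records).
AS_OF = date(2024, 6, 1)
SAMPLE_RECORDS = [
    SubjectRecord("s1", last_platform_use=date(2020, 2, 29)),                        # 3-year window closed 2023-02-28
    SubjectRecord("s2", last_platform_use=date(2020, 1, 10),
                  last_transaction=date(2021, 6, 1)),                                # contract window open until 2027-06-01
    SubjectRecord("s3", death_evidenced=True),                                       # rule C: delete now
    SubjectRecord("s4", deletion_requested=True, under_investigation_or_suit=True),  # rule D(II): hold
    SubjectRecord("s5", deletion_requested=True),                                    # rule D: delete now
    SubjectRecord("s6", last_transaction=date(2017, 3, 1),
                  legal_obligation_to_retain=True),                                  # statutory hold
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.subject_id, retention_decision(rec, AS_OF))
    print("due for deletion:", records_due_for_deletion(SAMPLE_RECORDS, AS_OF))
```

The sweep keeps a record while any applicable window is still open, and a statutory hold or a pending investigation always wins over a deletion trigger, which is the order of precedence a practitioner has to get right before automating deletions.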
DATA PROTECTION PRINCIPLES: Data Security (Integrity and Confidentiality)
Personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage. The NDPA requires a Data Controller and Data Processor to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of Personal Data in their possession.
Example: For remote work, an organization offers laptops to its staff, with secure storage lockers for home use and a locking system for outside use. However, the risk of theft and loss of equipment still persists. The principle of integrity and confidentiality would be breached if the organization did not encrypt all of the data stored on the laptops. The encryption of the data would reduce the improper and unauthorized use of
DATA SUBJECT PRIVACY RIGHTS
Under the Act, a data subject has the right to:
● Obtain information regarding the personal data held by a controller or processor about the requestor, in a commonly used electronic format;
● Know the source of the information where the data has been collected from a source other than the data subject;
● Lodge a complaint with the Commission;
● Know of the existence of automated decision-making (ADM) and not be subject to a decision that is based solely on automated processing of personal data;
● Correct, and where that is not feasible or suitable, delete inaccurate, out-of-date, incomplete, or misleading information;
● Request erasure where the personal data is no longer required in relation to the purpose for which it was collected;
● Request the restriction of processing of personal data;
● Object to the processing of personal data;
● Data portability: the Act makes it possible for a data subject to receive personal data concerning them from a data controller and transmit it to another controller, or for the data to be transferred directly from one controller to another;
● Withdraw consent to the processing of personal data at any time.
Data Protection Officer (DPO)
The role of a Data Protection Officer (DPO) is crucial in ensuring that an organization complies with data protection regulations and effectively manages the privacy and security of personal data. The responsibilities of a DPO typically include:
Monitoring Compliance: The DPO is responsible for ensuring that the organization complies with relevant data protection laws and regulations, such as the NDPA (or the GDPR or CCPA for organizations with operations abroad). This involves staying up to date with changes in legislation and assessing the organization's data processing activities for compliance.
Advising on Data Protection Matters: The DPO provides guidance and advice to the organization, its employees, and third parties on data protection obligations, policies, and procedures. They may assist in conducting data protection impact assessments (DPIAs) and addressing privacy concerns or inquiries.
Data Protection Officer (DPO) (continued)
Data Protection Policies and Procedures: The DPO helps develop,
implement, and maintain data protection policies, procedures, and
documentation within the organization. This includes privacy notices, data
processing agreements, data retention policies, and incident response
plans.
Training and Awareness: The DPO ensures that employees are trained on
data protection requirements and best practices. They may conduct training
sessions, develop educational materials, and raise awareness about the
importance of data protection across the organization.
Data Subject Rights: The DPO oversees the organization's processes for
handling data subject requests, such as access requests, rectification
requests, and requests for erasure (right to be forgotten). They ensure that
requests are handled promptly and in accordance with applicable laws.
Data Protection Officer (DPO) (continued)
Monitoring Data Security: The DPO monitors the organization's data security measures to protect
against unauthorized access, loss, or misuse of personal data. They may conduct regular audits,
risk assessments, and security reviews to identify vulnerabilities and ensure appropriate
safeguards are in place.
Incident Management and Response: In the event of a data breach or security incident, the DPO
leads the organization's response efforts. This includes investigating the incident, assessing its
impact, notifying affected individuals and authorities as required, and implementing corrective
actions to prevent future incidents.
Liaison with Supervisory Authorities: The DPO serves as the point of contact for supervisory authorities (such as the NDPC in Nigeria, the Information Commissioner's Office in the UK, or the data protection authority in other jurisdictions) on data protection matters. They may handle communications, inquiries, and notifications to regulators as required by law.
Vendor Management: The DPO evaluates the data protection practices of third-party vendors and
partners that process personal data on behalf of the organization. They may review contracts,
assess vendor compliance, and ensure appropriate safeguards are in place to protect data.
CHILDREN'S PRIVACY
The Act expands the protections accorded to children and persons lacking legal capacity, and sets the age under which a data subject is considered a "child" at 18 years, in alignment with the Nigeria Child Rights Act.
The Act also includes specific consent requirements for children and persons lacking the legal capacity to consent. To give effect to this, the Act requires controllers and processors to adopt consent verification mechanisms.
To guarantee stronger privacy protections for children, the Commission will create Regulations to guide the processing of personal data of children of 13 years and above in the course of their usage of online products and services.
However, there are instances where a controller or processor may process the
personal data of children and persons lacking legal capacity without the consent
of a parent or legal guardian, such as:
● Where the processing is necessary to protect the vital interests of the child or
person lacking the legal capacity to consent;
● Where the processing is carried out for purposes of education, medical, or
social care, and undertaken by or under the responsibility of a professional
or similar service provider owing a duty of confidentiality; or
● Where the processing is necessary for proceedings before a court relating to
the individual.
Documents/Information
● Data protection policy
● Privacy policy
● Data subject consent form
● Internal breach register
● Data subject access request procedure and form
● Subject access request record
● Data breach notification procedure
● etc.
Data protection policy
A data protection policy outlines an organization's approach to handling and
protecting sensitive information. It typically includes guidelines, procedures,
and responsibilities related to collecting, storing, processing, and sharing
data to ensure compliance with relevant laws and regulations.
Content
1. Purpose
The purpose of this policy is to establish guidelines and procedures for the
protection of sensitive information collected, processed, stored, and shared
by us.
2. Scope
This policy applies to all employees, contractors, partners, and third parties who
Data protection policy (continued)
3. Data Protection Principles
We are committed to upholding the following data protection principles:
● Lawfulness, fairness, and transparency: Data will be processed lawfully, fairly, and transparently in
accordance with applicable data protection laws and regulations.
● Purpose limitation: Data will be collected for specified, explicit, and legitimate purposes and will not be
further processed in a manner incompatible with those purposes.
● Data minimization: Only necessary data will be collected and processed for the intended purposes.
● Accuracy: Reasonable steps will be taken to ensure that personal data is accurate and up-to-date.
● Storage limitation: Data will be retained only for as long as necessary to fulfill the purposes for which it
was collected.
● Integrity and confidentiality: Appropriate technical and organizational measures will be implemented to
ensure the security, integrity, and confidentiality of personal data.
Data protection policy (continued)
4. Data Handling Procedures
● Data Collection: Only collect personal data necessary for specified purposes with the
consent of the data subject whenever required.
● Data Processing: Process personal data in accordance with applicable laws and
regulations and ensure appropriate security measures are in place.
● Data Storage: Store personal data securely and ensure access is restricted to
authorized personnel only.
● Data Sharing: Share personal data with third parties only when necessary and with
appropriate safeguards in place.
5. Data Subject Rights
We recognize the rights of data subjects under applicable data protection laws,
including the rights to access, rectification, erasure, restriction of processing, data
Data protection policy (continued)
6. Data Security
We will implement appropriate technical and organizational measures to protect
personal data against unauthorized access, disclosure, alteration, and destruction.
7. Data Breach Response
In the event of a data breach, we will promptly assess the breach, take the necessary steps to mitigate any adverse effects, and notify affected individuals and relevant authorities as required by law.
8. Training and Awareness
We will provide training and awareness programs to all employees and relevant
stakeholders to ensure compliance with this policy and data protection laws.
Data protection policy (continued)
9. Compliance Monitoring and Review
This policy will be regularly reviewed and updated to ensure compliance with evolving
data protection laws and best practices. Non-compliance with this policy may result in
disciplinary action, up to and including termination of employment or contractual
relationship.
10. Contact Information
For questions or concerns regarding this policy or data protection practices, please
contact Designated Data Protection Officer or Department.
11. Policy Acknowledgment
All employees, contractors, partners, and third parties must acknowledge receipt and
understanding of this policy and agree to comply with its provisions.
Privacy policy
A privacy policy is a legal document that outlines how an organization
collects, uses, stores, and protects personal data collected from individuals.
It informs users about their rights regarding their personal information and
provides transparency about the organization's data practices. Below is a
general template for a privacy policy:
1. Introduction
XYZ is committed to protecting the privacy and security of your personal
information. This Privacy Policy explains how we collect, use, disclose, and
protect the personal information we collect from you when you use our
[website/application/service].
Privacy policy (continued)
2. Information We Collect
● Personal Information: We may collect personal information such as your name, email address,
postal address, phone number, and other contact information when you interact with us.
● Usage Information: We may automatically collect information about your usage of our
[website/application/service], including your IP address, device information, browser type, and
operating system.
● Cookies and Similar Technologies: We use cookies and similar tracking technologies to collect
information about your interactions with our [website/application/service].
3. How We Use Your Information
We may use the information we collect for the following purposes:
● To provide and maintain our [website/application/service].
● To personalize your experience and provide tailored content.
● To communicate with you about our products, services, and promotions.
● To analyze usage trends and improve our [website/application/service].
● To comply with legal and regulatory requirements.
Privacy policy (continued)
4. How We Share Your Information
We may share your personal information with third parties for the following purposes:
● With service providers who assist us in providing our [website/application/service].
● With our affiliates and business partners for marketing and promotional purposes.
● In response to a legal request or to comply with applicable laws and regulations.
● In connection with a merger, acquisition, or sale of assets.
5. Your Choices
● Opt-Out: You may opt-out of receiving marketing communications from us by following the
instructions provided in the communication.
● Cookies: You can set your browser to refuse all or some browser cookies or to alert you
when websites set or access cookies. If you disable or refuse cookies, please note that
some parts of our [website/application/service] may become inaccessible or not function
properly.
Privacy policy (continued)
6. Data Security
We take reasonable measures to protect the security of your personal
information from unauthorized access, use, or disclosure.
7. Children's Privacy
Our [website/application/service] is not directed to individuals under the age of
18, and we do not knowingly collect personal information from children under 18.
8. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted
on this page with an updated effective date.
9. Contact Us
If you have any questions or concerns about our Privacy Policy or our data
Why should we comply?
A- Attraction of reputable investors
B- Brand Image Enhancement
C- Customer/Citizen Loyalty
D- Data Process Maturity
E- Earning Power
F- Focus for your organization. Reduce distractions
G- Goodwill with Government, Citizens and Businesses
NDPR Compliance Requirements
● Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance initiatives within the organization.
● Document and publish a data protection policy in line with the requirements of the Regulation, within six months of its issuance.
● Ensure continuous capacity building and training for the Data Protection Officer and other personnel involved in processing personal data.
● Engage a licensed Data Protection Compliance Organization (DPCO) to perform a data protection audit and file a report with NITDA within the stipulated timeline (six months from the issuance of the Regulation, plus 3 months).
NDPR Compliance Requirements (continued)
● If a Data Controller processes the personal data of more than 2,000 Data Subjects in a period of 12 months, it shall submit a summary of its data protection audit to the Agency (NITDA). Such an organization must submit the audit on 15 March 2020 and on 15 March of every subsequent year.
● If a Data Controller processes the personal data of more than 1,000 Data Subjects in a period of 6 months, it shall submit a soft copy of the summary of the audit to the Agency.
OFFENCES AND SANCTIONS
The Act provides a data subject who has suffered injury, loss, or harm,
Where a controller or processor violates the provisions of the Act or subsidiary legislation, the Commission may issue a compliance order requiring them to take specific measures to remedy the situation within a specified period, and inform them of their right to a judicial review.
The Commission may also impose an enforcement order or a sanction. In issuing an enforcement order or a sanction, the Commission may:
● Require the data controller or processor to remedy the violation;
● Order the compensation of data subjects;
● Order the controller or processor to account for profits realized from the violation; or
● Impose a penalty.
The penalty amount depends on whether or not the violator is a data controller or processor of major importance. Penalties against data controllers or processors of major importance shall be the higher of N10,000,000 (approximately 22,000 USD) or 2% of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be the higher of N2,000,000 (approximately 4,300 USD) or 2% of the annual gross revenue of the preceding financial year.