Nigeria/
data-protection/
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA)
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA)
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA) 2023 compliance. Covers lawful basis for processing, data subject rights, cross-border transfer mechanisms, Data Protection Compliance Organisation (DPCO) registration, mandatory DPIA filing, and breach notification. Keywords: NDPR, NDPA, Nigeria, NITDA, DPCO, Africa data protection, cross-border transfer.
Nigeria Data Protection Regulation (NDPR) and Nigeria Data Protection Act (NDPA)
Overview
Nigeria's data protection framework comprises the Nigeria Data Protection Regulation (NDPR) issued by NITDA in January 2019, and the Nigeria Data Protection Act (NDPA) signed into law on June 12, 2023. The NDPA established the Nigeria Data Protection Commission (NDPC) as an independent regulatory body, replacing NITDA's oversight role. The NDPA applies to the processing of personal data by any data controller or processor that is domiciled, resident, or operating in Nigeria, or that processes personal data of data subjects in Nigeria.
Lawful Basis for Processing (NDPA Section 25)
| Lawful Basis | Description |
|---|---|
| Consent | Data subject has given consent to the processing for one or more specific purposes. Must be freely given, specific, informed, and unambiguous. |
| Contract | Processing necessary for the performance of a contract to which the data subject is party. |
| Legal obligation | Processing necessary for compliance with a legal obligation of the controller. |
| Vital interests | Processing necessary to protect the vital interests of the data subject or another natural person. |
| Public interest | Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority. |
| Legitimate interests | Processing necessary for legitimate interests of the controller or third party, provided the interests are not overridden by the data subject's rights. |
Data Subject Rights (NDPA Part IV)
| Right | Description | Response Period |
|---|---|---|
| Right to be informed | Receive information about data processing at the point of collection | At collection |
| Right of access | Obtain confirmation of processing and a copy of personal data | 30 days |
| Right to rectification | Correct inaccurate personal data | 30 days |
| Right to erasure | Request deletion of personal data where no lawful basis for continued processing | 30 days |
| Right to restrict processing | Request limitation of processing in certain circumstances | 30 days |
| Right to data portability | Receive personal data in a structured, commonly used, machine-readable format | 30 days |
| Right to object | Object to processing based on legitimate interests or public interest | 30 days |
| Right related to automated decision-making | Not be subject to decisions based solely on automated processing that produce legal or significant effects | 30 days |
Sensitive Personal Data (NDPA Section 30)
The NDPA defines sensitive personal data as data relating to:
- Racial or ethnic origin
- Political opinions or affiliations
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for identification purposes
- Health data
- Sex life or sexual orientation
- Criminal convictions or offences
Processing of sensitive personal data requires explicit consent or is permitted under specific derogations (substantial public interest, employment obligations, vital interests, legal claims, health or social care purposes).
Cross-Border Transfer (NDPA Part VI)
Personal data may be transferred outside Nigeria where:
- Adequacy decision: The NDPC has determined that the receiving country or international organisation ensures an adequate level of data protection.
- Appropriate safeguards: Including binding corporate rules, standard contractual clauses approved by the NDPC, codes of conduct, or certification mechanisms.
- Derogations: Explicit consent, contract performance, public interest, legal claims, vital interests, or transfer from a public register.
The NDPC maintains a whitelist of countries with adequate protection. Controllers must conduct a transfer impact assessment and maintain records of all cross-border transfers.
Data Protection Compliance Organisation (DPCO)
Under the NDPR framework, organisations processing personal data of more than 2,000 data subjects in a 12-month period must engage a licensed Data Protection Compliance Organisation (DPCO) to conduct an annual data protection audit. The DPCO:
- Must be licensed by the NDPC (formerly NITDA)
- Conducts annual data protection audits
- Files the audit report with the NDPC
- Verifies compliance with the NDPR/NDPA
- Provides data protection advisory services
Data Protection Impact Assessment (NDPA Section 28)
Controllers must conduct a DPIA prior to processing that is likely to result in a high risk to data subjects' rights and freedoms, particularly:
- Systematic and extensive evaluation of personal aspects (profiling)
- Large-scale processing of sensitive personal data
- Systematic monitoring of a publicly accessible area
- Processing involving new technologies
DPIA results must be filed with the NDPC.
Breach Notification (NDPA Section 39)
| Requirement | Detail |
|---|---|
| Notification to NDPC | Within 72 hours of becoming aware of a personal data breach |
| Notification to data subjects | Without undue delay where the breach is likely to result in a high risk to rights and freedoms |
| Content of notification | Nature of breach, categories and approximate number of data subjects affected, name and contact of DPO, likely consequences, measures taken or proposed |
| Record keeping | Document all breaches regardless of notification obligation |
Penalties (NDPA Section 46)
- Organisations processing data of more than 10,000 data subjects: up to 2% of annual gross revenue or NGN 10 million, whichever is greater.
- Organisations processing data of fewer than 10,000 data subjects: up to 1% of annual gross revenue or NGN 2 million, whichever is greater.
- Additional remedies include compensation orders, enforcement notices, and compliance orders.
Registration Requirement
Data controllers and processors must register with the NDPC. The registration includes:
- Description of categories of data subjects and personal data
- Purposes of processing
- Categories of recipients
- Description of cross-border transfers
- Retention periods
- Description of security measures
No additional documents ship with this skill.