The NDPB released a compliance notice (“Notice”) on 13 October 2022, which contained additional compliance requirements for data controllers under the National Data Protection Adequacy Programme (“NaDPAP”) Whitelist.
We have highlighted some of these updates that may affect you as a data controller/processor in this regulatory compliance update.
Introduction
You will recall that the Nigeria Data Protection Bureau (“NDPB”) was established in February 2022 and has taken over from the National Information Technology Development Agency (“NITDA”) as the Data Protection Regulatory Authority in Nigeria.
On 6 October 2022, the NDPB released the Data Protection Bill 2022 (“the Bill”). The Bill appears to be a beacon of hope for final legislation on the subject, as the National Commissioner of the NDPB had stated earlier in the year that there would be a Data Protection Act by December 2022[1]. The Bill seeks to establish an independent and effective regulatory commission to superintend data protection and privacy issues and to supervise data controllers and data processors[2] within the private and public sectors.
Additionally, the NDPB released a compliance notice (“Notice”)[3] on 13 October 2022, which contained additional compliance requirements for data controllers under the National Data Protection Adequacy Programme (“NaDPAP”) Whitelist.
We have set out below relevant information on the Bill and the Notice that may affect you as a data controller/processor.
- The Data Protection Bill 2022
Please find annexed a summary of the Bill, highlighting its significant provisions.
- Nigeria Data Protection Bureau Compliance Notice – Supplementary Compliance Requirements for Data Controllers
Highlights of the Compliance Notice
- The Notice reiterated the objectives of the NDPR, which include to:
  - Safeguard the rights of natural persons to data privacy;
  - Foster safe conduct for transactions involving the exchange of Personal Data;
  - Prevent manipulation of Personal Data; and
  - Ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection.
- The Notice also stated that adequate technical and organizational measures for data protection are obligatory for every organization (as data controllers/processors) in Nigeria.
- The Notice further highlighted additional requirements that every data controller in Nigeria is expected to meet. Thus, every data controller is expected to:
  - Read and understand the NDPR as it applies to various situations and persons involved in data processing.
  - Develop and implement a Privacy Policy that is consistent with the NDPR.
  - Notify its employees, customers, and online visitors of its Privacy Policy.
  - Designate at least one or two members of staff as Data Protection Contacts (“DPCs”). These officers may, after training, become Data Protection Officers (“DPOs”) for the organization.
  - Forward the names of the DPCs (not more than 3) to the Bureau for a free Induction Course in Data Protection Regulation Compliance for Nigeria and the Economic Community of West African States (ECOWAS); if a DPO has already been appointed, his/her contact details should also be forwarded. The soft copy of the details should be forwarded to info@ndpb.gov.ng and the hard copy to 5 Donau Crescent, Maitama, Abuja.
  - Mandate its service providers (agents, licensees, contractors or howsoever called) to comply with the NDPR.
- All data controllers are to comply with the above obligations and duly notify the Bureau of the technical and organizational measures they are taking for data privacy and protection on or before 25 November 2022.
- Following the above steps, the NDPB will publish a NaDPAP Whitelist containing the list of all compliant data controllers/processors. The NaDPAP Whitelist will be published on the NDPB website and in major newspapers, and will be shared with local and international establishments. It will serve as a reference in relevant transactions and proceedings.
Penalty
Any organisation that fails to take the additional steps outlined in paragraph 3 above and to notify the NDPB accordingly will not be listed on the NaDPAP Whitelist. Additionally, the penalty for breach of the NDPR[4] may be imposed on a defaulting organisation where applicable.
*Please reach out to us via email (tmt@aelex.com) for further information in this regard.
[1] https://www.ndpb.gov.ng/Home/NewsDetails/11
[2] “Data Controller” means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed; “Data Controller/Administrator” means a person or an organization that processes data.
[3] Please find the Notice annexed to this Update.
[4] The penalty for breach by an organization may be as high as 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira (whichever is greater). In the case of a Data Controller dealing with fewer than 10,000 Data Subjects, the penalty is a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira, whichever is greater.