In today’s digital age, a common notion is “Data is the new oil.” Coined by British mathematician Clive Humby in 2006, the phrase draws an analogy with the oil revolution of the Industrial Era: data, like oil, requires refinement before it has value and can drive innovation and business performance. Over the years, however, this comparison has evolved as conversations about data have moved beyond its economic value to privacy, regulation, and its potential to cause harm.
As data protection concerns grow globally, many countries are ensuring that businesses handle personal data responsibly, and Nigeria is no exception. The Nigeria Data Protection Regulation (NDPR) was introduced in 2019, and the bill was signed into law by President Bola Tinubu in June 2023. The resulting Act provides a legal framework for protecting personal information and for the practice of data protection in Nigeria.
This blog post delves into the Nigeria Data Protection Act (NDPA), its principles, the steps Cloneshouse is taking to comply, and a guide for organisations seeking to comply with the Act.
The Nigerian Data Protection Act
The Nigeria Data Protection Regulation was enacted on 25 January 2019 under Section 6 of the NITDA Act 2007 as a legal framework that harmonises data privacy laws across Nigeria and protects and empowers all Nigerian citizens regardless of location. Four years after its adoption, the NDPR was signed into law on 12 June 2023.
The NDPA is similar to other international data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), in that it prioritises the protection of personal data and establishes legal obligations for privacy and data security.
The Act also establishes the Nigeria Data Protection Commission, replacing the previous Nigeria Data Protection Bureau formed under former President Buhari in February 2022. Led by a National Commissioner, this Commission oversees the regulation of personal information processing.
Principles of Processing Personal Data
The Act highlights principles that data controllers and data processors must adhere to in order to ensure that personal data is processed responsibly, ethically, and securely.
These principles include:
- Lawfulness, Fairness, and Transparency: Personal data must be processed in a lawful, fair, and transparent manner. This means organisations should collect data only for clear, legitimate purposes and inform individuals how their data will be used.
- Purpose Limitation: Personal data must be collected for specified, explicit, and legitimate purposes. Organisations must have a valid reason for collecting the data and must use it only for those stated purposes.
- Data Minimisation: Data collected should be relevant, adequate, and limited to the purposes for which it was collected. In other words, data processors and data controllers should not collect data beyond what is required to fulfil a specific need.
- Storage Limitation: Personal data must be retained only for as long as necessary to achieve the lawful purpose for which it was collected. Once that purpose is fulfilled, the data should be securely deleted or anonymised to prevent misuse or unauthorised access.
- Accuracy: Personal data must be accurate, complete, and not misleading. Organisations should also put measures in place to keep the data up to date.
- Security: Personal data must be processed in a manner that guarantees appropriate security. Organisations are required to implement technical and organisational measures, such as access control, anonymisation, and encryption, to protect personal data from being compromised.
In addition to these principles, the Act mandates that organisations put in place appropriate technical and organisational measures to ensure the confidentiality, integrity, and availability of personal data. This means an organisation must not only protect data against unauthorised access but also ensure it remains intact, accurate, and accessible when needed by authorised personnel. The Act further stipulates that data controllers and data processors must demonstrate accountability for how they handle personal data, upholding the principles of data protection and adhering to the requirements set out in the Act.
The Act covers a wide range of provisions, which can be further explored to gain a deeper understanding of data protection practices in Nigeria.
How Cloneshouse is Abiding
As an organisation that is deeply committed to data privacy and security, we have implemented a robust organisational data protection framework that fully aligns with the provisions of the NDPA. Here are some steps taken to ensure compliance:
Organisational Data Privacy Policy
We have a clear data privacy and protection policy that outlines how we handle personal data. This policy is shared with clients and donors, so they know exactly how their information is collected, used, and protected.
Data Collection and Consent
We make it a priority to collect personal data only with the explicit consent of our clients, customers and project participants. Our consent forms are straightforward and transparent, explaining why we collect data, how it will be used, and what rights individuals have over their own information.
Data Minimization and Purpose Limitation
We follow a data minimization approach, gathering only the information that is necessary for the services we provide. We also ensure the purpose of data collection is clearly defined and that data is only used for the stated purposes.
Data Security Measures
To protect personal data, we implement various technical and organisational security measures, including encryption, access controls, regular security audits, and continuous monitoring of our systems to prevent breaches or unauthorised access.
Training and Awareness
At Cloneshouse, we believe that data protection is not just about compliance; it is about creating a culture of awareness. The Cloneshouse Data Protection Officer conducts quarterly training for the team and clients on data privacy best practices, ensuring everyone is informed and prepared to handle data responsibly.
How to Comply with the Nigeria Data Protection Act
Below is a step-by-step guide to help you navigate the process of registering with the Nigeria Data Protection Commission as a Data Controller or Processor of Major Importance.
Step 1: Determine Your Eligibility
The NDPA categorizes organizations that need to register as “Data Controllers” or “Data Processors of Major Importance.” These are organizations that:
- Process personal data of more than 200 individuals within six months.
- Operate in key sectors such as finance, communication, health, education, tourism, or oil and gas.
- Engage in data-intensive activities such as ICT services or cross-border data processing, or manage sensitive personal data.
Assess your operations to determine if you fall under the classification criteria outlined by the NDPC.
Step 2: Understand Your Classification
The NDPC classifies Data Controllers and Processors into three categories based on the scale of operations and data sensitivity:
- Ultra High Level (MDP-UHL)
  - Includes commercial banks, telecom companies, multinational corporations, and organizations processing over 5,000 individuals’ data in six months.
  - Fee: ₦250,000.
- Extra High Level (MDP-EHL)
  - Includes government agencies, higher institutions, hospitals, and organizations processing over 1,000 individuals’ data in six months.
  - Fee: ₦100,000.
- Ordinary High Level (MDP-OHL)
  - Includes SMEs, primary schools, primary healthcare centers, and organizations processing over 200 individuals’ data in six months.
  - Fee: ₦10,000.
Identify your category to know the applicable requirements and registration fees.
Step 3: Registration
During the registration process, the following documents are typically requested (though not all are mandatory):
- A Data Protection Policy tailored to operations.
- Organizational details, including the registration number.
- Evidence of compliance, such as audits or assessments.
- Details of a certified Data Protection Officer (DPO).
Upon successful registration, a certificate will be issued.
Step 4: Maintain Compliance
After registration, adhere to the NDPA’s obligations, including:
- Engaging a licensed Data Protection Compliance Organisation for routine audits and reporting.
- Safeguarding personal data during processing and storage.
- Ensuring transparency in data handling practices.
If you have questions or need assistance during the registration process, contact the NDPC via www.ndpc.gov.ng.
In conclusion, data is one of the most valuable assets a business can possess, and it comes with a responsibility to protect both the data and its owner. Start your compliance journey today to stay ahead in a data-driven economy!
About the Author
Rachael Okoronkwo is a PMD-Pro certified development practitioner with five years of experience in project planning, implementation, monitoring, evaluation, and learning (MEL) for government and non-governmental organizations. Her interests span gender, education, public health, public policy advocacy, and youth leadership. She excels in designing robust M&E frameworks, conducting data collection, analysis, management and protection, and delivering actionable insights to optimize program outcomes. She is also an active member of the EvalYouth Global Network, where she contributes to advancing youth involvement in evaluation practices, particularly within the private sector.
In addition to her professional pursuits, Rachael is deeply committed to volunteerism, driving initiatives that empower underserved communities, advocate for gender equity, and promote sustainable development. She is a 2023 Fellow of the Friedrich Ebert Stiftung Nigeria and a member of the YALI Network Abuja. Guided by her personal mantra, “Positive change begins with me,” she has built a career in project management and advocacy, always striving for impactful change.