In January 2019, the National Information Technology Development Agency ("NITDA") issued the Nigeria Data Protection Regulation 2019 (the "Regulation").

The Regulation applies to all transactions intended for the processing of Personal Data, whether being conducted or intended to be conducted, and to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.

The Regulation shall not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, or contract for the time being in force in Nigeria or any foreign jurisdiction.

This article seeks to highlight some provisions of the Regulation.

  1. GOVERNING PRINCIPLES OF DATA PROCESSING

Personal data shall be:

  1. collected and processed for a specific, lawful, and legitimate purpose consented to by the Data Subject (i.e. the owner of the data being collected and processed);
  2. adequate, accurate, and respectful of the dignity of the human person;
  3. stored only for the period within which it is reasonably needed;
  4. secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulation of any kind, damage by rain, fire, or exposure to other natural elements.

Any person entrusted with the Personal Data of a Data Subject or who has the Personal Data of a Data Subject owes a duty of care to the said Data Subject and shall be accountable for his acts and omissions in respect of data processing.

  2. LAWFUL PROCESSING

The data processing shall be lawful if at least one of the following applies:

  1. the Data Subject has given consent to the processing of his or her Data for one or more specific purposes;
  2. processing is necessary for the performance of a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject;
  4. processing is necessary to protect the vital interests of the Data Subject or another natural person; and
  5. processing is necessary for the performance of a task carried out in the public interest.

  3. PROCURING CONSENT

No data shall be obtained unless the specific purpose of collection is made known to the Data Subject.

The consent of a Data Subject must be obtained without fraud, coercion, or undue influence; the Data Subject must also be legally capable of giving consent.

Where the Data Subject's consent is given in writing, the request for consent shall be presented in an intelligible and easily accessible form, using clear and plain language.

Also, the Data Subject shall be informed of his right to withdraw his consent at any time, and of the method for doing so. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Any part of the declaration that constitutes an infringement of this Regulation shall not be binding on the Data Subject.

  4. PUBLICITY AND CLARITY OF PRIVACY POLICY

Any medium through which Personal Data is being collected or processed shall display a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand.

The privacy policy shall, in addition to any other relevant information, contain what constitutes the Data Subject's consent; a description of the collectible personal information; the purpose of collection of Personal Data; and the technical methods used to collect and store personal information (cookies, JWT, among others).

  5. DATA SECURITY

Anyone involved in data processing or the control of data shall develop security measures to protect data. Such measures include but are not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specifically authorized individuals, and employing data encryption technologies.

  6. THIRD-PARTY DATA PROCESSING CONTRACT

Data processing by a third party shall be governed by a written contract between the third party and the Data Controller.

  7. OBJECTIONS BY THE DATA SUBJECT

The right of a Data Subject to object to the processing of his data shall always be safeguarded. A Data Subject shall have the option to object to the processing of Personal Data relating to him which the Data Controller intends to process.

  8. PENALTY FOR DEFAULT

Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to:

  1. in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of a fine of 2% of the Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater;
  2. in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

  9. ADMINISTRATIVE REDRESS PANEL

The Agency shall set up an Administrative Redress Panel to investigate allegations of any breach of the provisions of the Regulation.

The Panel is empowered to invite any party to respond to allegations made against it within seven days.

The Agency shall conclude the investigation and determination of appropriate redress within twenty-eight (28) working days.

CONCLUSION

Data Privacy and Protection are integral to securing the personal data of citizens. It is the responsibility of data controllers and data processors to secure data by ensuring adequate cyber and information security controls.

The NITDA Regulation is a laudable attempt by the Government to protect the personal data of citizens.
