The Scope of Data Protection Legislation In Nigeria

In Nigeria the principal legislation for the regulation of data protection is the Nigeria Data Protection Act 2023 (“NDPA”) which was signed into law by President Bola Ahmed Tinubu on 14 June 2023. The provisions of the NDPA is regulated and enforced by The Nigeria Data Protection Commission (“NDPC”), which is the body responsible for the administration of all data protection matters in Nigeria.

Data protection generally, is the safeguarding and protection of sensitive important information from corruption, damage, compromise or loss.

Various sectors in Nigeria have specific laws, regulations and guidelines with an impact on data protection in Nigeria. They include:

  1. The Consumer Code of Practice Regulations 2007 (“NCC Regulations, 2007”) published by the Nigerian Communications Commission (“NCC”).
  2. The Registration of Telephone Subscribers Regulations 2011, published by the NCC.
  3. The Consumer Protection Regulations 2020, issued by the Central Bank of Nigeria (“CBN”), Nigeria’s apex bank.
  4. The Lawful Interception of Communications Regulations, 2019 which was issued by the NCC.
  5. The Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020, issued by the NITDA.
  6. The Official Secrets Act 1962.
  7. The CBN Guidelines on Point of Sale Card Acceptance Services 2011.
  8. The CBN Regulatory Framework for Bank Verification Number Operations and Watch-List for the Nigerian Banking Industry 2017.
  9. The NITDA Guidelines for Nigerian Content Development in Information and Communication Technology 2019 (as amended).
  10. The Credit Reporting Act 2017.

The NDPA also applies to businesses established in other countries where the businesses are involved in the processing of the Personal Data of Data Subjects in Nigeria. Section 2(2) of the NDPA.

Personal Data as defined by the Nigeria Data Protection Act (“NDPA”), is referred to as any information relating to an individual, who can be identified or is identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that individual.

Some Key principles on personal data processing as provided by the NDPA include:

  • Transparency: Personal Data shall be processed in a fair, lawful and transparent manner.  
  • Lawful basis for processing: There must be lawful bases for the processing of Personal Data
  • Purpose limitation: That a Data Controller or Data Processor shall ensure that Personal Data is collected for specified, explicit and legitimate purposes, and not to be further processed in a way that is incompatible with these purposes.
  • Data minimization: A Data Controllers or Data Processors must ensure that Personal Data is adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed.
  • Proportionality: Personal Data must be in proportion for the purpose for which it was collected.
  • Retention: A Data Controller or Data Processor shall ensure that Personal Data is retained for not longer than is necessary to achieve the lawful bases for which the Personal Data was collected or further processed. 
  • Data Security: A Data Controller or Data Processor shall ensure that Personal Data is processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach. 
  • Accountability: A Data Controller or Data Processor owes a duty of care, in respect of data processing, and shall demonstrate accountability, in respect of the principles contained in the NDPA.

Registration of Businesses with NDPC

The NDPA, requires Data Controllers and Data Processors of Major Importance to register with the NDPC. Businesses who are Data Controllers or Data Processors of Major Importance are required to register with the NDPC.  The NDPA defines a “Data Controller or Data Processor of Major Importance” as a Data Controller or Data Processor that is domiciled, resident in, or operating in Nigeria and processes or intends to process Personal Data of more than such number of data subjects who are within Nigeria, as the NDPC may prescribe, or such other class of Data Controller or Data Processor that is processing Personal Data of particular value or significance to the economy, society or security of Nigeria as the NDPC may designate. 

Registration requirements for Data Controllers and Data Processors of Major Importance with the NDPC:

  1. the name and address of the Data Controller or Data Processor, and the name and address of the Data Protection Officer (“DPO”) of the Data Controller or Data Processor;
  2.  the description of Personal Data and the categories and number of Data Subjects to which the Personal Data relate;
  3. the purposes for which Personal Data is processed;
  4. the categories of recipients to whom the Data Controller or Data Processor intends or is likely to disclose Personal Data;
  5. the name and address of any representative of any Data Processor operating directly or indirectly on its behalf; 
  6. the country to which the Data Controller or Data Processor intends, directly or indirectly to transfer the Personal Data;
  7. a general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the Personal Data; and
  8. any other information required by the NDPC.

Sanctions for failure to register with the NDPC

The NDPA provide for sanctions under Sections 48 and 49 of the Act for failure to register with the NDPC:

  1. in the case of a Data Controller or Data Processor of Major Importance, the payment of a fine of 2% of the organisation’s annual gross revenue of the preceding year or the payment of the sum of 10 million Naira, whichever is greater; and
  2. in the case of a Data Controller or Data Processor not of Major Importance, the payment of a fine representing 2% of the organisation’s annual gross revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

By Adeola Oyinlade & Co

Adeola Oyinlade & Co provides help and offers advisory to clients on data protection in Nigeria.

Need help? Kindly contact us using the details below:

Email: info@adeolaoyinlade.com

Mobile: +234 803 826 7683 / +234 802 686 0247

× Need help? Available on SundayMondayTuesdayWednesdayThursdayFridaySaturday