August 6, 2019
With the recent cybersecurity breaches involving major companies such as Google, which was slammed with a fine of £44 million and British Airways, which is currently facing a record fine of £183million in the United Kingdom (UK), the Nigerian Information Technology Development Agency (NITDA) is currently pushing hard on the agenda to ensure protection of data privacy in Nigeria.
The Nigerian Data Protection Regulations (NDPR) which was released in January 2019, has introduced major compliance obligations on Nigerian companies across all sectors, which include audit checks, publication of data protection policies, filing of audit reports amongst others, and also severe penalties for its breach.
Recently, the NITDA commenced investigations on some identified data controllers for alleged breach of the NDPR. The NITDA initially set a 25 July deadline for Companies to file their initial data protection audit report. However, after consultations with industry stakeholders, the Agency announced a three-month extension (which will elapse on 25 October 2019) for Data Controllers to conduct relevant data protection audits and file their initial audit reports.
In the light of these recent events, personal data protection and privacy has become a burning issue for a number of stakeholders. Therefore, this Article examines the NDPR provisions and other data protection and privacy developments in the international scene.
i . Background
On 25 January 2019, the NITDA issued the NDPR pursuant to its powers under the NITDA Act. The Regulations introduce a new data protection framework with novel compliance requirements for organizations that deal with the data of individuals. The objectives of the Regulations include, inter alia, safe guarding the rights of natural persons to data privacy, preventing manipulation of personal data and fostering the safe conduct of transactions involving exchange of personal data. The Regulations also seek to enhance the competitiveness of Nigerian companies in international trade through the safeguards that are in line with global best practices.
The NDPR applies to all transactions intended for the processing of personal data of natural persons residing in Nigeria or Nigerian citizens residing in foreign jurisdictions. Based on the NDPR, data processing includes the collection, recording, storage, retrieval, use, disclosure, transmission, erasure and destruction of personal data.
The NDPR also specifically confers certain rights on persons that provide their personal data i.e. Data Subjects. These include the right to information about their personal data, right to access their personal data, right of rectification of their information, right to withdraw consent, right to object, right to data portability and right to be forgotten.