July 31, 2019
The National Information Technology Development Agency (NITDA) has granted a three-month extension to Data Controllers and Processors (organizations and entities that collect and process personal data of individuals) to conduct a data protection audit and file their initial audit report with the NITDA. The NITDA also disclosed that the extension does not limit its right to investigate data breaches and take enforcement action against non-compliant Data Controllers.
On 25 January 2019, the NITDA issued the Nigerian Data Protection Regulation (NDPR) to regulate and impose penalties on Data Controllers and Processors for the protection of privacy rights of individuals. Article 4.1(5) of the NDPR mandates Data Controllers to submit an initial audit report within six months of issuance of the Regulation.
The six-month deadline for filing an initial audit report ended on 25 July 2019, with several Data Controllers appealing to the NITDA for an extension of time to meet the filing obligation. The NITDA, after consultations with industry stakeholders, has announced a three-month extension for Data Controllers to conduct relevant data protection audits and file their initial audit reports. According to a press statement released by the Director General (DG) of the NITDA, the extension period will elapse on 25 October 2019.
The DG also noted that the extension of time is for the purpose of filing audit reports by Data Controllers and does not limit the NITDA’s right to investigate and enforce other allegations of breach of data privacy rights made against any Data Controller or Processor, pursuant to the NDPR and the NITDA Act.
The extension of time to conduct a data protection audit and file the audit report with the NITDA gives Data Controllers and Processors who are yet to comply with the regulatory obligation an additional grace period to make amends.
However, the NITDA has specifically indicated its resolution to continue to investigate and enforce the provisions of the NDPR, regardless of the extension. This suggests that the NITDA might sanction non-compliant Data Controllers found to be in breach of the NDPR notwithstanding the extension of time given specifically for filing of audit reports.
In this regard, it is imperative for non-compliant Data Controllers or Processors to take advantage of the extension and engage an approved Data Protection Compliance Organization to conduct a data protection audit on their organization and ensure they are compliant with the NDPR. Failure to do so will expose such non-compliant Data Controllers or Processors to stringent liabilities as indicated in the NDPR and NITDA Act.