December 28, 2019
The Nigeria Information Technology Development Agency (NITDA) has disclosed its intention to issue non-compliance notices to companies and organizations that have failed to comply with the Nigeria Data Protection Regulation (NDPR), 2019. In a recent public statement, the Desk Officer, e-Government Development and Regulation Department at NITDA revealed that the agency would soon notify the first batch of 100 non-compliant companies. According to the report, the companies on the list include those in the financial technology (Fintech), betting and aviation sectors, among others.
In January 2019, NITDA issued the NDPR to regulate organizations that collect and process personal data of individuals (Data Controllers) as well as sanction non-compliance with the Regulation. The NDPR imposes obligations on Data Controllers to conduct a mandatory data protection audit of their organization and file the audit report with the NITDA through a Data Protection Compliance Organization (DPCO) within six months from the issuance of the NDPR and carry out other obligations. Failure to comply with these obligations attracts penalties of up to 2% of the annual gross revenue of a non-compliant company in addition to other penalties provided under the NITDA Act.
NITDA Grants a 3-month Extension to Data Controllers to File their Initial Data Protection Audit Report.

However, the deadline was extended to 25 October, 2019, following appeals from stakeholders. Since the extension granted by the NITDA, there has been an increased rate of compliance by affected organizations, although the compliance rate is still generally low. In view of this, NITDA has now indicated that it will carry out a nationwide enforcement of the NDPR in order to track compliance and sanction non-compliant companies.
A recent report disclosed that only 94 companies have fully complied with the obligation to carry out the mandatory self-audit, while NITDA has granted 200 organizations an extension to submit the audit, based on requests made by the organizations. The report also disclosed that NITDA is currently investigating five important cases of data breaches and will soon begin to issue notices of non-compliance to major companies and organizations that are yet to file the mandatory data protection audit report.
The protection of the personal data of individuals against abuse and unauthorized use is a contemporary global issue. By the introduction and enforcement of the NDPR and its provisions, NITDA is aligning with this global practice and is showing its commitment to the protection of the data privacy of individuals in Nigeria. Given that the period granted to data controllers to appoint a licensed DPCO to conduct and file their mandatory audit report has elapsed, NITDA would be acting within its powers if it decides to carry out an enforcement action against defaulters without further recourse to them.
Consequently, it is imperative for non-compliant companies and organizations to take immediate steps to forestall enforcement by NITDA and imposition of the sanctions under the NDPR. They should do this by engaging a licensed DPCO to review their data collection and processing activities, and carry out the necessary measures for complying with the NDPR. Companies may also engage with NITDA through their appointed DPCOs to obtain more information about how they can comply with the NDPR and the possibility of getting additional time to comply.