On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”).
Key elements of the Regulation include:
- Application: The Regulation applies to all residents of Nigeria, all citizens of Nigeria residing outside of Nigeria and all organizations processing personal data of such individuals.
- Data Processing Principles: Personal data may only be processed if at least one of five legal bases are met: (1) the data subject provides consent, or if the processing is necessary; (2) for the performance of a contract; (3) to meet a legal obligation; (4) to protect the vital interests of the data subject; or (5) for the performance of a task carried out in the public interest.
- Consent: There are specific requirements for obtaining consent.
- Data Security: Organizations must develop security measures to protect personal data, including setting up firewalls, implementing access controls, encrypting personal data, and developing internal policies for handling personal data.
- Third-Party Contracts: A data controller must enter into a written contract with any third-party processing data on its behalf that requires adherence to the Regulation.
- Data Subject Rights: Data subjects have the right to: (1) object to the processing of their personal data for marketing purposes; (2) access their personal data (and have their personal data transferred to another data controller where feasible); (3) obtain information about the processing of their personal data; (4) have their personal data deleted (where certain criteria are met); (5) have their personal data corrected; (6) restrict the processing of their personal data (where certain criteria are met); (7) withdraw consent to the processing of their personal data; and (8) lodge a complaint with the NITDA or another relevant regulator.
- Data Transfers: Transfers of personal data out of Nigeria may take place only if certain specified criteria are met.
- Transparency: Within three months of the issuance of the Regulation, all public and private organizations in Nigeria that process personal data must make available to the general public their data protection policies, which must comply with the Regulation.
- Appointment of a DPO: Every data controller must designate a Data Protection Officer (“DPO”) to ensure compliance with the Regulation.
- Privacy and Data Protection Audit: Within six months of the issuance of the Regulation, each organization subject to the Regulation must conduct a detailed audit of its privacy and data protection practices, in compliance with the requirements of the Regulation.
- Data controllers who processed the personal data of more than 1,000 data subjects in a six-month period must provide a soft copy of the audit summary to the NITDA.
- Data controllers who processed the personal data of more than 2,000 data subjects within a 12-month period must, not later than the March 15th of the following year, submit a summary of its audit to the NITDA.
- Penalties: The Regulation states that any entity found to be in breach of the privacy rights of any data subject will be liable, in addition to any other criminal liability, for the following:
- For data controllers “dealing with more than 10,000 data subjects,” a fine of 2% of annual gross revenue of the preceding year or 10 million Naira, whichever is greater; or
- For data controllers “dealing with less than 10,000 data subjects,” a fine of 1% or 2 million Naira, whichever is greater.