Introduction
Data protection has emerged as a paramount concern for businesses globally in an increasingly digital world. For entrepreneurs in Nigeria, grasping the intricacies of data protection laws is not merely a regulatory obligation but a critical component of sustainable business practice. The landscape of data privacy in Nigeria has evolved significantly in recent years, particularly with the enactment of the Nigeria Data Protection Act 2023. The Act aims to safeguard personal data and ensure that businesses handle such information responsibly. However, navigating these laws can be complex for business owners unfamiliar with legal jargon and compliance measures. This article seeks to demystify data protection laws in Nigeria, outlining essential guidelines that every business owner must understand to not only comply with these regulations but also to foster trust with customers and enhance their organizational reputation in an age where data breaches can have far-reaching consequences.
Overview of Nigeria’s Data Protection Framework
In Nigeria, data privacy is predicated on the individual’s right to privacy and personal life. Section 37 of the 1999 Constitution of the Federal Republic of Nigeria provides that “the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications is hereby guaranteed and protected”. Despite its pride of place in the Constitution, this right long received little legislative attention, even as computer systems came to track our calls, spending, medical histories, and more. Personal data is now a commodity that can be owned, transferred, and traded for value. Many people fear the loss of their privacy in a computerised world, and the individuals to whom such information relates (the data subjects) therefore have a right to control its collection, storage, and use. The aim of data protection law is to keep such information private and to regulate its use.
The Nigeria Data Protection Act (NDPA) was signed into law in June 2023 after passage by the National Assembly. The Act establishes the Nigeria Data Protection Commission (NDPC) and its Governing Council. The NDPC’s primary responsibility is enforcing the NDPA and the regulations made under it. Its other functions include creating awareness of data privacy, regulating the handling and processing of personal data, investigating data breaches, registering data controllers and data processors of major importance, and licensing Data Protection Compliance Organisations (DPCOs), the bodies that provide audit and compliance services to businesses.
Practical Considerations for Businesses to Ensure Compliance
Before commencing business in Nigeria, businesses and startups need to understand and comply with the Nigeria Data Protection Act (NDPA) and the regulations, guidance notices and directives issued by the Nigeria Data Protection Commission (NDPC). Key aspects include:
- Conducting a Data Mapping and Classification Exercise: Before collecting and processing data, businesses are advised to conduct a thorough data mapping exercise that records what personal data they collect, where it comes from, where it is stored, who can access it, who it is shared with and on what lawful basis it is processed, and then to classify that data by sensitivity. The resulting inventory underpins every other obligation below: a business cannot obtain valid consent, honour a deletion request or notify the right people after a breach if it does not know what data it holds and where.
- Consent: Wherever consent is the lawful basis relied on, startups must obtain valid consent from data subjects at the point of data collection. Under the NDPA, consent must be freely given, specific, informed and unambiguous, and must be signified by a clear affirmative action, such as ticking an unticked “opt-in” box. Consent cannot be implied from silence, pre-ticked boxes or inactivity, and the data controller must be able to demonstrate that it was obtained. Valid consent is also a key safeguard before a data controller makes a decision based solely on automated processing that produces legal effects concerning, or similarly significantly affects, the data subject.
- Compliance Audit: Startups that meet the NDPC’s thresholds are required to conduct a yearly data protection compliance audit and file the resulting returns with the NDPC, demonstrating adherence to the NDPA and the NDPC’s guidance notices.
- Developing a Data Protection Policy: Startups are expected to develop a comprehensive data protection policy that outlines how the business handles personal data, including its collection, processing, storage, retention and sharing practices. The policy should also set out the data security measures in place, how data subjects can exercise their rights, and the security standards the business commits to, so that staff, customers and regulators can see what the company has undertaken to do with the data it holds.
- Data Protection Impact Assessment (DPIA): Before embarking on processing that is likely to result in high risk to data subjects, startups are required to conduct a DPIA to identify and mitigate those risks. Processing is typically treated as high risk where it involves: a) evaluation or scoring (profiling); b) automated decision-making with legal or similarly significant effect; c) systematic monitoring; d) sensitive personal data; e) vulnerable data subjects, such as children; or f) the deployment of innovative processes or new technological or organisational solutions.
- Appointing a Data Protection Officer (DPO): A DPO oversees the data protection activities of the company, ensures compliance, and acts as the point of contact for data subjects and the NDPC. A DPO is not mandatory for every organisation, but having one is beneficial for accountability and the proactive management of data-related issues. The NDPA does mandate a DPO for data controllers and processors of major importance, and the NDPC’s thresholds treat an organisation as one where: (a) its core activities involve processing the personal data of over 10,000 (ten thousand) data subjects per annum; (b) it processes sensitive personal data in the regular course of its business; or (c) it possesses critical national information infrastructure (as defined under the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 or any amendment thereto) consisting of personal data. Where the Nigerian company is a subsidiary of an international company, a DPO based in Nigeria is to be appointed and must be given full access to the international company’s data management system.
- Third-Party Risk Management: Businesses that engage third parties to process personal data must put a written data processing agreement in place. Its clauses must restrict the third party to processing only the data, and only for the purposes, that are expressly authorised, and must preserve the disclosing party’s rights to access, rectify and delete the data. Startups are encouraged to have lawyers draft or review such agreements for compliance with the NDPA and other local laws.
- Implementing Data Security Measures: Protecting personal data requires technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, pseudonymisation where full identifiers are not needed, role-based access controls with logging of who accessed what, regular security audits and testing, and staff training on data protection practices. The annual compliance audit described above must be carried out through a licensed Data Protection Compliance Organisation (DPCO), which files the audit returns with the NDPC (the Commission has taken over this function from NITDA, which administered the earlier Nigeria Data Protection Regulation).
- Establishing a Data Breach Response Plan: A clear, rehearsed response plan for personal data breaches is essential for startups. Under the NDPA, a data processor must notify the data controller of a breach without delay, and the data controller must notify the NDPC within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of data subjects (NDPA s. 40(2)). Where the breach is likely to result in high risk, the affected data subjects must also be informed without undue delay, in plain language, with advice on how to protect themselves. An official report should also be submitted to the Nigeria Computer Emergency Response Team (ngCERT) within seven days of the breach. In practice the plan should fix in advance who declares an incident, how logs and other evidence are preserved, who drafts the notifications and how the affected systems and data categories are identified, so that the 72-hour window is not spent working this out.
- Regularly Review and Update Practices: Data protection is an ongoing process, and businesses must regularly review their data protection practices to keep pace with evolving regulations, changes in their own processing, and emerging risks.
- Ensuring Adequate Training and Awareness: Startups should conduct regular training for their employees on data protection principles and NDPA requirements.
Conclusion
Understanding Nigeria’s data privacy landscape requires a clear grasp of the NDPA and strict adherence to the guidelines issued by the NDPC. Compliance is not just a legal necessity but a strategic advantage that helps startups build customer satisfaction, trust, and a competitive edge in the digital marketplace. Startups, in particular, should consider consulting experienced law firms to streamline their data protection processes and ensure compliance. Millennium Attorneys offers expert guidance to help startups navigate the complexities of data protection laws, enabling them to operate securely and responsibly.
References:
- Lexworth Legal, “An Overview of Data Privacy and Protection in Nigeria” (lexworthlegal.com)
- Berkeley LP, “Data Privacy Laws in Nigeria” (berkeleylp.com/insights)
- Classic Attorneys, “Data Privacy Regulation for Businesses in Nigeria” (classic-attorneys.com)
- DLA Piper, “Data Protection Laws of the World” (https://www.dlapiperdataprotection.com)
- Mondaq, “An Overview of the Exemptions and Derogation on Data Privacy Rights in Nigeria” (mondaq.com/nigeria/privacy-protection)
- Afrikan Heroes, “Data Protection: What Startups in Nigeria Must Do to Be Data Privacy Compliant” (https://afrikanheroes.com/2021/06/02/data-protection-what-startups-in-nigeria-must-do-to-be-data-privacy-compliant)
- Digital Guardian, “What Is Data Auditing, Why You Need It, and How to Conduct It” (https://www.digitalguardian.com/blog/what-data-auditing-why-you-need-it-how-conduct-it)
- Sections 40(2) and 44(3) of the Nigeria Data Protection Act, 2023.