Written by Dorcas Tsebee and Diana Uzor
After nearly two decades of fragmented legal frameworks and several unsuccessful attempts, Nigeria has successfully enacted its Data Protection Act. Building on the foundations laid by the Nigeria Data Protection Regulation (NDPR) over the past four years, this new Act represents a significant leap forward in Nigeria's data protection landscape. It introduces novel obligations, clears up ambiguous provisions from the NDPR, and provides some degree of certainty. However, it also brings new complexities that organisations must navigate.
This Act signifies the need to revise and update existing processes and privacy programmes for organisations, ensuring alignment with the new law. Here is a roadmap to guide businesses through the essential adjustments that need to be made.
Scope of the law
The Act applies to both automated and non-automated processing of personal data where the data controller or processor is resident in Nigeria, where the processing is carried out in Nigeria, or where the processing is carried out by a controller or processor not resident in Nigeria but processing the personal data of data subjects in Nigeria.
The first step is a comprehensive review of the existing policies and procedures that support the privacy programme. Organisations should identify gaps between their current practices and the new requirements under the Data Protection Act. This step may include revising the data subject rights request procedure, updating data breach response protocols, the content of data processing agreements, and third-party risk management procedures, mapping the old obligations to the relevant provisions of the law.
Organisations could also compare their existing privacy programme against a recognised privacy framework to ensure thorough compliance. This benchmarking process will help identify areas that need improvement, establish a clear path to full compliance, and move the organisation closer to global best practices.
The new Act stresses the importance of protecting children's data, which necessitates implementing robust age verification procedures. This will ensure that data collection processes involving minors are lawful and meet the strict requirements of the Act.
The Act introduces stricter regulations for international data transfers and new transfer mechanisms. While guidance or regulation may be required to clear some of the ambiguities under this provision, organisations must scrutinise their data-sharing practices with overseas partners and ensure safeguards are in place to protect the data when transferred internationally. For example, it is now a requirement to document relevant data transfer mechanisms, which means the record of processing activities must now include information about data transfer mechanisms.
Under the NDPR, a privacy notice was only required where personal data was collected directly from the data subject. Under the Act, where personal data is not collected directly from the data subject, organisations must still notify the individual and provide a privacy notice. This requirement must be incorporated into data collection procedures and may require organisations to reassess how they communicate with data subjects.
With the Act's introduction, organisations must strengthen their data security measures. This includes technical and organisational measures such as more robust encryption, frequent security audits, periodic assessments, regular testing, updating measures to address evolving risks, and continuous staff training. The Act sets out elaborate provisions for the security of personal data, raising the bar for security obligations.
The Act imposes stricter due diligence requirements for managing third-party risk. Organisations should enhance their third-party management processes, ensuring they thoroughly vet their vendors and continuously monitor their compliance with the Act.
Under the NDPR, there was no provision for using 'legitimate interest' as a lawful basis for processing personal data. Additionally, the rules were unclear about how sensitive personal data could be lawfully processed. The regulation only stipulated consent as a lawful basis for processing sensitive personal data, which led to impractical situations when consent was not an appropriate or viable option. The new Act changes this by recognising 'legitimate interest' as a lawful basis for processing personal data. It also provides different lawful bases for processing sensitive personal data. This implies that organisations are now compelled to reassess and modify the lawful bases they rely on for various processing operations. Additionally, they must revise their processing activity documentation by aligning identified purposes with the corresponding lawful basis, ensuring a granular and compliant record of data processing.
The new Act expands the rights of data subjects. Companies should review and adapt their procedures for handling data subject requests to comply with these expanded rights, such as the right to data portability and rights relating to automated decision-making. The Act also provides a broader framework for exercising these rights, including their limitations and exceptions. Consequently, the data subject rights procedure should be reviewed to accommodate the new conditions and exceptions introduced under the Act.
10. Do not stop training
Companies should initiate training programmes rooted in the Act's fresh provisions, enabling employees to grasp the evolving landscape and integrate it into their daily work routines. This may encompass role-specific training for units managing incident responses, marketing, or data subject rights requests, ensuring they stay abreast of the revised regulations and understand how these alterations affect their roles. Compliance with data protection is not a one-off task but an ongoing commitment that necessitates continuous vigilance and updates. By establishing routine training and awareness initiatives, businesses can ensure their employees stay well-informed about the Act's stipulations, reducing the potential for non-compliance.
The enactment of Nigeria's Data Protection Act is a pivotal step towards robust data protection practices. While the Act brings some uncertainty and necessitates extensive changes to organisations' privacy programmes, these changes are also an opportunity to refine data protection practices and build stronger, more trusting relationships with customers, partners, and other stakeholders. It is an investment in the future of Nigeria's digital economy, promising better security, greater trust, and enhanced growth for businesses willing to adapt. By embedding privacy into the heart of business operations, companies can achieve regulatory compliance and gain a competitive edge in today's data-driven world.
As the saying goes, the devil is in the details. The above points serve as a starting point. Organisations should seek professional guidance to navigate this new data protection landscape, ensuring full compliance and seizing the new Act's opportunities.