Understanding the Nigerian Data Protection Act of 2023: Key Updates and Comparisons with the National Data Protection Regulation of 2019
- christopherstevens3
- Jan 31
- 11 min read

Overview: The Nigerian Data Protection Act (NDPA) is a significant legislative update that repeals and replaces the Nigeria Data Protection Regulation (NDPR). It aims to strengthen the country’s data protection framework and establish a robust regulatory environment for personal data protection. This article explores the key amendments introduced by the NDPA, the roles of supervisory authorities, legal bases for processing personal data, and other NDPA compliance requirements.
Definitions: The NDPA’s key definitions include:
- Data Controller: An individual, private entity, public commission or agency, or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processor: An individual, private entity, public authority, or any other body who or which processes personal data on behalf of, or at the direction of, a data controller or another data processor.
- Personal Data: Any information that relates to an identified or identifiable individual. This includes any data that can be used to identify a natural person directly or indirectly, such as names, identification numbers, or other unique identifiers.
- Sensitive Personal Data: A special category of personal data that includes data on racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation, trade union membership, genetic/biometric data, and any other data that could pose a significant risk to the individual’s rights and freedoms if misused.
Applicability and Territorial Scope: The NDPA has broad applicability and territorial scope:
- Entities within Nigeria: The NDPA applies to any organization operating within Nigeria, regardless of whether the data processing takes place digitally or physically.
- Entities outside of Nigeria processing data of Nigerian residents, if:
  - They offer goods or services to individuals in Nigeria, or
  - They monitor the behaviors of individuals in Nigeria.
Exceptions and Exemptions: The NDPA includes exceptions and exemptions regarding its applicability. These include:
- Exceptions (situations where the NDPA does not apply): There are cases where the NDPA does not apply at all, meaning the law is not triggered for certain types of processing.
  - Household or personal use: If an individual processes personal data strictly for personal or household activities, the NDPA does not apply.
  - Non-personal data: The NDPA applies only to personal data, so anonymized or aggregated data is excluded from its scope.
- Exemptions (situations where some NDPA provisions do not apply): These exemptions allow certain organizations or activities to bypass specific NDPA obligations while still being subject to other aspects of the Act.
  - Law enforcement, national security, and intelligence agencies: These entities may be exempt from specific obligations when processing personal data for crime prevention, investigations, or national security.
  - Journalistic, academic, artistic, and research purposes: Some NDPA provisions, such as restrictions on processing, may not fully apply if the processing is done in the public interest.
  - Other regulatory exemptions: The NDPC can grant sector-specific exemptions through regulations.
Key Amendments from NDPR to NDPA
| Aspect | NDPR | NDPA |
| --- | --- | --- |
| Legal Status | Regulation under NITDA guidelines | Comprehensive legislation |
| Supervisory Authority | Oversight by NITDA | Nigerian Data Protection Commission (NDPC) |
| Data Protection Board | Not established | Nigerian Data Protection Board introduced |
| Fines and Penalties | Limited guidance on penalties | Clear fine structures and enforcement |
| Data Transfer | Vague on cross-border requirements | Explicit rules for cross-border transfers |
| Security Measures | General best practices | Mandatory data protection assessments |
Supervisory Authority: Nigerian Data Protection Commission (NDPC): The NDPC replaces NITDA as the primary supervisory authority for enforcing the NDPA. Key responsibilities include:
- Monitoring compliance with the NDPA.
- Investigating complaints and conducting audits.
- Issuing guidelines and codes of practice.
- Imposing administrative fines and penalties.
Nigerian Data Protection Board (NDPB): The NDPB acts as the governing body overseeing the NDPC. Its primary roles include:
- Advising on data protection policies.
- Reviewing annual reports on data protection activities.
- Assisting in drafting regulations and guidelines.
Legal Bases for Processing Personal Data: The NDPA introduces six legal bases for processing personal data:
- Consent of the data subject.
- Performance of a contract.
- Compliance with legal obligations.
- Protection of vital interests.
- Performance of a task in the public interest.
- Legitimate interests of the data controller, unless overridden by data subject rights.
Key NDPA Notice Requirements: The NDPA requires data controllers and data processors to provide clear and accessible notice to individuals at or before the point of collecting their personal data. This requirement ensures transparency and helps individuals understand how their data will be used. The requirements include:
- Timing of Notice:
  - Notice must be provided at or before the point of data collection.
  - If data is collected from a third party, notice must be given within a reasonable period after obtaining the data.
- Content of the Notice: Organizations must inform individuals of the following:
  - Identity and contact details of the data controller (the organization collecting the data).
  - Purpose for collecting and processing the data.
  - Legal basis for processing (e.g., consent, contractual necessity, legal obligation).
  - Categories of personal data being collected.
  - Recipients or third parties who may receive the data.
  - Retention period (how long the data will be kept).
  - Data subject rights, including access, correction, deletion, and objection.
  - Right to withdraw consent (if consent is the basis for processing).
  - Complaint process (how individuals can report concerns to the Nigeria Data Protection Commission (NDPC)).
  - International data transfers (if data will be transferred outside Nigeria, with safeguards in place).
- Clarity and Accessibility:
  - Notices must be concise, transparent, and easy to understand.
  - Use plain language (especially for children or vulnerable individuals).
  - Notices must be available in a written, electronic, or other accessible format.
- Exceptions to Providing Notice: Organizations may not be required to provide notice if:
  - The individual already has the required information.
  - Providing notice is impossible or requires disproportionate effort (e.g., large-scale public data collection).
  - Providing notice would compromise national security, crime prevention, or regulatory compliance.
Consent Provisions: The NDPA outlines consent provisions to ensure that individuals have control over their personal data. The key consent requirements include:
- Lawful Basis for Processing: Consent must be freely given, specific, informed, and unambiguous before an organization can process personal data, except where another lawful basis applies (e.g., legal obligation, contract performance, public interest).
- Explicit Consent for Sensitive Personal Data: The processing of sensitive personal data (e.g., health, biometric, or religious data) requires explicit consent from the data subject unless an exception applies, such as public interest or legal compliance.
- Consent Withdrawal:
  - Data subjects can withdraw their consent at any time, and organizations must ensure that withdrawing consent is as easy as giving it.
  - Once consent is withdrawn, processing must stop unless another legal basis justifies it.
- Clear and Accessible Information: Organizations must provide clear, plain-language explanations of:
  - Why they are collecting data.
  - How it will be used.
  - Who it will be shared with.
  - The data subject’s rights regarding their data.
- No Forced or Implied Consent:
  - Consent cannot be bundled with other services or made a condition for accessing a product or service unless necessary.
  - Silence, inactivity, or pre-ticked boxes do not constitute valid consent.
Rights and Freedoms of Data Subjects: The NDPA strengthens individual rights, ensuring greater transparency and control over personal data. Key rights include:
- Right to access and obtain copies of personal data.
- Right to rectification of inaccurate or incomplete data.
- Right to erasure (the ‘right to be forgotten’).
- Right to restrict processing.
- Right to data portability.
- Right to object to processing, especially for marketing purposes.
- Right to withdraw consent at any time.
- Right to lodge complaints with the NDPC.
Data Subject Representation and Appeals: Data subjects have the following rights:
- Representation: Data subjects have the right to appoint legal representatives, such as legal professionals, advocacy groups, or other authorized entities, to act on their behalf in exercising their data protection rights or filing complaints with the NDPC.
- Appeals Process: If a data subject is dissatisfied with a decision by the NDPC or feels their complaint has not been adequately addressed:
  - They can formally request a review of the decision by the NDPC.
  - If still dissatisfied, they can escalate the matter to the Nigerian judiciary under procedures specified in the NDPA.
  - Appeals must include supporting documentation, evidence of the complaint, and any prior correspondence with the NDPC.
- Support for Vulnerable Data Subjects: The NDPA provides mechanisms to support vulnerable individuals (e.g., minors or individuals with disabilities) in exercising their rights through representation or third-party assistance.
Obligations of Data Controllers and Data Processors: Data controllers and data processors must satisfy the following NDPA compliance requirements. They must demonstrate the ability to comply with the NDPA’s data protection principles by demonstrating a “duty of care.”
- Data Controllers:
  - Must ensure data is processed lawfully, fairly, and transparently.
  - Maintain records of processing activities.
  - Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
  - Respond to data subject requests within one month of receiving the request.
  - Notify data subjects of any extensions within the initial one-month period, providing reasons and the expected timeline for completion (up to an additional two months for complex requests).
  - Enter into legally binding agreements with data processors that outline their roles and obligations.
  - Ensure that data retention policies align with the NDPA’s data minimization principles, retaining personal data only for as long as necessary for the purpose of processing.
  - Provide transparent and easily accessible privacy notices detailing the purpose of data processing, the categories of data collected, and the rights of data subjects.
- Data Processors:
  - Process data only on instructions from controllers.
  - Implement appropriate security measures.
  - Notify controllers of any data breaches promptly.
  - Maintain detailed records of all categories of processing activities carried out on behalf of controllers.
  - Cooperate with the NDPC during audits or investigations and provide necessary documentation.
Mandatory Provisions in Contracts Between Controllers and Processors: Controller–processor agreements must include the following provisions:
- Processing Instructions: Data processors must only process personal data on documented instructions from the controller.
- Confidentiality: The processor must ensure that any personnel involved in data processing maintain strict confidentiality.
- Security Measures: Processors are required to implement appropriate technical and organizational measures to ensure data security and prevent breaches.
- Sub-Processing:
  - Processors must seek prior written authorization from the controller before engaging sub-processors.
  - Contracts with sub-processors must mirror the obligations set by the controller.
- Data Breach Notifications: The processor is obligated to notify the controller promptly in the event of a data breach.
- Data Deletion or Return: Upon completion of processing services or termination of the agreement, processors must either delete or return all personal data, as instructed by the controller.
- Audits and Inspections: The controller has the right to conduct audits or inspections to verify the processor’s compliance with the agreement and the NDPA.
- Assistance with Data Subject Rights: Processors must assist controllers in responding to data subject requests (e.g., access, erasure, rectification) and in fulfilling other compliance obligations under the NDPA.
- Accountability for Transfers: Processors must comply with cross-border transfer requirements when transferring data internationally, ensuring adequate safeguards are in place.
Data Controllers and Data Processors of “Major Importance”: The NDPA refers to “Data Controllers and Data Processors of Major Importance” (DCMI / DPMI) as organizations that handle significant volumes of personal data or engage in high-risk data processing activities. These entities have stricter compliance obligations than other data controllers and data processors.
- Definition of and Criteria for DCMI or DPMI: The NDPC designates an organization as a DCMI or a DPMI based on factors such as:
  - Volume of Data Processed: Organizations processing large-scale personal data (e.g., banks, telecoms, health institutions, and large tech firms).
  - Sensitivity of Data: Entities handling sensitive personal data (e.g., biometric, health, financial, or children’s data).
  - Impact on Individuals: Organizations whose data processing could significantly impact individuals’ rights and freedoms.
  - Public Interest: Companies processing personal data that affects national security, economic stability, or public safety.
- Additional Compliance Obligations for DCMI / DPMI: Entities designated as a DCMI or a DPMI must:
  - Register with the NDPC and submit annual compliance audits.
  - Appoint a Data Protection Officer to oversee compliance.
  - Conduct a DPIA for high-risk processing activities.
  - Implement enhanced security measures to protect personal data.
Audit Compliance Obligations: The NDPA includes specific audit requirements for organizations that process personal data. These requirements help ensure compliance with the NDPA’s data protection principles and regulatory standards. The key NDPA audit obligations include:
- Mandatory Data Protection Compliance Audit: Organizations classified as DCMIs or DPMIs must conduct annual audits to assess their NDPA compliance.
- NDPC Audit Submissions: Entities required to conduct audits must submit their data protection compliance audit reports to the NDPC within a specific timeframe.
- Audit Report Contents: The report must include:
  - The types and volume of personal data processed.
  - An assessment of data protection risks.
  - Measures implemented to ensure NDPA compliance.
  - Any identified non-compliance issues and the remediation actions taken.
- Licensed Data Protection Compliance Organization (DPCO) Certification: Organizations may be required to engage a DPCO licensed by the NDPC to conduct audits and certify compliance.
- Enforcement and Penalties: Failure to conduct or submit audit reports may result in:
  - Regulatory fines.
  - NDPC compliance directives.
  - Potential reputational damage for non-compliance.
Data Breach Notification Requirements: Data controllers and data processors must satisfy the following NDPA compliance requirements.
- Definition of a Breach: A data breach includes unauthorized access, disclosure, alteration, or destruction of personal data.
- Timeline for Notification:
  - Data controllers must notify the NDPC of a breach within 72 hours of discovering it.
  - If notification cannot be made within this time frame, the controller must provide reasons for the delay and submit the report as soon as possible.
- Details to Include in the Report:
  - Nature of the breach.
  - Categories and approximate number of affected individuals and records.
  - Likely consequences of the breach.
  - Measures taken or proposed to address the breach.
  - Contact details of the designated point of contact for further information.
- Notification to Data Subjects:
  - Data subjects must be notified promptly if the breach poses a high risk to their rights and freedoms.
  - Notifications must be clear and in accessible language, detailing the nature of the breach and advice for mitigating risks (e.g., password changes or monitoring accounts).
Reporting Data Breaches: The NDPA has the following data breach reporting requirements:
- Reporting to the NDPC:
  - Breaches must be reported through the NDPC’s designated online portal or official email channels.
  - Follow-up updates may be required if the initial report does not contain all necessary details.
- Record-Keeping: Data controllers and processors must maintain a breach register, documenting all breaches regardless of their severity.
- NDPC’s Role: The NDPC evaluates the adequacy of the controller’s response and may require further remedial actions if necessary.
- Follow-Up Actions: Organizations may be asked to provide evidence of corrective measures or preventive actions to avoid recurrence.
Cross-Border Data Transfer Requirements: The NDPA provides specific guidelines for cross-border data transfers:
- Standard Contractual Clauses (SCCs): Contracts containing NDPC-approved provisions must be used to ensure data protection in the receiving country.
- Binding Corporate Rules (BCRs): Multinational organizations can adopt NDPC-approved internal policies for intra-group data transfers.
- Derogations: Transfers can occur without SCCs or BCRs if:
  - Explicit consent is obtained from the data subject.
  - The transfer is necessary for the performance of a contract.
  - It is required for important reasons of public interest.
  - It is essential for legal claims or defense.
  - The transfer is necessary to protect the vital interests of the data subject.
- Adequate Safeguards: Other measures, such as codes of conduct or certification mechanisms approved by the NDPC, can also be used to ensure data protection.
Data Protection Impact Assessments (DPIAs): The NDPA has the following DPIA requirements for data controllers. Data controllers must conduct DPIAs for:
- Processing activities that involve large-scale sensitive data.
- Systematic monitoring of public spaces.
- Innovative uses of technologies with privacy implications.
Note: Data
Additional DPIA Requirements Under the NDPA: These include:
- Threshold for Mandatory DPIAs:
  - DPIAs are required for processing activities likely to result in a high risk to data subject rights and freedoms.
  - Examples include automated decision-making, large-scale sensitive data processing, or innovative technologies.
- Comprehensive Risk Analysis: The DPIA must assess:
  - The nature, scope, and purpose of processing.
  - Potential risks to data subjects.
  - Mitigation measures to reduce or eliminate risks.
- Documentation and Approval:
  - Controllers must document the entire DPIA process.
  - If a high risk remains after mitigation, controllers must consult the NDPC before proceeding.
- Stakeholder Involvement: Data subjects or their representatives may need to be consulted during DPIA preparation where appropriate.
- Periodic Reviews: DPIAs must be reviewed regularly, especially if processing activities or associated risks change.
Security Requirements: The NDPA mandates the implementation of:
- Encryption and pseudonymization for personal data.
- Regular security assessments.
- Incident response plans to address data breaches.
- Advanced Encryption Standards: Personal data must be encrypted in transit and at rest to protect confidentiality.
- Access Control Measures: Robust access control mechanisms must be implemented to ensure only authorized personnel access sensitive data.
- Incident Monitoring: Organizations are required to continuously monitor systems for security breaches or anomalies.
- Periodic Security Audits: Controllers and processors must conduct frequent security audits to identify vulnerabilities and implement corrective measures.
Fines and Penalties: The NDPA introduces clear penalties for non-compliance:
- Up to 2% of global annual turnover or ₦20 million (whichever is higher) for serious violations.
- Lesser fines for minor violations or corrective actions.
Questions: Companies that must comply with the NDPA might ask the following questions:
- Have we conducted a gap analysis to identify areas where our current data practices do not align with the NDPA?
- Are our data processing activities documented, and do we maintain proper records as required by the NDPA?
- Do we have a data breach response plan, and are we prepared to report incidents to the Nigeria Data Protection Commission (NDPC) within the required timeframe?
Conclusion: The NDPA signifies a major leap forward for Nigeria’s data privacy landscape. By establishing comprehensive guidelines and strengthening enforcement mechanisms, the NDPA ensures better protection for individuals and greater accountability for organizations. Its emphasis on transparency, individual rights, and security highlights Nigeria’s commitment to fostering a robust data protection ecosystem.