The Nigeria Data Protection Act, 2023 has been signed into law by Bola Ahmed Tinubu, the President of Nigeria. The law establishes the Nigeria Data Protection Commission and replaces the Nigeria Data Protection Bureau (NDPB). The Commission will be led by a National Commissioner with the responsibility for regulating the processing of personal information.
The Act establishes a legislative framework for the protection of personal information and data protection practice in Nigeria.
The stakeholders under the Act are:
- (1) Data Subjects,
- (2) Data Controllers,
- (3) Data Processors, and
- (4) the Commission.
Data Subjects and the Nigeria Data Protection Act, 2023
Data subjects are the focus of data privacy regulation globally, and under the Act they gain more control over their personal information. The rights of a data subject are:
• Right to Information: The right to information includes the right to know how one’s personal information is gathered, used, and processed. Information on the objectives, legal justification, and data recipients must be provided by organisations in a clear and transparent manner.
• Right of Access: Individuals have the right to access the personal information about them that organisations have stored. They have the option to seek copies of their data as well as information about what data is being processed and why.
• Right to Rectification: People have the right to ask that any inaccurate or incomplete personal information that organisations may have about them be updated or corrected. The organisation shall swiftly implement the necessary adjustments and, where needed, notify the appropriate third parties.
• Right to Erasure (Right to be Forgotten): When personal information is no longer required, permission is withdrawn, or there are other legal grounds for erasure, data subjects have the right to request that it be deleted or removed.
• Right to Restriction of Processing: Under certain conditions, such as when the data’s accuracy is disputed, the processing is unlawful, or the data is no longer required, individuals have the right to request that certain restrictions be placed on the processing of their personal data.
• Right to Data Portability: Data subjects have the right to obtain their personal information in a format that is machine-readable, frequently used, and structured. If it is technically possible, they can ask for the transfer of their data from one entity to another.
• Right to Object: Individuals have the right to object to the processing of their personal data for direct marketing or based on legitimate interests. Unless an organisation can provide sufficient legitimate grounds for the processing that outweigh the rights of the individual, it must stop processing the data.
• Right not to be Subject to Automated Decision-Making: Data subjects have the right not to be subject to decisions that significantly affect them and are based solely on automated processing, including profiling. They have the right to obtain human intervention, to express their point of view, and to contest the decision.
• Withdrawal of Consent: A data subject has the right to withdraw consent to the processing of their personal information at any time. The data controller must ensure that withdrawing consent is as simple for the data subject as giving it.
Data Controllers and Data Processors:
The Act imposes a range of obligations on data controllers, including the requirement to have a lawful basis (such as the data subject's consent) before processing personal data, to keep personal data secure, and to notify the Commission and, where the breach is likely to result in a high risk to them, the affected data subjects of personal data breaches.
Registration of Data Controllers and Data Processors
• Data controllers and data processors of major importance shall register with the Commission within six months of the commencement of the Act or of becoming a data controller or data processor of major importance.
Obligations of the data controller and data processor
When a data controller engages a data processor, or a data processor engages another data processor, it must take reasonable steps to ensure that the engaged data processor:
• Complies with the principles and obligations that are applicable to the data controller.
• Assists the data controller (or data processor) in fulfilling their obligations to respect the rights of data subjects, using appropriate technical and organisational measures.
• Implements suitable technical and organisational measures to ensure the security, integrity, and confidentiality of personal data.
• Provides the data controller (or data processor) with any necessary information to comply with and demonstrate compliance with this Act.
• Informs the data controller (or data processor) when engaging new data processors.
Data Privacy Impact Assessment (DPIA)
Where the processing of personal data may likely result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context, and purposes, a data controller shall, prior to the processing, carry out a data privacy impact assessment.
Where the data controller is unsure whether the processing meets this high-risk threshold, it should consult the Commission. As a matter of good practice, it is advisable to carry out a DPIA for any new or materially changed processing of personal data.
Basis for cross-border transfer of personal data
Personal data may not be transferred from Nigeria to another country unless the recipient is subject to a law or binding instrument that provides an adequate level of protection, or another condition set out in the Act applies.
Data controllers and data processors must keep records of such transfers and assess the adequacy of protection for the transferred data. The Commission may issue rules and impose additional restrictions based on the type of personal data and the associated risks.
The enforcement measures or sanctions that can be imposed include:
- (a) Requiring the data controller or data processor to rectify the violation.
- (b) Ordering the data controller or data processor to compensate data subjects who have suffered harm or loss due to the violation.
- (c) Directing the data controller or data processor to account for any profits obtained from the violation.
- (d) Imposing a penalty on the data controller or data processor.
Failure to comply with orders can result in fines, imprisonment, or both, depending on the severity of the offence and the status of the data controller or data processor involved.
The penalty may be an amount up to:
- (a) For data controllers or data processors of major importance, the higher maximum amount: the greater of ₦10,000,000 or two percent of the data controller's or data processor's annual gross revenue derived from Nigeria in the preceding financial year.
- (b) For data controllers or data processors other than those of major importance, the standard maximum amount: the greater of ₦2,000,000 or two percent of the data controller's or data processor's annual gross revenue derived from Nigeria in the preceding financial year.
The Nigerian Data Protection Act represents a significant step toward safeguarding privacy rights, fostering trust, and promoting responsible data-driven innovation.