Technology Times has confirmed that the grace period for organisations to comply with data protection rules that safeguard the privacy of Nigerians expires on October 25.
The Nigeria Data Protection Regulation 2019 that came into force last year requires public and private organisations within the country and beyond holding private data of Nigerians to comply with stringent rules on data privacy protection that is applicable to “all Nigerians within and outside Nigeria.”
The looming deadline comes just as the National Information Technology Development Agency (NITDA) suspended the licensing of new Data Compliance Organisations (DPCOs) responsible for implementing the nation’s data protection rules.
“The Regulation came into effect on 25th January 2019. A major advertorial was carried in four major national dailies between 14th and 15th of February, 2019 to sensitize people on this. The grace period elapsed by 25th of July, 2019 and extended till 25th October, 2019”, according to the statement by the Nigerian IT regulator obtained by Technology Times.
Nigeria’s data protection deadline was extended, NITDA says
With the new data protection rules, the IT regulator hopes to enshrine a new regime of data privacy protection; ensure secure exchange of data; improve the business environment, and create sustainable jobs.
Provision of the data protection rules recognises the “processing” of private data of Nigerians to mean “any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Under the rules, Data Controller “are expected to file their data audit report annually before the 15th of March of the following year.”
NITDA says it “does not accept audit report by non-licensed third-party auditors. The Data Controller may encourage its auditors to obtain the Data Protection Compliance Organisation (DPCO) license or alternatively deal with NITDA licensed DPCOs. Every audit report required under the Regulation must be accompanied by a Verification Statement by a licensed DPCO.”
Meanwhile, Dr. Vincent Olatunji, NITDA’s Director of eGovernment Development and Regulations who announced the suspension of licensing of new DPCOs says that “members of the public are hereby notified that NITDA is no longer collecting application for DPCO licenses until further notice.”
He says that “applicants will be duly informed upon resumption of the application process.”
As of August this year, the IT regulator has licensed 72 DPCOs regarded under the rule as “any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having effect in Nigeria.”
The DPCO ecosystem cuts across Professional Service Consultancy firms, IT Service Providers, Audit firms, and Law firms.
According to NITDA, organisations that run foul of the data protection rules risk:
- i. Breach of personal data by a non-compliant Controller or Processor would attract criminal and administrative sanctions;
- ii. Data Subjects have the right to take civil actions against the Controller on the basis of the NDPR;
- iii. Business implication of non-compliance include brand image damage, loss of customers, restriction from international market opportunity; lack of support from national Supervisory Authority against foreign investigation of breach by an international authority.