June 19, 2024
By Cybervergent Team

What is NDPA? The overview guide for getting compliance.

On June 12, 2023, years of preparation ended. Across Nigeria, long-planned data protection reforms started to be enforced. President Bola Ahmed Tinubu signed the Nigeria Data Protection Act, 2023, into law. This marked a significant milestone in the country's journey towards developing a comprehensive legislative framework for protecting the personal information of natural persons residing or doing business in Nigeria.

As Nigeria continues to become the tech hub of Africa, large volumes of data are being generated, stored, and processed online. Privacy and data protection have become critical for the Nigerian government. The compelling need to safeguard citizens' privacy and data rights led to a collaboration between the Nigeria Data Protection Bureau ("NDPB" or "the Bureau"), a member of the World Bank Group, and the International Development Association through their Nigeria Digital Identification for Development Project ("NID4D"). This joint effort eventually produced the Bill that became the Data Protection Act.

What is NDPA?

With Nigeria being the most populous nation in Africa and the 6th most populous country in the world, the NDPA (Nigeria Data Protection Bureau) can be considered as having the world's strongest set of data protection rules. These rules enhance how people can access information about themselves and place limits on what organizations can do with personal data. The full text of the NDPA contains 66 individual articles.

The Act regulates the processing of personal data, including the rights of a data subject, data security, and cross-border transfer of personal data. The Act also establishes the Nigeria Data Protection Commission as an independent body to superintend and regulate data protection matters and enforce compliance with the provisions of the Act.

Who does NDPA apply to?

The NDPA applies to any data controller or business that handles the personal data of Nigerians or anyone residing in Nigeria. The NDPA does not apply to the processing of personal data for personal or household purposes.

Data controllers are the main decision-makers who exercise overall control over the purposes and means of processing personal data. The important thing about what constitutes personal data is that it allows a person to be identified. Masked data can still fall under the definition of personal data. Personal data is so important under the NDPA because individuals, organizations, and companies who assume the roles of 'controllers' or 'processors' of personal data are subject to the law.

What are your NDPA rights?

Under the Act, data subjects have the right to obtain confirmation from a data controller or data processor as to whether their data will be stored. Where this is confirmed to be the case, they are entitled to be informed of the following:

  • right to lodge a complaint with the Commission
  • right of access
  • right to rectification
  • right to object to processing
  • right to restrict processing
  • right to data portability
  • right to be forgotten

NDPA Breaches and Fines

The Nigerian Data Protection Act, which was passed in 2015, allows regulators to fine businesses that don't comply with the law. If an organization doesn't process an individual's data in the correct way, it can be fined. Under the NDPA, data controllers or processors that are found to have breached the provisions of the Act may be subject to a fine of N10,000,000 or 2% of their annual gross revenue from the preceding financial year, whichever is greater. Similarly, other data controllers or processors may be liable to pay a fine of N2,000,000 or 2% of their annual gross revenue from the preceding financial year, whichever is greater.

Conclusion 

The Nigeria Data Protection Act (NDPA) is a robust legislative framework designed to protect personal data in Nigeria. Applicable to businesses handling Nigerian citizens' data, it grants individuals rights such as access, rectification, and the right to be forgotten. Non-compliance may result in fines, emphasizing the importance of adherence in the digital age. Stay compliant to secure data and uphold privacy rights.