The Nigeria Data Protection Act (NDPA) is the country’s comprehensive law governing personal data protection. Enacted on June 12, 2023, it regulates the collection, processing, storage, and transfer of personal data. The law aims to safeguard individuals’ privacy rights and ensure organisations adopt responsible data protection practices. It applies to both public and private entities processing personal data within Nigeria or handling the data of Nigerian citizens.
Key Principles of the NDPA
The NDPA is based on internationally recognised data protection principles, which include:
- Lawfulness, Fairness, and Transparency – Personal data must be processed legally and transparently.
- Purpose Limitation – Data must be collected for a specific, lawful purpose and not used beyond that purpose.
- Data Minimisation – Only the necessary personal data should be collected.
- Accuracy – Organisations must ensure that personal data is accurate and kept up to date.
- Storage Limitation – Data should not be kept longer than necessary.
- Integrity and Confidentiality – Organisations must implement security measures to protect data from unauthorised access or loss.
- Accountability – Data controllers must take responsibility for complying with the law.
Rights of Data Subjects Under NDPA
The NDPA grants Nigerian citizens specific rights over their personal data:
- Right to Be Informed – Individuals must be notified when their personal data is collected, including details on how and why it will be used.
- Right to Access – Individuals have the right to request and obtain copies of their personal data held by an organisation.
- Right to Rectification – Data subjects can request corrections to inaccurate or incomplete personal data.
- Right to Object to Processing – Individuals can object to their personal data being processed, particularly for direct marketing or automated decision-making.
- Right to Report to the Supervisory Authority – If an individual believes their data rights have been violated, they can file a complaint with the Nigeria Data Protection Commission (NDPC).
- Right to Restrict Processing – Individuals can request that an organisation temporarily or permanently stop processing their personal data.
- Right to Data Portability – Data subjects can request their personal data be provided in a structured, commonly used format and transferred to another entity.
- Right to Be Forgotten (Erasure) – Individuals can request the deletion of their personal data when it is no longer necessary for the purpose for which it was collected.
- Right Not to Be Subjected to Automated Decision-Making – Individuals have the right to request human intervention in cases where decisions affecting them are made solely based on automated processing, such as profiling.
Obligations of Data Controllers and Processors
Organisations that collect or process personal data must comply with the following obligations:
- Obtain clear and lawful consent from individuals before processing their data.
- Implement adequate security measures to protect data from unauthorised access, breaches, or loss.
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
- Appoint a Data Protection Officer (DPO) where required, especially for large-scale processing.
- Report data breaches to the NDPC and affected individuals within a specified timeframe.
Cross-Border Data Transfers
The NDPA regulates international data transfers to ensure the privacy of Nigerian citizens. Data can be transferred outside Nigeria only if:
- The receiving country provides an adequate level of data protection.
- The data subject consents to the transfer after being informed of potential risks.
- The transfer is necessary for the performance of a contract or legal obligation.
Enforcement and Penalties
The Nigeria Data Protection Commission (NDPC) is the regulatory body responsible for ensuring compliance with the NDPA. Organisations that fail to comply face significant financial penalties:
- For Data Controllers or Processors of Major Importance: The greater of ₦10 million (Ten Million Naira) or 2% of the organisation’s annual gross revenue.
- For Other Data Controllers or Processors: The greater of ₦2 million (Two Million Naira) or 2% of the organisation’s annual gross revenue.
The NDPC determines whether an entity is classified as a “data controller or processor of major importance” based on factors such as the volume of data processed and its impact on national security and economic interests.
The Nigeria Data Protection Act, 2023 (NDPA) is a significant step forward in protecting personal data and ensuring that organisations adopt responsible data practices. With clear data subject rights, accountability measures, and strict penalties, the NDPA aligns Nigeria with global data protection standards, fostering trust in the country’s digital economy.
DPA Solutions
Advoke International provides comprehensive solutions tailored to support your organisation in achieving compliance with the NDPA.
- NDPA Gap Analysis
- Privacy Framework Implementation
- NDPA Readiness Assessment
- Complete NDPA Compliance Review
Frequently Asked Questions
How does the NDPA affect businesses in Nigeria?
Businesses must now implement strong data protection policies, ensure lawful data processing, and appoint a Data Protection Officer (DPO) if required. They must also comply with data breach reporting requirements and ensure adequate security measures to avoid penalties.
What happens if a company suffers a data breach?
If a company experiences a data breach, it must report the incident to the Nigeria Data Protection Commission (NDPC) and notify affected individuals within 72 hours. Failure to do so could result in fines and other penalties.
Can individuals request companies to delete their personal data?
Yes. Under the right to be forgotten, individuals can request that a company delete their personal data if it is no longer necessary for the original purpose or if they withdraw consent. However, certain legal or regulatory obligations may prevent immediate deletion.
What are the penalties for non-compliance with the NDPA?
Organisations that fail to comply may face the following penalties:
- Major data controllers/processors: The greater of ₦10 million or 2% of annual revenue.
- Other data controllers/processors: The greater of ₦2 million or 2% of annual revenue.