
The Nigerian Data Protection Regulation 2019: Its Key Features and Benefits

19th August, 2020 at 1:30pm

Image: mikedugeri.wordpress.com

The National Information Technology Development Agency (NITDA) is mandated by the National Information Technology Development Agency Act to issue regulations and guidelines governing the use of information technology and electronic data. The need to ensure the privacy and protection of Nigerians' personal data, in the face of an alarming increase in personal data breaches, led the Agency to exercise that mandate. To achieve this goal, NITDA issued the Nigerian Data Protection Regulation (NDPR) in January 2019.

The objectives of the NDPR, as contained in section 1 of the Regulation, are as follows:

a)  To safeguard the rights of natural persons to data privacy;
b)  To foster safe conduct of transactions involving the exchange of personal data;
c)  To prevent manipulation of personal data; and
d)  To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection, which regulatory framework is in tune with global best practices.[1]

From the above, the NDPR seeks to protect the privacy of an individual's personal data; to provide safety and security in dealing with an individual's personal data; and to help Nigerian businesses compete in international trade, since the regulatory framework is in tune with global best practices.

For a proper understanding of this topic, it is necessary to be conversant with the meaning of some terms that will be referred to constantly in the course of this article. These terms are as follows:

  • Personal data: any information relating to an identified or identifiable natural person. In an organisation, personal data could be employees' information, customer and subscriber data, vendor and service provider information, etc. Personal data typically includes:
    • Name, phone numbers, contact information;
    • Location information, financial information, transaction history;
    • Gender, ethnicity, health records, and sexual orientation.
  • Data subject: an identifiable person, i.e. a natural person who can be identified, directly or indirectly, from the data.
  • Data controller: a person, or a statutory body, who alone or jointly with others determines the purposes for which and the manner in which personal data is processed or is to be processed.
  • Processing: any operation performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, making available, restriction, erasure or destruction.
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The NDPR applies to natural persons residing in Nigeria and to Nigerian citizens residing outside the country. It also applies to all transactions intended for the processing of personal data (i.e. transactions that involve collecting, structuring, making available, etc., an individual's personal data) in respect of natural persons in Nigeria, regardless of the means by which the processing is conducted.

Major Features of the Nigerian Data Protection Regulation

The NDPR is a regulation enacted to provide for the privacy and security of an individual's personal data. To that end, the NDPR contains a number of features designed to achieve its objectives. Some of those key features are discussed below.

  1. The Legitimate Use of Personal Data
    Under the NDPR, personal data must be collected and processed for a specific, legitimate and lawful purpose, with the consent of the data subject (i.e. the identifiable person). The data collected must be adequate and accurate, must not prejudice the dignity of the person concerned, and must be retained only for the period within which it is reasonably needed. This means that anyone obtaining the personal data of a data subject must ensure the accuracy of the information, must not collect information that would be injurious to the person's dignity, and must use the data only for the legitimate purpose for which it was collected. The NDPR also requires that personal data be secured against all foreseeable hazards and breaches, such as theft, cyber-attack, viral attack, dissemination, manipulation of any kind and physical damage.[8]
  2. The Duty of Care Owed to Data Subjects
    An employer, or anyone else entrusted with or in possession of personal data, owes the data subject a duty of care to protect the data from breach, theft, cyber-attack, damage and the like. The NDPR also holds any person entrusted with the personal data of a data subject accountable for any act or omission that contravenes the principles set out above.
  3. The Requirement of Lawful Data Processing
    It has already been stated that data processing means any operation performed on personal data, such as collection, storage, dissemination, making available, etc. The question is: how is this done lawfully?

    The NDPR provides that processing is lawful only if at least one of the following applies: the data subject has given consent to the processing of his or her personal data for one or more specific purposes; the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject before entering into a contract; the processing is necessary for compliance with a legal obligation to which the controller is subject; the processing is necessary to protect the vital interests of the data subject or of another natural person; or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the controller.
  4. The Requirement of Obtaining Express Consent
    To obtain consent from a data subject, the data controller must first communicate to the data subject the specific purpose for which the personal data will be used. Once that has been done, the NDPR requires the data controller to obtain genuine consent from the data subject, who must possess the legal capacity to give it.

    This means that the consent obtained must not have been procured by fraud, coercion or undue influence.
  5. The Requirement of a Privacy Policy
    Any medium through which personal data is collected must display a privacy policy that is easily understood by the class of data subjects being targeted. The privacy policy must include the following:
    a.  What constitutes the data subject's consent;
    b.  A description of the personal information that may be collected;
    c.  The purpose of collecting the personal data;
    d.  The technical methods used to collect and store personal information, cookies, etc.;
    e.  Access (if any) of third parties to the personal data, and the purpose of such access;
    f.  The remedies available in the event of a violation of the privacy policy, and the time frame for such remedies; and
    g.  Any limitation clause. (No limitation clause will avail a data controller who acts in breach of the principles set out in the Regulation.)

    The privacy policy is required of data collectors to assure data subjects that their personal data is secured, is used for a legitimate purpose, is kept private, and is protected from cyber-attacks and the other hazards set out in regulations 2.1 and 2.2 of the NDPR; to disclose to the data subject the methods used to collect and store the personal information; and to state that the data subject has remedies when the privacy policy is violated.

    If a third party is to have access to, or be involved in the processing of, the personal data of a data subject, there must be a written contract between the data controller and that third party to that effect.

  6. The Requirement of Providing Data Security
    Data collectors are required to develop security measures to protect personal data. The measures named by the NDPR include protecting systems from hackers; setting up firewalls; storing data securely with access limited to specific authorised individuals; employing data encryption technologies; developing an organisational policy for handling personal data and other sensitive or confidential data; protecting email systems; and continuous capacity building for staff.

    The essence of this provision is to ensure the privacy and safety of an individual's personal data. The data collector is saddled with the responsibility of ensuring that privacy and safety, and the NDPR lists the measures expected of a data collector in meeting this requirement.
  7. Penalty for Default
    A data controller found to be in breach of the data privacy rights of any data subject is liable, in addition to any other criminal liability, to a fine. Where the data controller deals with more than 10,000 data subjects, the fine is 2 percent of its annual gross revenue for the preceding year or the sum of 10 million naira, whichever is greater. Where the data controller deals with fewer than 10,000 data subjects, the fine is 1 percent of its annual gross revenue for the preceding year or the sum of 2 million naira, whichever is greater.

    Beyond the financial loss a company will suffer for a breach of the NDPR, the company can also suffer reputational damage, especially where it has international recognition. The company may lose customers, clients or contracts. The provisions of the NDPR must therefore be strictly adhered to.
  8. The Requirement for Transferring Data to a Foreign Country
    Personal data may be transferred to a foreign country, but only subject to the provisions of the NDPR and under the supervision of the Attorney General of the Federation. The role of the Attorney General of the Federation is to take into consideration the legal system of the foreign country to which the personal data is going: its rule of law, its respect for human rights, its data protection rules, its laws on the access of public authorities to personal data, etc. The Attorney General of the Federation is also to consider how those laws are implemented, as well as the rules for the onward transfer of personal data to yet another foreign country.

    In addition, before personal data is transferred to a foreign country, the Agency (NITDA) must be satisfied that the foreign country in question ensures an adequate level of protection. In the absence of any decision by the Agency or the Attorney General of the Federation as to the adequacy of safeguards in a foreign country, personal data may be transferred to that country only with the explicit consent of the data subject, given after the data subject has been informed of the possible risks of the transfer.
  9. The Rights of a Data Subject
    A data subject has the right to request any information relating to the processing of his or her personal data, and the controller must provide that information in a concise, transparent, intelligible and easily accessible form. The information must be provided free of charge, unless the request is manifestly unfounded or excessive, in which case the controller may charge a reasonable fee. The controller bears the burden of proving that a request is manifestly unfounded or excessive.

    A data subject also has the right to certain information from the data controller before handing over personal data. This information is as follows:

a)  The identity and contact details of the controller.
b)  The contact details of the data protection officer.
c)  The purposes of the processing for which the personal data is intended, as well as the legal basis for the processing.
d)  The legitimate interests pursued by the controller or by a third party.
e)  The recipients of the personal data (if any).

In addition, the data subject has the right to know:

  • whether the data controller intends to transfer the personal data to a foreign country or an international organisation;
  • that the data subject may request the data controller to rectify or erase the personal data;
  • that the data subject may lodge a complaint with the relevant authority at any time;
  • whether the provision of the personal data is a statutory or contractual requirement, and the consequences of not providing it; and
  • when the data controller intends to use the personal data for a purpose other than that for which it was collected.

The Benefits of the Nigerian Data Protection Regulation

The NDPR was issued in January 2019 as the country's first comprehensive, codified data protection regulation, to protect the data privacy of Nigerians. In a brief interview, Adeoluwa Akomolafe stated that the importance of data privacy cannot be over-emphasised. He said that attacks on businesses were based on data breaches, which led to an increase in regulatory focus worldwide, and that regulations such as the European Union's General Data Protection Regulation, the Asia Pacific Data Protection and Cyber Security Guide 2020 and the German IT Security Act 2015 were all created to address the rampant breaches of data belonging to individuals and companies.

According to him, the NDPR was created as a response to the increase in data breaches. The purpose of the NDPR, in his statement, is to ensure that Nigerian companies understand the data in their custody; how such data is classified; their obligations in ensuring security of that data; and other relevant issues relating to the data in their custody.[20]

That said, the four principal benefits of the Nigerian Data Protection Regulation are as follows:

  1. The NDPR is a regulation put in place to ensure the security and safety of Nigerians' personal data by laying down reasonable principles that govern data processing.
  2. The NDPR guards against breaches of personal data and against manipulation of personal data to the detriment of the data subject.
  3. The NDPR gives Nigerians the right to give or to withhold consent when it comes to handing over their personal data for processing.
  4. The NDPR gives Nigerian businesses a competitive edge in international trade over businesses in countries without a data protection regulation or comparable Act protecting a company's or an individual's information. Because the NDPR is in tune with global best practices, it is also good for the country's image.

The above provisions are laudable, yet critics have said that companies and organisations cannot take cover under the NDPR because the definition of data subject refers only to 'natural persons'. It is true that registered companies enjoy separate legal personality, i.e. an identity distinct from the persons who run their affairs, and so a company's own data privacy can be breached without any natural person being the data subject.

However, Adeoluwa Akomolafe, in answering this question, explained that in every company a person is usually put in charge of people's data. This person is referred to as the 'data protection officer'. The data protection officer is appointed by the organisation (i.e. the data controller) to take responsibility for driving the protection of data. The primary role of a data protection officer is to ensure that the organisation (i.e. the data controller) processes the personal data of its staff, customers, service providers, etc., in compliance with the applicable data protection rules. Hence, the organisation, as the data controller, through its data protection officer, will be responsible for the privacy breach of another company that complains of a breach. In other words, the NDPR is applicable to companies: the organisation that is the data controller will be held responsible when another company suffers a breach of data privacy.

In conclusion, the NDPR applies to all storage and processing of personal data in respect of natural persons in Nigeria and Nigerian citizens abroad. The purpose of the NDPR is to safeguard the rights of natural persons to data privacy; to bring about the safe conduct of transactions involving the exchange of personal data; and to prevent the manipulation of personal data. The NDPR imposes numerous compliance obligations on data controllers and processors in the processing of the personal data of natural persons.

Data controllers must ensure that all data collected is kept secure, and must have the tools to guard against data manipulation. Explicit consent from the data subject must be obtained by the data controller before personal data is shared with a third party.

Adeiye Adenekan.
Email address: info@michaelmaschambers.com
LinkedIn: https://www.linkedin.com/in/michaelmas-chambers-5a49000146    
Twitter: @MichaelmasLaw
Phone no: 09090008231.

[1] Section 1 of the Nigerian Data Protection Regulation, 2019.
[2] Section 4, regulation 1.3(q) of the Nigerian Data Protection Regulation, 2019.
[3] Section 4, regulation 1.3(k) of the Nigerian Data Protection Regulation, 2019.
[4] Section 4, regulation 1.3(g) of the Nigerian Data Protection Regulation, 2019.
[5] Section 4, regulation 1.3(r) of the Nigerian Data Protection Regulation, 2019.
[6] Section 4, regulation 1.3(s) of the Nigerian Data Protection Regulation, 2019.
[7] Section 2, regulation 1.2 of the Nigerian Data Protection Regulation, 2019.
[8] Section 5, regulation 2.1(1) of the Nigerian Data Protection Regulation, 2019.
[9] Section 5, regulation 2.1(2) of the Nigerian Data Protection Regulation, 2019.
[10] Section 6, regulation 2.2 of the Nigerian Data Protection Regulation, 2019.
[11] Section 7, regulation 2.3 of the Nigerian Data Protection Regulation, 2019.
[12] Section 9, regulation 2.5 of the Nigerian Data Protection Regulation, 2019.
[13] Section 11, regulation 2.7 of the Nigerian Data Protection Regulation, 2019.
[14] Section 10, regulation 2.6 of the Nigerian Data Protection Regulation, 2019.
[15] Regulation 2.10 of the Nigerian Data Protection Regulation, 2019.
[16] Section 14, regulation 2.11 of the Nigerian Data Protection Regulation, 2019.
[17] Sections 16-31 of the Nigerian Data Protection Regulation, 2019.
[18] Sections 16-31 of the Nigerian Data Protection Regulation, 2019.
[19] Ibid.
[20] Adeoluwa Akomolafe, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Chief Information Security Officer and Assistant General Manager, Wema Bank Plc.
[21] Adeoluwa Akomolafe, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Chief Information Security and Data Protection Officer, Wema Bank Plc.
[22] Section 1 of the Nigerian Data Protection Regulation, 2019.
[23] Olumide Babalola, Nigeria: My Thoughts on the Nigerian Data Protection Regulation (NDPR) 2019 (published March 2020), accessed 14th July 2020.
[24] Adeoluwa Akomolafe, Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Chief Information Security and Data Protection Officer, Wema Bank Plc.
[25] Ibid.