To further safeguard individual privacy rights and promote secure data practices, President Bola Tinubu on June 12, 2023 signed into law the Nigeria Data Protection Act (the “Act”).
This legislation builds upon the foundation laid down by the existing primary regulation, the Nigeria Data Protection Regulation (“NDPR”), and its Implementation Framework, which we advised on in our previous newsletter.
In this newsletter, we have highlighted key changes introduced by the Act.
KEY PROVISIONS IN THE NIGERIA DATA PROTECTION ACT
1. Persons who are covered by the scope of the Act
Similar to the NDPR, the Act applies to data controllers and processors domiciled, resident, or operating in Nigeria. The Act now clearly states that data controllers and processors who are not domiciled in Nigeria but are processing the personal data of data subjects in Nigeria are subject to the provisions of the Act.
2. Establishment of Nigeria Data Protection Commission (the “Commission”)
The Commission replaces the Nigeria Data Protection Bureau as the body saddled with the responsibility of ensuring compliance with data protection laws in Nigeria. In exercising its power under the Act, the Commission recently announced that it will now sanction executives of Ministries, Departments, and Agencies (“MDAs”).
3. Lawful Basis for Processing Personal Data
In addition to the existing lawful bases for processing personal data (i.e. vital interest, consent, contract, legal obligation, public task, etc.), the Act now clearly includes legitimate interest as a basis.
4. Data Impact Assessment (DPIA)
Data controllers and processors are now mandated to consult the Commission when a new product or service introduced into their organization exposes data subjects to a high risk of contravention of their rights and freedoms as data subjects.
5. Sensitive Personal Data and Child Rights
In addition to the existing definition of sensitive personal data, the Act includes genetic data and biometric data for the purpose of uniquely identifying a natural person. The Act further provides that data processors and controllers are expected to apply appropriate mechanisms to verify the age and consent of the child.
6. Rights of Data Subject
In addition to the rights of a data subject under the NDPR, the Act now clearly provides for a data subject to have the right not to be subjected to a decision based solely on the automated processing of personal data.
7. Data Controllers and Data Processors of Major Importance
The Act provides that data processors and controllers who process the data of such number of data subjects as prescribed by the Commission (the “Prescribed Number”) or such other class of data of particular value or significance to the economy, society, or security of Nigeria must be registered with the Commission within 6 months from the commencement of the Act. The Commission is yet to advise on the Prescribed Number of data subjects.
Please note that other changes were made in the Act and the foregoing is not exhaustive. Please discuss with your Data Protection Compliance Organization for further guidance.