The Nigeria Data Protection Act (NDPA) was signed into law in June 2023. This landmark legislation empowers you with control over your online data, granting you several crucial rights. Just as in other jurisdictions in Europe and the United States, companies and individuals have to be extra careful when it comes to personal information, as legal action can be taken against any company or person in the event of a breach.
What is the NDPA?
The NDPA establishes a comprehensive framework for regulating how personal data is collected, used, and protected within Nigeria. It supersedes the previous Nigerian Data Protection Regulation (NDPR) by creating a dedicated enforcement body, the Nigeria Data Protection Commission (NDPC).
What are your key rights under the NDPA?
- Right to Access: You have the right to know what personal data an organisation holds about you and how it’s being used.
- Right to Rectification: If your data is inaccurate or incomplete, you can request its correction.
- Right to Erasure: Under certain circumstances, you can request the deletion of your data.
- Right to Restrict Processing: You can limit how your data is used, for example, by preventing its sale to third parties.
- Right to Object: You can object to automated decision-making based on your data, such as algorithmic profiling, that might affect your access to services or opportunities.
- Right to Data Portability: You can request a copy of your data in a machine-readable format for transfer to another service provider.
- Right to Restrict Sharing: You can keep private conversations or communications with another person from being shared with third parties, unless sharing is necessary for an investigation by law enforcement agencies or is required by an order of court.
How can you exercise your rights?
Organisations collecting your data must provide clear and accessible mechanisms for you to exercise your rights. This could involve dedicated forms, online portals, or designated contact points. The NDPC website will also offer guidance and resources.
What are the implications for businesses?
The NDPA imposes specific obligations on data controllers (organisations collecting data) and data processors (entities handling data on behalf of controllers). They must:
- Implement robust data security measures.
- Obtain informed consent for data collection and processing.
- Conduct data protection impact assessments for high-risk processing activities.
- Report data breaches to the NDPC and affected individuals.
NDPA vs. NDPR: What has been improved in the new act?
While the Nigeria Data Protection Act (NDPA) builds upon the foundation laid by the previous Nigeria Data Protection Regulation (NDPR), the NDPA introduces several key changes and improvements. Let’s delve into the differences and see how the NDPA enhances data privacy for Nigerians:
Scope and Enforcement:
- Wider reach: The NDPA applies to any data controller or processor operating in Nigeria, regardless of their location. This expands coverage compared to the NDPR, which focused on Nigerian entities.
- Dedicated enforcement body: The NDPA establishes the Nigeria Data Protection Commission (NDPC), responsible for enforcing the law. This dedicated body offers a clearer point of contact and accountability compared to the NDPR, which relied on the National Information Technology Development Agency (NITDA) for enforcement.
Data Subject Rights:
- Right to data portability: The NDPA introduces the right to data portability, allowing individuals to request their data in a machine-readable format for transfer to another service provider. This right was absent in the NDPR.
- Clarification on consent: The NDPA provides clearer guidelines for obtaining informed consent, emphasising the need for it to be freely given, specific, informed, and unambiguous.
Data Controller Obligations:
- Data breach notification: The NDPA mandates data controllers to notify the NDPC and affected individuals of data breaches within 72 hours. This requirement strengthens data security accountability compared to the NDPR’s less specific guidelines.
- Data protection impact assessments (DPIAs): The NDPA requires DPIAs for high-risk processing activities, helping organisations identify and mitigate potential data privacy risks before processing begins. This proactive approach was not mandatory under the NDPR.
Other Improvements:
- Increased penalties: The NDPA prescribes harsher penalties for non-compliance, deterring organisations from neglecting data protection obligations.
- Cross-border data transfer regulations: The NDPA establishes a framework for regulating cross-border data transfers, safeguarding Nigerian data when transferred abroad.
However, it’s important to note that the NDPA is still evolving.
- Implementation details: Specific regulations and implementation details are yet to be fully established, leaving some aspects open to interpretation.
- Limited scope for certain data: The definition of “personal data” under the NDPA is narrower than under the NDPR, potentially excluding some types of data from its purview.
Conclusion
Knowing your rights helps in protecting and enforcing them. With the Nigeria Data Protection Act in place, you can rest assured that companies, data brokers, and persons who deal with data have much more to do to ensure that the information they hold about you is kept secure. Where a breach occurs, you have an actionable right against such companies or persons.