AN OVERVIEW OF THE NIGERIA DATA PROTECTION REGULATION IN ANTICIPATION OF THE NATIONAL DATA PROTECTION BILL
In today’s world, it's nearly impossible to engage in online activities or e-commerce without providing data. Requests to share personal or professional information are a common occurrence. One major concern for those who provide their data is its use once it is shared publicly. This invariably leads us to the issue of data protection and privacy.
Data protection refers to the safeguarding of personal information and ensuring that it is used in an ethical and lawful manner while privacy refers to the right of individuals to control their personal information and to keep it confidential. Both data protection and privacy are essential in today's world, where vast amounts of personal information a recollected, stored, and processed by organizations and governments.
Under Nigeria’s legal regime, the Nigeria Data Protection Regulation 2019 (the regulation) is a comprehensive regulatory framework that governs the collection, storage, use, and transfer of personal data in Nigeria. It was established under the Nigerian Communications Commission Act (NCC) and was enacted in 2019 to ensure the protection of personal data and the privacy rights of individuals in Nigeria. The regulation commends the right of citizens protected under the Constitution of the Federal Republic of Nigeria, 1999 (as amended).
The regulation outlines the responsibilities of data controllers, data processors, and data subjects, as well as the obligations of data controllers and data processors in protecting personal data. It defines personal data as any information that relates to an identifiable individual, including names, addresses, email addresses, phone numbers, and biometric data.
Under the regulation, data controllers and data processors must obtain the consent of data subjects before collecting, storing, or processing their personal data. This consent must be obtained in writing, either through a written agreement or electronic means. The regulation also requires that data controllers and data processors take appropriate security measures to protect personal data from unauthorized access, alteration, or destruction.
Additionally, the regulation requires data controllers and data processors to conduct data protection impact assessments (DPIAs)before processing personal data. This is to ensure that any potential risks to personal data are identified and addressed before processing begins.
The regulation also provides for the right of data subjects to access, rectify, or delete their personal data. In addition, data subjects have the right to object to the processing of their personal data, as well as the right to data portability.
In the event of a data breach, the regulation requires data controllers and data processors to promptly notify the NCC and affected individuals. The NCC has the power to impose fines and sanctions on data controllers and data processors that fail to comply with the provisions of the Regulation.
To further strengthen the data protection and privacy legal regime the Federal Executive Council (FEC), on the 25th ofJanuary 2023, approved the transmission of the National Data ProtectionBill (NDPB) to the National Assembly as an executive bill through the office ofthe Minister of Justice and Attorney General of the Federation.
Signing the NDPB into law will increase the confidence of foreign investors in Nigeria's economy and encourage them to engage in business activities while also providing a comprehensive framework for the collection, storage, use, and transfer of personal data, and ensuring that appropriate measures are taken to protect personal data from unauthorized access or misuse. We greatly anticipate the signing of NDPB as it reinforces the data protection and privacy legal regime in Nigeria.