Frequently Asked Questions

What is the full meaning of NDPA?

Nigeria Data Protection Act

What are the major objectives of the NDPA?
  •  To safeguard the rights of Natural Persons to Data Privacy;
  •  To foster safe conduct of transactions involving the exchange of Personal Data;
  •  To prevent manipulation of Personal Data; and
  •  To ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection that is in tune with best practice. (See Article 1.1, NDPR)

What is the scope of the NDPC?
  • NDPA applies to all transactions that involve the processing of Personal Data;
  •  NDPA applies to natural persons residing in Nigeria or residing outside Nigeria (but who are citizens of Nigeria);
  •  NDPA does not limit, abridge or deny the full protection a natural person is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction. (See Article 1.2, NDPR)

What is Data Processing?

Data Processing means: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (See Article 1.3 xxi, NDPR)

The consent of a Data Subject is very important in data processing. A Data Controller must seek this consent either in writing or by any other action through which the Data Subject knows he is giving consent. There are exceptions where duly constituted authorities can process data without consent in the public interest, or where private organizations may have a lawful and cogent basis (albeit rebuttable) for data processing. These exceptions are without prejudice to the principles of data protection. Hence every Data Controller, whether acting in the public interest or in a private interest, can be held to account under the NDPA. (See Articles 2.1-2.4, NDPR)

How can the Nigeria Data Protection Commission (NDPB) legally protect the Privacy Right of a Data Subject?

Privacy right is a fundamental right that is recognized and enforceable through the executive powers vested in the executive arm and the judicial powers vested in the judicial arm of government. In the exercise of the executive powers vested in the President by virtue of Section 5, 1999 Constitution of the Federal Republic of Nigeria (CFRN, as amended), the NDPC was established to implement the NDPA (See About Us). Through its synergy or collaboration with relevant government agencies such as the National Information Technology Development Agency (NITDA), Nigeria Police Force, Federal Competition and Consumer Protection Commission, Independent Corrupt Practices and Related Offences Commission (ICPC), Central Bank of Nigeria, etc., NDPB takes effective executive measures in protecting the Privacy Rights of Data Subjects.

What is the role of NDPA in transactions that require transfer of Personal Data abroad?

The NDPR recognizes the need for cross-border transfer of data in an era of globalized and high-speed business transactions. Article 2.11 of the Regulation, which touches on transfer to a foreign country, addresses this issue. To comply with the provision and other aspects of the Regulation, the Data Controller is under legal obligation to provide the following:

  • I) The name(s) of the country where personally identifiable information of Nigerian citizens is transferred in the regular course of business.
  • II) The consent of the Data Subject in line with the principles of data protection.
  • III) The Data Protection Laws and contact of the National Data Protection Office / Administration of the named country (in I above).
  • IV) The Privacy Policy of the Data Controller, which must comply with the provisions of the NDPR.
  • V) An overview of the encryption method and data security standard.
  • VI) Any other detail that assures that the privacy of Personal Data is adequately protected in the named country (in I above).

When is the deadline for filing Annual Privacy Audit Returns?

Data Controllers are expected to file their data audit report annually before the 15th of March of a new year. (See Article 4.1 (7) NDPR)

We process less than 2000 data subjects, do we need to file Privacy Audit Returns (PAR)?

Data Privacy Audit is a legal standard and an obligation imposed on all Data Controllers regardless of the number of data subjects processed. (See Article 4.1(5) NDPR). A data controller who neglects to abide by this legal requirement and to demonstrate compliance by filing the audit returns with the Bureau faces the risk of legal action on the part of data subjects and the Bureau. Failure to demonstrate compliance is a justiciable threat to the fundamental right to privacy. NDPA does not limit the right of a data subject, rather it advances the right. The PAR filed by a Data Controller is the first certifiable public document that has probative value whenever and wherever proof of NDPA compliance is required.

How do we file Privacy Audit Returns (PAR)?

PAR is to be filed with the Bureau through a Licensed DPCO (See the List of Licensed DPCOs).

Our Sector Regulator has issued a Data Protection Regulation for our sector, are we still expected to comply with the NDPR?

Yes. NDPA covers all sectors and all aspects of data privacy. Sectorial guidelines or regulations are usually directed at customers or persons to whom you (as a Data Controller or Processor) may owe a fiduciary duty. NDPA, in line with section 37 of the 1999 Constitution of the Federal Republic of Nigeria, imposes a duty of care in respect of customers, employees, guests, visitors and all other categories of Data Subjects whose data may be in your custody or come into your custody for any reason.

What are the possible consequences of non-compliance with the NDPA?
  • Breach of data privacy by a non-compliant Data Controller or Processor attracts administrative and criminal sanctions.
  •  Data Subjects have the right to take civil actions against the Controller on the basis of the NDPA.
  •  The business implication of non-compliance includes brand image damage, loss of customers, restriction from international market opportunity, lack of support from national Supervisory Authority against foreign investigation of breach by an international authority.
  •  Negative perception/reputation of the organization.


According to Article 2.10 of the NDPR:
Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:

  •  In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater;
  •  In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

Does the NDPA limit my right as a professional to advise clients on Data Protection?

NO!
Professionals are not restricted from performing their professional duties; however, only licensed DPCOs can provide a competent verification statement on Privacy Audit Returns.