• Thursday, October 17, 2024

BusinessDay

An overview of the draft NDPA General Application and Implementation Directive (GAID)

Data Protection

WTS Blackwoodstone Insights

INTRODUCTION

The Nigeria Data Protection Commission (“NDPC” or “the Commission”) published the draft Nigeria Data Protection Act General Application and Implementation Directive 2024 (“GAID” or “the Directive”) in May 2024 with the aim of providing clarity and implementation frameworks for the provisions of the Nigeria Data Protection Act 2023 (NDPA or the Act). The Directive also aims to offer guidance, especially regarding disruptive technologies and evolving engagement paradigms that involve the processing of personal information among citizens, organisations, communities, states, and countries of the globe at large.

In this article, we examine the major points contained in the draft GAID, highlighting notable provisions and innovations and their potential implications for the processing of personal data.

HIGHLIGHTS

Categorisation of Data Subjects

With respect to the Data Subjects entitled to enjoy “Data Subject’s rights” under the NDPA, the GAID expands the scope of application of the NDPA to the processing of personal data of Nigerians residing in a foreign country, taking into consideration the rules of international law. The Directive also applies to data subjects within Nigeria, regardless of nationality and migration status, and to data subjects whose personal data has been transferred to, or is in transit through, Nigeria.

Compliance Audit Report

The GAID further clarifies the obligations of Data Controllers and Data Processors. Notably, the Commission has classified data controllers and processors into three categories of major data processing: Major Data Processing-Ultra High Level (MDP-UHL), Extra High Level (MDP-EHL) and Ordinary High Level (MDP-OHL). Data Controllers/Processors in the MDP-UHL and MDP-EHL categories are mandated to register once with the Commission and thereafter file a Compliance Audit Report (CAR) annually, while Data Controllers/Processors in the MDP-OHL category are required only to renew their registration annually, without an obligation to file an annual CAR.

Internal Semi-Annual Data Protection Report by Data Protection Officers (DPO)

Further to the above, Article 13 of the GAID provides that DPOs are to ensure that a semi-annual data protection report is compiled and submitted to the management of Data Controllers and Data Processors. The report is, among other things, to contain the compliance status of the Data Controller or Processor, taking into consideration the applicable data protection principles; the lawful basis of data processing; the need for a Data Protection Impact Assessment (DPIA); Legitimate Interest Assessment; the ease with which Data Subjects can exercise their rights; complaints and remediation for Data Subjects; guidance sought from the DPCO; assessment of data security; and the legal grounds for cross-border data transfer, amongst others.

Lawful Bases for Data Processing

The GAID notes that a data controller must carefully assess the lawful basis for data processing and may rely on any lawful basis in order to process personal data. It lists consent, contractual obligation, legal obligation, vital interest, public interest and legitimate interest as possible lawful bases for data processing.

It also introduces Special Rule of Law Indexes (SRLI) in relation to consent as a lawful basis for processing data. The SRLI are to the effect that, in the event of a complaint to the Commission that consent was not obtained before data processing, the Commission is to consider whether reliance on consent would effectively defeat the rule of law. In doing so, the Commission is to account for the clear and present risk to the fundamental rights and freedoms of the data subject and third parties; the security implications; public welfare; sustainable development; equality, neutrality and impartiality; the prior relationship between the data controller and the data subject; and the proportionality and necessity of the scope of the processing.

Schedules

Pursuant to the GAID, Data Controllers and Data Processors are required to prepare, implement and analyse schedules for monitoring, evaluating and maintaining data security systems. These schedules are to contain technical and organisational measures, including all trainings, certifications, software updates, vulnerability tests of databases, hardware assessments, encryption reviews, authentication checks and quality assurance on the products and services used to preserve data confidentiality, integrity and availability. The schedule shall be vetted and certified by a duly certified information security officer, and a data controller is to carry out monitoring, evaluation and maintenance of data security systems as frequently as possible.

Data Processing Software

Further, the GAID imposes an NDPA compliance obligation on Data Controllers and Data Processors deploying data processing software for tracking or enabling swift processing of personal data and creating a communication link with Data Subjects. It also mandates data controllers or processors deploying such software to, among other things, carry out a DPIA before deployment of the software; ensure that the software is designed in accordance with the principles of privacy by design and by default; follow data security guidelines; provide a data privacy policy within the software; and provide a privacy statement prior to installation of the software.

Benchmarking with Interoperable Data Privacy Measures

The GAID also reemphasises the need to advance data protection and privacy rights, and the measures designed for this purpose, in a globally interconnected and constantly evolving data protection ecosystem. Further, subject to the approval of the Commission, a data controller or processor may benchmark its data processing against Interoperable Data Privacy Measures (IDPMs). Notably, IDPMs may be used in anonymisation, automated decision making, child online protection, data portability, data subject access requests and DPIAs, amongst others.

Data Subject’s Standard Notice to address Grievance

The Directive also introduces the Standard Notice to Address Grievance (SNAG), by which an aggrieved Data Subject may notify a data controller or processor where they reasonably believe that their right to data privacy has been violated. However, it is vital to note that a SNAG is not a condition precedent for a Data Subject to lodge a complaint with the NDPC or to institute an action in a court of law. It is merely a template for demanding internal remediation from an organisation which may be violating a data subject’s privacy. Notably, upon receipt of a SNAG, a data controller or processor shall communicate its decision on the SNAG to the Commission.

Emerging Technologies

The GAID also makes provisions for Emerging Technologies (ETs) such as artificial intelligence, the internet of things and blockchain. The Directive obliges Data Controllers and Data Processors deploying ETs to take data protection laws as well as public policy into consideration and to put in place basic protection structures such as the Data Protection Impact Assessment (DPIA), amongst others. It also mandates data controllers or processors to establish technical and organisational parameters in accordance with the provisions of the law, taking into consideration the rights of data subjects; safeguards for the processing of sensitive personal data; the rights of children and other vulnerable groups; the regulation of cross-border data flows; and privacy by design and by default.

CONCLUSION

The GAID has reestablished the relevance of information privacy, further strengthening data protection in Nigeria by addressing gaps, developments and emerging trends and technologies. It is, however, worth noting that the GAID is yet to be formally issued by the NDPC. Upon its publication, we hold the view that the Directive would be helpful in clarifying the provisions of the NDPA and in entrenching the trust and confidence of Data Subjects within and outside Nigeria in Nigeria’s data protection policies.

Authors:

Ifeoma Madu, CDPO (Managing Associate)

Ifeoma is a Certified Data Protection Officer and leads our Regulatory Compliance and Company Secretarial Group.

Chidiebere Mbah, CDPO (Associate)

Chidiebere is a Certified Data Protection Officer and an Associate in the firm’s Regulatory Compliance and Company Secretarial Group.
