I. Introduction
In today’s digital economy, data serves as a fundamental asset. It is core to business operations and drives strategic insights. A significant portion of this data contains personal and sensitive information, which is subject to regulatory protections under most global data privacy frameworks. Recognizing this, Nigeria has passed comprehensive legislation aimed at safeguarding the fundamental rights and freedoms of data subjects as enshrined in the nation’s Constitution.
On June 12, 2023, President Bola Ahmed Tinubu signed the Nigeria Data Protection Bill, 2023, into law as the Nigeria Data Protection Act, 2023 (NDPA). This landmark legislation effectively repeals and replaces the Nigerian Data Protection Regulations (NDPR) 2019 and the NDPR Implementation Foundation 2019, published under the National Information Technology Development Agency (NITDA), and establishes a robust framework for personal data protection in Nigeria.
II. Who Needs to Comply with NDPA
A. Material Scope
The NDPA is applicable to the processing of personal data by automated means or otherwise in any of the following situations:
- The data controller or data processor is based in, resides in, or conducts business in Nigeria;
- The data processing takes place within Nigeria; or
- The data controller or data processor, though not based in, resident in, or conducting business in Nigeria, processes personal data of data subjects in Nigeria.
B. Territorial Scope
The NDPA has extraterritorial reach and applies to data controllers or data processors outside Nigeria that process personal data of data subjects in Nigeria.
C. Exemptions
The NDPA does not apply to the processing of personal data in the following contexts:
- Conducted solely for personal or household purposes without infringing upon the data subject’s fundamental right to privacy;
- Processing conducted by competent authorities for crime prevention, investigation, prosecution, or enforcement of penalties under applicable laws;
- Processing for preventing or controlling a national public health emergency by competent authorities;
- Processing carried out by a competent authority for national security;
- Processing for publication in the public interest, or for journalistic, educational, artistic, or literary purposes, to the extent that fully applying the Act's obligations would hinder or prevent these purposes;
- When personal data processing is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
The Act also empowers the Commission to create further exemptions as needed.
III. Definitions of Key Terms
Understanding the specific terminology used in the NDPA is crucial for compliance. Below are the definitions of some core terms:
A. Commission
Commission refers to the Nigeria Data Protection Commission (NDPC), the independent regulatory body established by the NDPA to oversee data protection and privacy matters.
B. Consent
Any freely given, specific, informed, and unambiguous indication via an affirmative action or a written or spoken statement of an individual’s agreement to the processing of personal data about them or another individual on whose behalf they have the authority to grant such consent.
C. Data Controller
Any individual, private entity, public authority, or any other organization that determines, either alone or jointly with others, the purposes and means of processing personal data.
D. Data Processor
Any individual, private entity, public authority, or any other organization that processes personal data on behalf of or under the supervision of a data controller or another data processor.
E. Data Controller or Data Processor of Major Importance
Refers to a data controller or processor that is domiciled in, resident in, or operating in Nigeria and processes or intends to process personal data of more than such number of data subjects within Nigeria as the Commission may prescribe, or such other class of data controller or data processor that is processing personal data of particular value or significance to the economy, society, or security of Nigeria as the Commission may designate.
F. Personal Data
Any information that identifies an individual, directly or indirectly, using an identifier, such as a name, identification number, location information, online identifier, or one or more characteristics unique to the person's physical, physiological, genetic, psychological, cultural, social, or economic identity.
G. Data Subject
The individual to whom personal data relates.
H. Sensitive Personal Data
Personal data relating to an individual’s health, sex life, political opinions or affiliations, trade union memberships, race or ethnic origin, religion or similar beliefs, genetic and biometric information for the purpose of uniquely identifying a natural person, and any other information specified by the Commission as sensitive.
IV. Obligations for Organizations Under NDPA
A. Principles of Personal Data Processing
Data controllers and processors are responsible for adhering to the core principles of data processing under the Act. These principles include:
- Lawfulness, Fairness, and Transparency: Processing must be fair, lawful, and transparent.
- Purpose Limitation: Data collection should be for specified, explicit, and legitimate purposes, without incompatible further processing.
- Data Minimization: Only the minimum adequate and relevant information necessary for stated purposes should be collected and processed.
- Storage Limitation: Personal data must not be retained for longer than necessary for its intended purpose.
- Accuracy: Data must be accurate, complete, non-misleading, and updated as necessary.
- Security and Integrity: Processing must be carried out in a manner that ensures appropriate security against unauthorized access, loss, destruction, damage, or breaches. This requires implementing robust organizational and technical safeguards to ensure data availability, confidentiality, and integrity.
Controllers and processors must also demonstrate accountability and exercise a duty of care in handling personal data.
B. Lawful Basis Requirements
Under NDPA, personal data may be processed only if it is carried out based on any of the following legal bases:
- Consent: The data subject has given specific consent for the said processing and has not withdrawn it.
- Contractual Necessity: Processing is essential for fulfilling a contract with the data subject or for pre-contractual steps requested by them.
- Legal Obligation: Processing is necessary to comply with a legal obligation imposed on the controller or processor.
- Vital Interests: Processing is crucial to protect the vital interests of the data subject or another individual.
- Public Interest/Official Authority: Processing is necessary for a task carried out in the public interest or the exercise of official authority vested in the controller or processor.
- Legitimate Interests: Processing is for the legitimate interests pursued by the controller, processor, or a third party, unless these interests are overridden by the data subject's fundamental rights, freedoms, and interests, are incompatible with other lawful bases, or are outside the data subject's reasonable expectation of processing.
C. Consent Requirements
The NDPA places the burden of proof on data controllers to establish a data subject’s consent. Consent must be freely given, specific, informed, and unambiguous, and can be indicated by an affirmative action or a written or spoken statement. Requests for consent must be in clear and simple language and in an accessible format.
When determining if the consent was truly freely given for personal data processing, data controllers must assess if the provision of the service was made conditional upon the data subject providing consent for the said processing, in which case the consent is not freely given. Silence or inactivity shall not constitute a freely given, explicit consent.
In cases where processing of personal data solely depends on the data subject’s consent, the data subject must be made aware of their right to withdraw consent before consent is granted by them. However, withdrawing consent will not affect the legality of the processing that was conducted prior to the withdrawal of consent.
D. Consent Requirements for Children and Persons Lacking Legal Capacity
When processing personal data of children or individuals lacking legal capacity, data controllers must secure consent from parents or legal guardians while implementing appropriate age and consent verification mechanisms using available technology. However, parental consent is not required when processing is vital for safeguarding the individual's interests, necessary for providing social services, healthcare, or education under professional confidentiality while maintaining anonymity, or required for court proceedings involving them. For children aged 13 and above who request online services or information, the Commission will establish specific guidelines for handling their personal data in accordance with the NDPA's objectives.
E. Legal Requirements for Data Subject Notification
Data controllers must provide the following information to data subjects before collecting personal data from them directly:
- Controller's Identity & Contact.
- Lawful Basis & Purpose.
- Data Recipients.
- Data Subject Rights.
- Data Retention Period.
- Automated Decisions.
This same information must be provided even if personal data is not collected directly from data subjects (e.g., obtained from another source), unless the data subject has already received such information or providing it would require disproportionate effort and expense. Additionally, all necessary information must be included in a clear, easily accessible, and readable privacy policy.
F. Data Protection Impact Assessment Requirements
A data controller must conduct a data protection impact assessment (DPIA) before processing personal data if the processing is likely to put the rights and freedoms of data subjects at high risk, considering the nature, scope, context, and purpose of the processing. Additionally, if the DPIA indicates that the intended processing would still result in a high risk to data subjects despite the proposed measures, the data controller must consult the Commission before proceeding with the proposed processing. The Commission may also issue directives or publish regulations specifying the categories of processing and data subjects that are subject to the DPIA requirement.
G. Registration Requirements
Data controllers and processors of major importance are mandated to register with the NDPC within six months of the NDPA's commencement or of attaining that status. This registration entails notifying the Commission of their name and address, their Data Protection Officer's details, the categories and volume of personal data processed, the specific processing purposes, any intended cross-border transfers, details of any subprocessor or representative, a general overview of risks and security measures, and any other information the Commission may require. Furthermore, any material change to the submitted information must be reported to the Commission within 60 days.
H. Security, Integrity, and Confidentiality Requirements
The NDPA requires data controllers and processors to implement organizational and technical safeguards protecting personal data against unauthorized access, loss, or misuse. Organizations must consider data sensitivity, potential harm, volume, retention period, and available technologies when designing protections. Key safeguarding measures include pseudonymization or de-identification, encryption, secure processing systems, backup and recovery mechanisms, regular audits and assessments, and system updates to address evolving risks. These protections are essential not only for legal compliance but also for maintaining customer trust.
I. Data Breach Requirements
Despite the strongest preventative measures, data breaches can occur. The NDPA outlines clear, stringent requirements for how data controllers and processors must respond in case of a data breach to ensure transparency and minimize harm.
A data controller must notify the NDPC of a breach that is likely to undermine an individual’s rights and freedoms within 72 hours of becoming aware of it. Where possible, the data controller must also describe the nature of the personal data breach, including the categories and approximate numbers of data subjects and personal data records involved.
If a breach involving personal data that a data processor stores or processes occurs, the data processor must, upon learning of the breach, ensure the following:
- Promptly inform the relevant data controller or data processor, outlining the specifics of the breach of personal data, including, if practical, the types and approximate numbers of concerned data subjects and personal data records; and
- Reply to any information requests made by the data controller or data processor.
If a personal data breach is likely to put a data subject's rights and freedoms at high risk, the data controller must notify the data subject immediately in plain and clear language. The data controller must also guide the data subject on the different steps they can take to mitigate any potential negative effects of the data breach.
When direct communication with data subjects is impractical or disproportionately expensive, data controllers may publish public notices in widely preferred media outlets. All breach notifications must outline likely consequences, mitigation steps, and contact information. Data controllers and processors must document breaches, including facts, consequences, and corrective measures for the Commission’s review. If information cannot be provided immediately, it may be provided gradually but without excessive delay.
J. Data Protection Officer Requirement
Data controllers of major importance must appoint a Data Protection Officer (DPO) with expert knowledge of data protection laws and practices and who is capable of fulfilling the obligations outlined under the NDPA and related laws. A data controller may employ a DPO or engage one via a service contract.
The DPO must monitor compliance with the NDPA and internal policies, advise the controller or processor and their staff on NDPA obligations, and act as the contact point for the NDPC on data processing matters.
K. Cross-Border Data Transfer Requirements
A data controller or data processor must not transfer, or permit the transfer of, personal data from Nigeria to another country unless the transfer is made under a law, binding corporate rules, a code of conduct, a certification mechanism, or contractual clauses in the recipient country that offer a level of protection for the personal data equal or adequate to that provided for in the NDPA.
A data controller or processor must also document the basis for transferring personal data outside of Nigeria, along with the available adequate safeguards in the recipient country. Additionally, the Commission may enact rules mandating data controllers and processors to inform the Commission of all the measures in place for such transfer and explain the adequate safeguards in the recipient country.
Based on the categories of personal data and the risks to data subjects, the Commission may restrict the transfer of designated categories of personal data that are subject to further limitations or conditions.
V. Data Subject Rights
A cornerstone of the NDPA is empowering individuals with significant control over their personal data. Understanding and facilitating these 'Data Subject Rights' is a fundamental obligation for all data controllers and processors.
A. Right to Confirmation
Data subjects have the right to obtain confirmation from the data controller, without constraint or unreasonable delay, whether a data controller or a data processor acting on their behalf is storing or otherwise processing their personal data.
B. Right to Access Data
Data subjects have the right to access a copy of their personal data in a generally used electronic format unless doing so would result in the data controller incurring unreasonable expenses, in which case the data controller may request the data subject to cover some or all of those costs.
C. Right to Correction
Data subjects have the right to correction of inaccurate, out-of-date, incomplete, or misleading personal data, or erasure of such data if correction is not practical or appropriate.
D. Right to Erasure
Data subjects have the right to request the data controller to erase their personal data without undue delay where retaining it is no longer necessary for the purposes for which it was collected or processed, or the data subject has withdrawn their consent and the data controller has no other lawful basis for retaining it.
E. Right to Withdraw Consent
Data subjects have the right to withdraw consent to the further processing of their personal data at any time. The data controller must ensure that withdrawal of consent is made as easily available as giving consent.
F. Right to Object
Data subjects have the right to object to the processing of their personal data. In all such events, the data controller must discontinue processing their personal data unless it can demonstrate a public interest or other legitimate grounds that override the data subject's fundamental rights, freedoms, and interests.
G. Right Not to be Subject to Automated Processing
Data subjects have the right not to be subjected to a decision based solely on automated processing of personal data where such processing may produce legal or other significant effects on the data subject, including profiling.
H. Right to Data Portability
Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format from the data controller without undue delay and, where technically feasible, to have the personal data transmitted directly from one data controller to another.
VI. Regulatory Authority
The NDPA is enforced by the NDPC. Data subjects aggrieved by a data controller's or data processor's decision, action, or inaction, in violation of the NDPA or its subsidiary laws, may file a complaint with the Commission. Additionally, the Commission will maintain and publish on its website a register of duly registered data controllers and data processors of major importance.
Penalties for Non-Compliance
The NDPA establishes a tiered penalty system for non-compliance, overseen by the Nigeria Data Protection Commission. The penalties are structured as follows:
- For Data Controllers and Processors of Major Importance: A fine of ₦10,000,000 (ten million Naira) or 2% of their annual gross revenue from the preceding year, whichever amount is higher, may be imposed.
- For Other Data Controllers and Processors: A fine of ₦2,000,000 (two million Naira) or 2% of their annual gross revenue from the preceding year, whichever amount is higher, may be imposed.
VII. How Can an Organization Operationalize the NDPA
Organizations can operationalize the NDPA by ensuring the following:
- Conduct a comprehensive data mapping of data assets and their residency;
- Appoint a data protection officer (DPO) to supervise the organization’s operations and efforts to ensure compliance with the NDPA;
- Establish internal governance frameworks and data protection policies;
- Obtain an individual’s consent prior to processing or sharing their personal data, particularly when dealing with children’s personal data;
- Implement a process to honor data subject requests, such as requests for access, correction, and withdrawal of consent, and the other rights outlined in the NDPA;
- Conduct data protection impact assessments (DPIAs) and maintain a record of processing activities;
- Establish a clear data breach response plan to detect, assess, and notify of breaches within legal timeframes; and
- Conduct regular training and assign individuals roles and responsibilities.
VIII. How Securiti Can Help
Navigating ever-evolving privacy requirements can be complex, particularly when it comes to cross-border data transfers. Fortunately, Securiti’s suite of automation modules offers a comprehensive solution for organizations seeking to ensure compliance with Nigeria’s Data Protection Act, 2023.
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Request a demo to learn more.