In a bid to safeguard the fundamental rights, freedoms, and interests of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria, the Nigerian government has enacted the Data Protection Act, which is the primary law regulating data protection in Nigeria.
The government's primary aim in enacting the Data Protection Law in Nigeria is to protect the personal information of the citizens of Nigeria. Other reasons for this Act include, but are not limited to, the following:
- Establishing the Nigeria Data Protection Commission for the regulation of the processing of personal information;
- Promoting data processing practices that safeguard the security of personal data and privacy of data subjects;
- Protecting data subjects’ rights, and providing means of recourse and remedies in the event of a breach of the data subject’s rights; and
- Strengthening the legal foundations of the national digital economy and guaranteeing the participation of Nigeria in the regional and global economies through the beneficial and trusted use of personal data.
A subsidiary law is the Nigeria Data Protection Regulation (NDPR), which is personal and territorial. This regulation applies to the citizens of Nigeria who are present in Nigeria and in the diaspora, and it provides legal safeguards for the processing of their data.
The NDPR is saddled with the responsibility of ensuring a tailored implementation of the data protection regime in Nigeria. It serves as a guide to data controllers/processors to understand the standards required for compliance within their organizations.
Scope of the Regulation
The data protection law in Nigeria covers data controllers and data processors engaged in processing personal data of subjects within Nigeria, and applies to entities domiciled, resident, or operating within Nigeria. The Act also covers data controllers or data processors outside Nigeria who process the personal data of Nigerians. This provision differs from the NDPR 2019 Regulations and Implementation Framework, which focuses on individuals residing in Nigeria or Nigerians residing outside Nigeria.
However, the Act does not apply to the processing of personal data by individuals exclusively for personal or household purposes, on the condition that such processing for personal or household reasons does not violate the fundamental right to privacy of the data subject.
A data controller or data processor is exempt from the provisions of the Act, subject to the rights and freedoms under the 1999 Constitution, if the personal data processing is:
- Carried out by a competent authority for the prevention, investigation, detection, prosecution, or adjudication of a criminal offense or the execution of a criminal penalty, or control of national public health emergencies, or national security;
- For public interest publications (such as journalism, education, art, and literature) to the extent it conflicts with obligations and rights of data subjects, or
- Required for establishing, exercising, or defending legal claims in court, administrative, or out-of-court proceedings.
All the above are subject to the rights and freedoms of the data subject under the 1999 Constitution.
Lawful Basis for Processing Personal Data
Data processors and controllers must abide by the following principles when processing the data of their subjects:
- Personal data must be processed in a fair, lawful, and transparent manner. This means that businesses must communicate plainly with data subjects about the purposes and their methods of data processing.
- Collection of data must be for specific, explicit, and legitimate purposes, and the data must not be further processed in any way that is inconsistent with the original intent. This principle requires businesses to be more precise and transparent about their data collection practices. Affected companies may therefore need to revise their existing data processing procedures and policies to ensure that they comply with the provisions of the Act.
- Personal data should be adequate, relevant, and limited to the minimum necessary for the purposes for which it was collected or processed. Consequently, businesses will need to ensure that they collect only the data required for the stated purpose, limiting the risk of holding unnecessary and potentially sensitive information of the data subject. To comply, businesses must adopt a more targeted, direct, and streamlined approach in their data collection strategies so that they only collect the needed data.
- The retention period for personal data should not be longer than necessary to achieve its lawful purposes. The retention principle implies that businesses will need to institute clear data retention and deletion policies to ensure that they delete data once it is no longer needed.
- Data must be kept complete, not misleading, and up to date. For businesses, this necessitates the implementation of data validation processes and periodic reviews of stored information to ensure its accuracy and completeness.
- Consistent with the central objective of the Act, businesses are required to process data in a manner that ensures appropriate protection against unauthorized or unlawful processing, access, loss, destruction, damage, or data breaches. This would require data controllers and data processors to adopt robust security measures, including encryption, access controls, and other data protection mechanisms to ensure the absolute security of data collected and/or processed.
Considerations for Processing of Personal Data
Consent
The consent of the data subject is a vital consideration and, as stipulated by the Act, must be obtained unequivocally by the data processor or controller. It can be provided in writing, orally, or electronically, but it cannot be assumed from silence or inactivity.
In the case of a child, that is, a person who is below the age of 18 years and as such lacks legal capacity, the Act provides that the data controller must obtain consent from a parent or legal guardian. The data controller must employ suitable methods to verify the age and consent, using available technological means.
Data Protection Impact Assessment
The Act stipulates the Data Protection Impact Assessment (DPIA) as a process designed to identify the risks and impact of processing personal data. This may involve systematically describing the envisaged processing and its purpose, assessing the necessity and proportionality of the processing in relation to the purpose, evaluating the risks to the rights and freedoms of a data subject, and outlining measures to mitigate the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data.
Data Protection Officers
Data controllers of major importance who are domiciled, resident, or operating in Nigeria are mandated by the Act to appoint a Data Protection Officer (DPO) who has expert knowledge of data protection law and practices. The DPO will be responsible for providing expert opinion and guidance to the organization on data protection matters and shall act as a contact point with the regulators.
Conclusion
The Act contains some very important provisions that are pivotal in ensuring the personal data protection of data subjects in Nigeria. It is noteworthy that the transitional provisions of the Act preserve all orders, rules, regulations, decisions, directions, licenses, and other documents that were in effect before the enactment of the Act, to the extent that they do not conflict with the provisions of the Act.
In the event you need clarification on any of the provisions of the Act and regulation on data protection in Nigeria, you can contact us for a free consultation.
We offer several legal services, ranging from company formation and management, family dispute and resolution, immigration, debt recovery, alternative dispute resolution, and real estate to a host of others, in the United Kingdom, India, Africa, and Asia.
We at eLegal Consultants are ready to journey with you to help you actualize your dreams. Contact us today.