Nigeria: One year of the Data Protection Regulation
The National Information Technology Development Agency (‘NITDA’) on 25 January 2019 released the Nigeria Data Protection Regulation1 (‘NDPR’). The release of the NDPR ushered in a wave of compliance in the country. In July 2019, the NITDA released the Draft Data Protection Implementation Framework2 (‘the Draft Framework’), which is expected to set the tone for implementation and enforcement. However, the Draft Framework is yet to be adopted and published. Ridwan Oloyede, Partner at Tech Hive Advisory, discusses the effects of the NDPR on data protection and what challenges there have been with its implementation so far.
Prior to the release of the NDPR, Nigeria had a fragmented and sector-specific data protection framework. The implication of this was the lack of an adequate data protection framework in the country. Over the past year, the NITDA has announced a number of investigations and responded to a number of complaints, but are yet to impose any penalty for violation of the NDPR.
The journey so far
As a result of the release of the NDPR, the awareness of organisations in the country grew concerning increased responsibility for data processing and their businesses. However, the awakening was a slow one, such that the NITDA had to move the deadline of the initial audit submission date from 25 July 2019 to 25 October 2019, citing appeal by organisations who requested more time to enable them comply. According to the NDPR, after it has been in effect for six months, data controllers processing data of over 1,000 data subjects are mandated to file an initial audit report. If processing the data of more than 2,000 data subjects, data controllers are mandated to file the annual statutory audit report on, or before, 31 March 2019 with the NITDA. Another issue was the delay of the NITDA in appointing the Data Protection Compliance Organisations (‘DPCO’). The DPCO’s are responsible for ‘training, auditing, consulting, and rendering services and products for the purpose of compliance.’ The NITDA announced the first batch of DPCOs in July 2019, which meant it was impossible for companies who were willing to comply to do so within the stipulated time.
The extension was a nudge to the industry and created an awakening on the potential implications of data protection in the country. The progression is evidenced by increased effort from companies and government agencies working towards attaining compliance. The requirement of filing an audit report is spurring a reaction. At the time of publication, about 27 organisations3 have been licensed as a DPCO and the NITDA is still looking to license more, consequently creating jobs and opportunities for professionals. According to NITDA, only 94 companies had fully complied with the NDPR, while 200 firms had been granted an extension to submit their initial data audit reports based on requests that they had made to the NITDA. In September 2019, the Director General of the NITDA, Kashifu Inuwa, inaugurated the Data Breach Investigation Team, a 15-member team which will investigate all breaches under the NDPR. The NITDA is making effort in developing engagement and awareness about the NDPR through various stakeholder events.
Investigations and enforcement landscape
The NITDA announced, in 2019, that it was investigating some organisations for non-compliance with the provisions of the NDPR. This included a web portal which exposed personal information of tax payers in Nigeria. The NITDA is still, at the time of publication, conducting an investigation into the data. In January 2020, the NITDA disclosed that it was investigating a possible data breach by a betting company, which was reported to have affected the data of over 2 million customers’.
The NDPR has ignited conversations and effort geared towards compliance, however the enforcement and wider compliance with the NDPR remains a challenge. Data protection is still a nascent substance in Nigeria and the NITDA did not allow ample time before the NDPR took effect. The shortage of professionals in the space is also a concern. A greater damage than a data breach is compliance built on misinformation from privacy professionals. The NITDA may need to impose professional liability on culpable organisations, and DPCOs and focal persons in organisation will need to invest in building competence.
Another consideration is the lack of cooperation from government agencies. A number of government agencies are yet to initiate a compliance effort. This is visible from the number of government agency websites without a privacy notice or revised notice mirroring their processing activities, and alleged instances of data breach, which begs the question, if the NITDA is independent enough to act as a supervisory authority and sanction sister agencies. The NITDA will need to grow in strength and act tough against government agencies, who act as either or both controllers and processors, in order to protect data subjects from the risk and danger of potential data breaches, and uphold the sanctity of the NDPR. There was also a possible conflict in the exercise of its regulatory powers, and the NITDA was quick to clear up the air with the prospect of the NDPR conflicting with the Nigeria Communication Commission’s directive to telecommunications companies4.
A further concern is also the cost of compliance. This can be seen from the prism of organisations who want to comply but cannot afford to do so, or organisations who are not willing to invest in compliance. Part of the feedback from the NITDA’s data protection officer workshop event, in January 2020, was that the NITDA should license more DPCOs, such that the market forces can dictate pricing. Also, while the NDPR remains a historic law, the legislation still omits a number of provisions that are recognised globally in a model data protection law.
The NITDA should ensure there is verifiable and expert certification for DPCOs and evidence based knowledge to avoid creating a licensing regime for merchants of misinformation that will not help the clients they serve, the data subject involved, and the growth of the data protection in the country. The NITDA will need to regularly issue guidelines and notices to clarify grey points and provide context to provisions of the NDPR. The ultimate destination will be to see the NDPR create a pathway for a proper legislation from the government. The NDPR should ensure that the data protection authority is independent, as contained in notable global statutes. The NITDA should publish the Draft Framework, as this will bring clarity to the NDPR and forgo the obligation to report a breach and notify data subjects.
The NITDA will need to maintain consistency in its enforcement regime against both public and private organisations, and also create guides, tools, and templates to assist both professionals and organisations.
The journey to compliance is a marathon, and the NITDA has done something remarkable by releasing the NDPR. However, there is still so much to do in order to make Nigeria an adequate data protection safe hub.
Ridwan Oloyede Partner
Tech Hive Advisory, Lagos