Did you know that:

  • Regulation 2.6 of the Nigeria Data Protection Regulations 2019 ("NDPR") places an obligation on any person or organisation that is involved in the processing of Personal Data or organisations that control data to develop security measures to protect the Personal Data of its users or customers from unauthorised access or use.
  • Some of the security measures recommended under the NDPR that your organisation can use to protect the Personal Data in its custody include the following:
    1. taking steps to protect computer systems and other devices from hackers;
    2. setting up firewalls and employing data encryption technologies;
    3. storing data securely with access given to specific authorized individuals;
    4. developing organisational policy for handling Personal Data (and other sensitive or confidential data);
    5. protecting emailing systems of staff members; and
    6. ensuring continuous capacity building and training for staff members with regard to the protection of Personal Data.
  • Where your organisation fails to take steps to secure the Personal Data under its control, this could amount to a breach of the NDPR, and your organisation could be liable where such default results in a data breach.
  • Furthermore, the Nigeria Data Protection Bureau ("NDPB") Compliance Notice 2022 provides that there shall be a National Data Protection Adequacy Programme (NaDPAP) Whitelist published on the NDPB website and major newspapers, as well as shared with local and international establishments. The NaDPAP Whitelist shall include the names of organisations and establishments that have complied with the provisions of the NDPR and notified the NDPB of the technical and organizational measures they take for data privacy and protection.
  • The penalty imposed on Data Controllers and/or Processors for any breach of the provisions of the NDPR is a fine of 2% of the Annual Gross Revenue of the preceding year or N10,000,000, whichever is greater, for a Data Controller that processes the Personal Data of more than 10,000 Data Subjects, or a fine of 1% of the Annual Gross Revenue of the preceding year or N2,000,000, whichever is greater, for a Data Controller that processes the Personal Data of fewer than 10,000 Data Subjects.
  • In addition, a breach of the NDPR is also construed to be a breach of the provisions of the National Information Technology Development Agency Act, 2007 ("NITDA Act"); consequently, the penalties stipulated under the NITDA Act could also apply where any provision of the NDPR has been breached.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.