Nigeria Issues New Data Protection Regulation
3 Minute Read
On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”).
Key elements of the Regulation include:
- Application: The Regulation applies to all residents of Nigeria, all citizens of Nigeria residing outside of Nigeria and all organizations processing personal data of such individuals.
- Data Processing Principles: Personal data may only be processed if at least one of five legal bases are met: (1) the data subject provides consent, or if the processing is necessary; (2) for the performance of a contract; (3) to meet a legal obligation; (4) to protect the vital interests of the data subject; or (5) for the performance of a task carried out in the public interest.
- Consent: There are specific requirements for obtaining consent.
- Privacy Policy: Organizations must display a “simple and conspicuous” and easily understandable privacy policy that contains specified content.
- Data Security: Organizations must develop security measures to protect personal data, including setting up firewalls, implementing access controls, encrypting personal data, and developing internal policies for handling personal data.
- Third-Party Contracts: A data controller must enter into a written contract with any third-party processing data on its behalf that requires adherence to the Regulation.
- Data Subject Rights: Data subjects have the right to: (1) object to the processing of their personal data for marketing purposes; (2) access their personal data (and have their personal data transferred to another data controller where feasible); (3) obtain information about the processing of their personal data; (4) have their personal data deleted (where certain criteria are met); (5) have their personal data corrected; (6) restrict the processing of their personal data (where certain criteria are met); (7) withdraw consent to the processing of their personal data; and (8) lodge a complaint with the NITDA or another relevant regulator.
- Data Transfers: Transfers of personal data out of Nigeria may take place only if certain specified criteria are met.
- Transparency: Within three months of the issuance of the Regulation, all public and private organizations in Nigeria that process personal data must make available to the general public their data protection policies, which must comply with the Regulation.
- Appointment of a DPO: Every data controller must designate a Data Protection Officer (“DPO”) to ensure compliance with the Regulation.
- Privacy and Data Protection Audit: Within six months of the issuance of the Regulation, each organization subject to the Regulation must conduct a detailed audit of its privacy and data protection practices, in compliance with the requirements of the Regulation.
- Data controllers who processed the personal data of more than 1,000 data subjects in a six-month period must provide a soft copy of the audit summary to the NITDA.
- Data controllers who processed the personal data of more than 2,000 data subjects within a 12-month period must, not later than the March 15th of the following year, submit a summary of its audit to the NITDA.
- Penalties: The Regulation states that any entity found to be in breach of the privacy rights of any data subject will be liable, in addition to any other criminal liability, for the following:
- For data controllers “dealing with more than 10,000 data subjects,” a fine of 2% of annual gross revenue of the preceding year or 10 million Naira, whichever is greater; or
- For data controllers “dealing with less than 10,000 data subjects,” a fine of 1% or 2 million Naira, whichever is greater.
Tags: Consent, Data Controller, Data Processor, Data Transfer, GDPR, Nigeria, Penalty, Personal Data, Privacy Policy
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code