NITDA launched the ground-breaking Nigeria Data Protection Regulation (NDPR) in early 2019, cementing a culture of data privacy and protection for all Nigerians. By mirroring Europe's GDPR Framework, NITDA demonstrated its commitment to safeguarding citizens' online security.
Private organizations, such as mobile development companies that control or process data, must comply with this regulation to stay operational. Fortunately, we're here to help you avoid any costly missteps.
Follow our 5-step process for confidently navigating the NDPR compliance requirements!
Why is it Important to Comply with Nigeria's Data Protection Regulation?
Non-compliance with NDPR can lead to the following:
- Hefty Fines: Organizations that don't respect data privacy in Nigeria or are non-compliant with the regulation may have to pay 2% of their annual turnover or 10 million Naira, whichever is higher.
- Sanctions: The National Information Technology Development Agency might impose sanctions on organizations that fail to comply with the NDPR. They can revoke your license or impose a temporary or permanent ban impacting your operations.
- Reputational Damage: Non-compliance with personal data protection laws such as NDPR can also lead to reputational damage. This can lead to a loss of customer trust & brand value and, eventually, customer churn. And this can further impact your business's bottom line.
- Civil Liabilities: Companies may also be liable for any damage caused to individuals because of their voluntary or involuntary actions.
In a nutshell, non-compliance with NDPR can be detrimental to your business. Therefore, it's essential that you start implementing the guidelines. But how? Read along to find out.
Please Note. As the NDPR is relatively new, and penalties & mechanisms are still being developed and tested, the above list might vary with time.
5 Easy Steps to Comply with the Nigeria Data Protection Regulation (NDPR)
1) Determine if Your Organization is a Data Controller or Data Processor
The first step towards being compliant is finding if you're a data processor or a data controller. Here's the difference between the two:
- Data Controller: Data controller is the one that determines the purpose of data and decides in which manner it will be processed. The data controller decides how the data is collected, used, and disclosed according to data protection compliance. It's the duty of the data controller to ensure that personal data is obtained with explicit user consent.
- Data Processor: On the other hand, the data processor processes users' personal data on behalf of the data controller.
Why is it important to determine what type of data handler you are?
Well, it's important because most data compliance obligations are imposed on the data controller. The data controller will be held liable for any violation done by the data processor or the data controller.
After pinpointing the exact nature of your organization, it's crucial to ensure that data collection and storage processes are in line with all necessary NDPR regulations. Taking a step back to determine compliance can be an invaluable investment for any business - allowing you to understand where exactly you stand when protecting confidential information!
2) Mitigate the Issues
Once you know what processes your organization follows and where it stands in terms of data protection, you need to deal with the issues.
Let's say you find that your organization isn't collecting data appropriately. The first step should be tweaking the data collection processes so you collect data only with explicit consent from the users. And if your organization isn't storing or handling personal data appropriately, you may have to opt for data encryption technologies.
3) Appoint a Data Privacy Office (DPO)
Similar to GDPR, to comply with NDPR, you must appoint a Data Privacy Office (DPO), which can be an individual or an entity. Here are the primary roles of a Data Privacy Officer:
- Monitoring Internal Compliance: The DPO monitors your organization's compliance with the NDPR and other data protection regulations. They ensure you take appropriate organizational and technical measures to protect personal data.
- Offering Guidance: The DPO provides advice and guidance on data protection matters. This includes ensuring the employees are aware of the obligations under data protection laws and providing training on data protection topics.
- Serving as a Contact Point: The DPO also acts as a contact person between your organization and the NITDA on data protection matters.
- Conducting Data Protection Impact Assessment: The DPO is liable to conduct data protection impact assessments or DPIAs to identify and deal with any potential risks linked to the processing of personal data.
4) Submitting Reports to National Information Technology Development Agency (NITDA)
The data controllers who process the personal data of over 1000 subjects in 6 months must submit a soft copy of the audit to the NITDA through their appointed DPOs. Moreover, data controllers who process the personal data of over 2000 individuals in 12 months need to submit a copy of the audit every year. Here's what the audit must contain:
- A detailed description of data processing activities, including the type of data you collect and the purpose. Also, you need to reveal the parties with whom the data is shared.
- Detailed information on the data protection procedures and policies your organization has in place.
- Proof of compliance with the NDPR. You can attach data protection impact assessment records, evidence of obtaining the consent of the users before collecting their data, etc.
- Results of risk assessments, compliance reviews, and internal audits your organization has conducted.
5) Explicitly Train your Staff
In addition to following the above steps, you also need to train your staff. Because only if your staff/employees know the importance of NDPR will they be able to follow the regulations and help you stay compliant. And to ensure that, you can reach out to training agencies or individuals certified by the NITDA.
Are you ready to launch your mobile app in Nigeria? Follow the 5-step process and adhere to NDPR guidelines. To ensure data privacy is preserved, consult our Security checklist for guidance when developing or publishing a mobile application (iOS/Android). Make sure your organization and its products are held up to Nigerian standards - now let's get that app out there!