NINE OBLIGATIONS THAT THE NDPR 2019 CREATES FOR YOUR ORGANIZATION

Updated: Jul 26, 2021

The NDPR is an interesting piece of regulation that has the sole aim of protecting the personal data of Nigerian citizens, but how does that affect your organization?





In 2019, through a statutory mandate placed by the NITDA Act 2007, the National Information Technology Development Agency developed the Nigerian Data Protection Regulation 2019 (herein referred to as ‘the regulation' or ‘NDPR 2019’). The primary aim of the aforementioned regulation is to safeguard the rights of natural persons to data privacy and advance all existing safeguards that data subjects have (Rule 2.9 NDPR 2019). The regulation applies to all organizations based in Nigeria that process data identifiable to a natural person.


Below are obligations that organizations who process data have under the regulation:

1. Appoint a Data Protection Officer (DPO)


A data protection officer (DPO) is an enterprise security leadership role required by the Nigerian Data Protection Regulation (NDPR) 2019. Data protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with NDPR requirements

According to Rule 4.1(2) &(3) of the regulation, all data controllers are directed to appoint Data Protection officers who have the assignment of ensuring compliance with the regulation and all related laws. In relation to the DPO, the Data Controller/Organization also has the responsibility of ensuring that DPOs have “continuous capacity building” for the DPO and all other persons involved in data processing in the organization. If your organization is a start-up or a growing company, a person who is qualified can dual function (with adequate compensation of course) until you can afford to expand your staff capacity.


2. Lawful Processing


It seems quite obvious that Data controllers have a huge responsibility on their hands to handle the data of data subjects in the best way possible. This is necessary, not just because of regulatory reasons, but also because of economic reasons. Well, it is not enough to do your best as regards data protection, your best must be done in accordance with what the regulation refers to as “Lawful processing”. The NDPR 2019 states in Rule 2.2 that for data processing to qualify as ‘Lawful’ there are conditions are must be fulfilled. Some of these conditions are consent, tasks carried out in public interest or in order to protect the vital interest of a person, processing necessary to fulfill a legal obligation, etc.

3. Consent


clear and plain language

Rule 2.3 of the regulation deals with the issue of consent and how it is to be obtained. The first responsibility saddled upon the data controller (where processing is based on consent) is to ensure that the data subject is aware of the fact that his/her consent can be withdrawn and the medium through which such should be done. Also, no data shall be acquired and processed unless the data subject knows exactly why the data is to be processed. The regulation states unequivocally in Rule 2.3 (2)(b) that the request for consent must be in ‘clear and plain language”. It must be emphasized that lawyers can protect their clients and still communicate in clear terms.


Consent should not be obtained by fraud, coercion, or undue influence. Consequently, when consent has been obtained, the data controller must be able to prove (if necessary) that the data subject consented, with requisite legal capacity. In a situation where the data is to be transferred to a third party under any circumstances, the data subject is to be informed. Where the consent is sought in writing and other matters are communicated through the same medium, the request for consent must be clear and not muddled up so that the data subject understands.


Consent is invalid ab initio if it will “engender direct or indirect propagation of atrocities, hate, child rights violation, criminal acts, and anti-social conducts” (Rule 2.4).




4. Data Security


Rule 2.6 mandates “Anyone involved in data processing or the control of data” to put in place adequate infrastructure and measures to protect the data that they handle and process. Some of the ways to achieve this as suggested by the regulation are:


  • protecting systems from hackers

  • setting up firewalls

  • storing data securely with access to specific authorized individuals

  • employing data encryption technologies

  • developing organizational policy for handling Personal Data (Create data protection policies )

  • continuous capacity building for staff.


Achieving data security isn't limited to the points stated above, and according to ITProPortal, cybersecurity cost the world over 1 trillion dollars in 2020. This should paint a picture of how difficult, delicate, and high-priority cybersecurity is in a world that is digitalized, now more than ever.


5. Third Party Duties


According to Rule 2.7, a data controller has the duty to ensure that any data processing relationship with a third party is governed by a written contract. This is because it is the Data Controller's duty to ensure that the third party complies with the regulation in the process of processing the data. Consequently, a party to a data processing contract (excluding the data subject) must verify in form of due diligence that the other party does not have records of violating principles set out in part 3 of the regulation and that the party is subject to NITDA or any other recognized data protection regulatory authority in or out of the Nigerian jurisdiction.



6. Privacy Policy



The heading for Rule 2.5 clearly spells out the regulation’s theme for privacy policies: Publicity and Clarity. Every organization has a duty to display a privacy policy in simple and easy-to-understand terms. The goal of this part of the regulation is to make sure that data controllers have done everything to make sure that data subjects are informed. You can read up on our post on Privacy Policies to understand what a compliant privacy policy looks like.


A privacy policy is often displayed on websites of organizations but privacy policies are not restricted to websites. They are mandated to appear on every medium through which an organization collects data.



7. Transfer to a foreign country


When personal data is to be transferred to a foreign country for any reason, Rule 2.11 states that it has to be under the supervision of the Honourable Attorney General of the Federation (AGF). Where the consent and supervision of the AGF has not or can not be obtained, a few listed exceptions have been stated by the regulation as grounds on which the transfer can occur. Some of the exceptions stated are Consent on the part of the data subject, transfer for the fulfillment of a contract between the data controller and the data subject, public interest, a transfer done in defense of legal claims etc.


8. File Annual Report


When a data controller has processed the data of more than one thousand (1000) people in six(6) months or two thousand (2000) people in the space of a year, the data controller is mandated to submit a detailed audit containing certain information stated in the regulation.


This can be done by a licensed Data Protection Compliance Organization(DPCO) engaged in a professional capacity by the data controller.


9. Capacity building

“'Data Controller' means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed;

As a way to further the implementation of the regulation, it is mandated in Rule 4.1(3) that Data Processors and Data Controllers ensure that they facilitate the continuous development of their appointed DPOs and those in charge of processing data. This is to ensure that they are up to date with global trends on data security and have the requisite skills to handle, process, and protect data adequately to the best of their abilities.




In conclusion, pursuant to Rule 2.10 of the regulation, an organization could lose a percentage of its annual gross revenue or more in the form of a fine if the organization is found in breach of the data privacy rights of a data subject. No one wants to lose their hard-earned money in form of fines or lose loyal customers who feel betrayed by a breach of data privacy rights or even attract any form of criminal liability.


Please do not take any of the information above as legal advice. We consistently try to do our best to provide you useful information in the form of articles, nothing can substitute actual professional legal advice in terms of compliance with the regulation. You can reach out by clicking here for legal advice.


155 views