REGULATORY UPDATE: THE NIGERIA DATA PROTECTION BUREAU (NDPB) COMPLIANCE NOTICE FOR THE NATIONAL DATA PROTECTION ADEQUACY PROGRAMME (NADPAP) WHITELIST
The Nigeria Data Protection Bureau (NDPB) was established to enforce the Nigeria Data Protection Regulation 2019 (NDPR), a duty previously carried out by the Nigeria Information Technology Advancement Agency (NITDA). In line with this duty, the NDPB recently published a compliance notice that established the National Data Protection Adequacy Programme. This enumerates the compliance requirements expected of businesses and institutions that act as data controllers and data administrators.
By virtue of the notice, all companies handling the personal data of Nigerian citizens must read and understand the relevant data protection regulation in Nigeria and do the following:
- Develop and implement a privacy policy that is consistent with the NDPR. This needs to be periodically updated and all employees, customers and online visitors must be notified of these changes.
- Designate between one and three persons as their Data Protection Contacts (DPCs). The names and details of these persons to the Bureau for an induction course in Data Protection Regulation Compliance for Nigeria and the Economic Community of West African States. These DPCs may subsequently become Data Protection Officers (DPOs) after this training. The main responsibility of the data protection officer (DPO) is to make sure that the processing of personal data by her organization of its employees, clients, suppliers, or any other individuals (also known as data subjects) complies with the relevant data protection laws.
- Ensure and enforce compliance of your service providers (agents, licensees, contractors, etc) with the NDPR else they may pose a liability threat to the organization.
Organizations are mandated to comply with this on or before the 25th of November, 2022.
An organization will not be eligible to be listed on the National Data Protection Adequacy Programme (NaDPAP) Whitelist if it does not comply. This may hinder the Organization’s ability to do business under certain circumstances. A list of organizations that have been determined to have taken the necessary procedures to ensure data protection is contained in the Whitelist.
The NaDPAP Whitelist will be shared with local and foreign establishments, published on the NDPB website, and used as a resource for compliant organizations in pertinent transactions and proceedings.
Where appropriate, a fine for the NDPR violation may also be levied. Organizations are advised to comply to avoid liability and penalties.