
The National Data Protection Adequacy Programme (the “NADPAP”) Whitelist is expected to be issued by the Nigeria Data Protection Bureau (the “NDPB”) in the last quarter of 2022 or first quarter of 2023. The NDPB is the Nigerian agency responsible for data protection and privacy in Nigeria. The NDPB earlier this month issued a compliance notice of its intention to publish a Whitelist of organizations that have met the standards prescribed under the Nigerian Data Protection Regulation (NDPR), 2019 and its Implementation Framework, 2020.
1. STEPS TO BE TAKEN
The critical question for organisations that fall under the regulatory oversight of the NDPB is what needs to happen on or before the deadline of November 25th, 2022.
The compliance notice is instructive on the requirements for organisations that fall within the regulatory purview of the NDPB. So what must organisations do to make the desired Whitelist? The following are essential steps:
- Read and understand the NDPR – as it applies to various situations and persons involved in data processing (the NDPR is available at www.ndpb.gov.ng);
- Develop and implement a Privacy Policy that is consistent with the NDPR;
- Notify employees, customers, and online visitors of its Privacy Policy;
- Designate at least one or two members of staff as Data Protection Contacts (DPCs). These officers may, after training[1], become Data Protection Officers (DPOs) for the organization;
- Mandate its service providers (agents, licensees, contractors etc) to comply with the NDPR.
According to the notice, organizations are also expected to notify the NDPB of the technical and organizational measures they are taking for data privacy and protection. Organizations that do not comply with the steps outlined above before the 25th of November 2022 will be excluded from the Whitelist. The possible penalty for a breach of this obligation, in the case of a Data Controller dealing with more than 10,000 data subjects, is a fine of 2% of annual gross revenue for the preceding year or 10 million Naira (whichever is greater); in the case of a Data Controller dealing with fewer than 10,000 data subjects, it is a fine of 1% of annual gross revenue for the preceding year or 2 million Naira (whichever is higher).
2. WHAT IS THE WHITELIST AND ITS BENEFITS?
A whitelist is a mechanism which explicitly allows some identified entities to access a particular privilege, service, mobility, or recognition, i.e., it is a list of things allowed when everything is denied by default. In terms of data protection, it refers to a list of organizations that have met the relevant standard of care.
Inclusion on the NADPAP Whitelist is therefore a must-have. Beyond avoiding the penalties associated with non-compliance, inclusion of an organisation on the list is a validation by the NDPB of that organisation’s compliance with its regulations. Also significant is the NDPB's proposed public announcement of the NADPAP Whitelist in the local and international space. It is intended that the Whitelist will serve as a reference point in relevant transactions and proceedings and provide comfort to data subjects and other local and foreign third-party entities that wish to transact with an organization in Nigeria.
3. WHAT ORGANISATIONS DOES THIS APPLY TO?
It applies to Data Processors and Data Controllers that process the data of Nigerian citizens. The nature of the NDPR is that it applies to organisations within and outside Nigeria to the extent that they process data of Nigerian citizens or foreign residents in Nigeria. Notwithstanding, we have assumed that the notice issued by the NDPB is mainly applicable to organizations in Nigeria that fall under the classification of Data Processors and Data Controllers.
Organizations are encouraged to comply with the notice before the deadline indicated above.
Aluko & Oyebode is available to assist where required.
[1] (Article 4.1(3) of the NDPR provides that a Data Controller or Processor shall ensure continuous capacity building for Data Protection Officers and the generality of her personnel involved in any form of data processing).