On 25 January 2019, the Nigeria Information Technology Development Agency (the “NITDA”) issued the Nigeria Data Protection Regulation, 2019 (the “Data Protection Regulation”).
The key objectives of the Data Protection Regulation include to:
- safeguard of the rights of natural persons to data privacy;
- foster safe conduct of transactions involving the exchange of personal data;
- prevent manipulation of personal data; and
- ensure that Nigerian businesses remain competitive in international trade.
On 11 July 2019, the NITDA issued a draft version of the Nigeria Data Protection Regulation 2019: Implementation Framework (the “Draft Framework”). The Draft Framework focuses on the implementation of the Data Protection Regulation particularly in the areas of compliance and enforcement. The Draft Framework provides for the registration of Data Protection Compliance Organizations (DPCOs), who will provide auditing and compliance services for data controllers by the NITDA. Under the Draft Framework, the categories of persons who can be DPCOs include professional service consultancy firms, information technology service providers, Audit firms and law firms subject to certain qualifications.
The enforcement process for cases of breach of personal data under the Draft Framework is hinged on surveillance, complaint filing, investigation, notice of enforcement, administrative penalties as well as criminal prosecution.
The introduction of the Draft Framework is likely to result in a more efficient enforcement of the provisions of the Data Protection Regulation and effectively the imposition of penalties by the NITDA. However, the Draft Framework still remains a draft and may likely go through additional changes.