Question 1

What is the NDPA and how does it compare to GDPR?

Accepted Answer

The Nigeria Data Protection Act (NDPA) 2023 is Nigeria's comprehensive data protection law that replaced the earlier Nigeria Data Protection Regulation (NDPR) of 2019. The NDPA shares many structural similarities with the EU's GDPR, including principles of lawful processing, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. Both laws grant data subjects rights of access, rectification, erasure, and portability. Key differences include the NDPA's establishment of the Nigeria Data Protection Commission (NDPC) as the dedicated supervisory authority, different threshold requirements for appointing a Data Protection Officer, specific provisions for cross-border data transfers from Nigeria, and a penalty framework scaled to the Nigerian regulatory context. Organisations already compliant with GDPR will find approximately 70 to 80 percent of their existing controls applicable to NDPA compliance.

Question 2

Who must comply with the NDPA?

Accepted Answer

The NDPA applies to any data controller or data processor that processes personal data of Nigerian data subjects, regardless of whether the processing takes place in Nigeria or outside its borders. This includes Nigerian companies, foreign companies offering goods or services to people in Nigeria, organisations monitoring the behaviour of Nigerian data subjects, and any entity processing personal data within Nigeria. The NDPA applies to both the private and public sectors. Data controllers of major importance, as designated by the Nigeria Data Protection Commission based on factors like the volume of data processed and the nature of processing activities, face additional obligations including mandatory registration with the NDPC and conducting annual Data Protection Impact Assessments.

Question 3

What are the data subject rights under the NDPA?

Accepted Answer

The NDPA grants Nigerian data subjects several fundamental rights: the right to be informed about the processing of their personal data, the right of access to their personal data held by a controller, the right to rectification of inaccurate or incomplete personal data, the right to erasure (deletion) of their personal data under certain conditions, the right to restrict processing in specific circumstances, the right to data portability in a structured, commonly used, and machine-readable format, the right to object to processing based on legitimate interests or for direct marketing purposes, and the right not to be subject to decisions based solely on automated processing including profiling. Data controllers must respond to data subject requests within a reasonable period as defined by the NDPC. Venvera tracks data subject requests with deadline monitoring and workflow management.

Question 4

What are the breach notification requirements under the NDPA?

Accepted Answer

The NDPA requires data controllers to notify the Nigeria Data Protection Commission of any personal data breach that is likely to result in a risk to the rights and freedoms of data subjects. Notification must be made within 72 hours of becoming aware of the breach. The notification must include the nature of the personal data breach, categories and approximate number of data subjects affected, the name and contact details of the Data Protection Officer or contact point, a description of the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller must also communicate the breach to the affected data subjects without undue delay. Venvera automates breach notification workflows with deadline tracking and pre-formatted notification templates.

Question 5

What is the Nigeria Data Protection Commission (NDPC)?

Accepted Answer

The Nigeria Data Protection Commission (NDPC) is the independent regulatory body established under the NDPA 2023 to oversee and enforce data protection in Nigeria. It replaced the former National Information Technology Development Agency (NITDA) in this role. The NDPC is responsible for monitoring and enforcing compliance with the NDPA, issuing regulations and guidelines, registering data controllers of major importance, investigating complaints from data subjects, conducting audits and assessments, promoting public awareness of data protection rights, and cooperating with data protection authorities in other jurisdictions. The NDPC also maintains a register of data controllers of major importance and has the power to impose administrative penalties for non-compliance. Organisations processing personal data of Nigerian residents should monitor NDPC guidance and ensure their data processing activities are registered where required.

Question 6

What are the penalties for NDPA non-compliance?

Accepted Answer

The NDPA establishes a tiered penalty framework for non-compliance. For data controllers of major importance, fines can reach up to 2% of annual gross revenue in the preceding financial year or 10 million naira, whichever is greater. For data controllers other than those of major importance, fines can reach up to 2% of annual gross revenue or 2 million naira, whichever is greater. Beyond financial penalties, the NDPC can issue enforcement notices, order the cessation of data processing activities, require the deletion of improperly processed data, and publish findings of non-compliance. Individuals also have the right to seek compensation through the courts for damages suffered as a result of NDPA violations. Organisations that demonstrate proactive compliance efforts, such as appointing a DPO, conducting regular DPIAs, and maintaining processing records, are better positioned to negotiate with the NDPC in the event of an investigation.

Question 7

How does the NDPA handle cross-border data transfers?

Accepted Answer

The NDPA permits cross-border transfers of personal data from Nigeria to other countries or international organisations subject to certain conditions. Transfers are allowed to countries or territories that the NDPC has determined provide an adequate level of data protection. In the absence of an adequacy determination, transfers can proceed where appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the NDPC, or codes of conduct with binding enforcement mechanisms. Transfers can also occur based on specific derogations including the explicit consent of the data subject, necessity for the performance of a contract, important reasons of public interest, or the establishment or defence of legal claims. Data controllers must conduct transfer impact assessments when relying on safeguards. Venvera tracks all cross-border transfers, documents the legal basis for each, and flags transfers to jurisdictions without adequacy determinations.

NDPA COMPLIANCE SOFTWARE: NIGERIA DATA PROTECTION ACT MANAGEMENT

PROCESSING ACTIVITY RECORDS FOR NDPA COMPLIANCE

DATA SUBJECT RIGHTS REQUEST TRACKING AND FULFILMENT

BREACH NOTIFICATION WITH 72-HOUR NDPC REPORTING

CROSS-BORDER TRANSFER TRACKING AND SAFEGUARD DOCUMENTATION

DATA PROTECTION OFFICER MANAGEMENT AND OVERSIGHT

COMPLIANCE REPORTING FOR NDPC AND BOARD OVERSIGHT

NDPA COMPLIANCE: VENVERA VS MANUAL TRACKING

FREQUENTLY ASKED QUESTIONS ABOUT THE NDPA

COMPLETE YOUR DATA PROTECTION STACK

GDPR

Control Crosswalk

Incident Management

Pricing

READY TO MANAGE YOUR
NDPA COMPLIANCE?