Frequently Asked Quetions

Nigeria Data Protection Regulation

  • To safeguard the rights of Natural Persons to Data Privacy;
  • To foster safe conduct of transactions involving the exchange of Personal Data;
  • To prevent manipulation of Personal Data; and
  • To ensure that Nigerian businesses remain competitive in international trade through the safe-guards afforded by a just and equitable legal regulatory framework on data protection and which (framework) is in tune with best practice. (See Article 1.1, NDPR)

  • NDPR applies to all transactions that involve the processing of Personal Data;
  • NDPR applies to natural persons residing in Nigeria or residing outside Nigeria (but who are citizens of Nigeria);
  • NDPR does not limit, abridge or deny the full protection a natural person is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction. (See Article 1.2, NDPR)

Data Processing means: any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (See Article 1.3 xxi, NDPR)

The consent of a data subject is very important in data processing. A Data Controller must seek this consent either in writing or by any other action through which the Data Subject knows he is giving consent. There are exceptions where duly constituted authorities can process data without consent in public interest or where private organizations may have lawful and cogent basis (albeit rebuttable) for data processing. These exceptions are without prejudice to the principles of data protection. Hence every data controller whether acting in public interest or in private interest can be held to account under the NDPR. (See Articles 2.1-2.4, NDPR)

Privacy right is a fundamental right that is recognized and enforceable through executive powers vested in the executive arm and the judicial powers vested in the judicial arm of government. In the exercise of the executive powers vested in the President by virtue of Section 5, 1999 Constitution of the Federal Republic of Nigeria (CFRN, as amended), the NDPB was established to implement the NDPR (See About Us). Through its synergy or collaboration with relevant government agencies such as the National Information Technology Development Agency (NITDA), Nigeria Police Force, Federal Competition and Consumer Protection Commission, Independent Corrupt Practices and Related Offences Commission (ICPC), Central Bank of Nigeria etc. NDPB takes effective executive measures in protecting the Privacy Rights of Data Subjects.

The NDPR recognizes the need for cross-border transfer of data in an era of globalized and high-speed business transactions. Article 2.11 of the Regulation, which touches on transfer to a foreign country, addresses this issue. To comply with the provision and other aspects of the Regulation, the Data Controller is under legal obligation to provide the following:
  • I) The name(s) of the country where personally identifiable information of Nigerian citizens are transferred on a regular course of business.
  • II) The consent of the data subject in line with the principles of data protection.
  • III) The Data Protection Laws and contact of National Data Protection Office / Administration of such of the named country (in I above)
  • IV) The Privacy Policy of the Data Controller which must comply with the provisions of the NDPR.
  • V) An overview of encryption method and data security standard.
  • VI) Any other detail that assures the privacy of personal Data is adequately Protected in the named country (in “(I)” above).

Data Controllers are expected to file their data audit report annually before the 15th of March of a new year. (See Article 4.1 (7) NDPR)

Data Privacy Audit is a legal standard and an obligation imposed on all Data Controllers regardless of the number of data subjects processed. (See Article 4.1(5) NDPR). A data controller who neglects to abide by this legal requirement and to demonstrate compliance by filing the audit returns with the Bureau faces the risk of legal action on the part of data subjects and the Bureau. Failure to demonstrate compliance is a justiciable threat to the fundamental right to privacy. NDPR does not limit the right of a data subject, rather it advances the right. The PAR filed by a Data Controller is the first certifiable public document that has probative value whenever and wherever proof of NDPR compliance is required.

PAR is to be filed with the Bureau through a Licensed DPCO (See the List of Licensed DPCOs).

Yes. NDPR covers all sectors and all aspects of data privacy. Sectorial guidelines or regulations are usually directed at customers or persons to whom you (as a Data Controller or Processor) may owe a fiduciary duty. NDPR, in line with section 37 of 1999 Constitution of the Federal Republic of Nigeria, imposes a duty of care in respect of customers, employees, guests, visitors and all other categories of data-subjects whose data may be in your custody or come into your custody for any reason?

  • Breach of data privacy by a non-compliant Data Controller or Processor attracts administrative and criminal sanctions.
  • Data Subjects have the right to take civil actions against the Controller on the basis of the NDPR.
  • The business implication of non-compliance includes brand image damage, loss of customers, restriction from international market opportunity, lack of support from national Supervisory Authority against foreign investigation of breach by an international authority.
  • Negative perception/reputation of the organization.

According to Article 2.10 of the NDPR:
Any person subject to this Regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:
  • In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater;
  • In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

Professionals are not restricted from performing their professional duties; however, only licensed DPCOs can provide competent verification statement on an Privacy Audit Returns.