DATA PROTECTION AND THE NEED FOR COMPLIANCE WITHIN NIGERIAN ORGANIZATIONS
Happy New Year and welcome back to our monthly series of privacy notes! We hope you missed us as much as we missed you all. We promise to keep you educated as much as entertained this year. To kick off the year, we will be educating you, or reminding some of you (*wink*), on the meaning and importance of data protection compliance.
Data Protection Compliance is a practice that ensures the information of data subjects gathered by organizations and businesses is safeguarded and managed in such a way as to enable organizations to comply with lawful and constitutional regulations. These organizations often establish internal policies that outline how data protection compliance is to be achieved.
Under the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation 2019 (NDPR), in order to be compliant, an organization (also referred to as a data processor) that processes the personal data of data subjects (the individuals or natural persons whose data is to be protected) shall ensure that it exercises the highest level of care in collecting, storing and managing the personal/sensitive data of the data subject. ‘Personal Data’ as referenced here means any information relating to an identified or identifiable natural person (‘Data Subject’). Such a person is one who can be identified, directly or indirectly, in particular by reference to a name, an identification number, location data, an online identifier or by factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Nigerian Data Protection Commission (NDPC) has established that only a Data Protection Compliance Organization (DPCO) duly licensed by it can train, audit, consult, and render services and products for compliance with the NDPA/NDPR or any foreign Data Protection Law or Regulation having an effect in Nigeria. Upon being licensed as a DPCO, the organization is responsible for providing data protection compliance and breach services for data controllers and data administrators. Hence, when organizations cannot appoint a Data Protection Officer (DPO) or comply with the NDPR provisions, engaging the services of a DPCO should be prioritized.
Compliance with data laws and regulations is critical because it protects individuals’ privacy rights and prevents data breaches. Non-compliance can result in harsh penalties such as fines and reputational harm.
CONSEQUENCES OF NOT BEING COMPLIANT WITH THE NIGERIAN DATA PROTECTION LAWS.
The Nigerian Data Protection Laws provide for a plethora of obligations that organizations must meet in order to be compliant. For this episode, we shall focus on filing the data protection audit report. The NDPC requires organizations to file an annual audit report, which helps organizations assess their compliance level on an annual basis.
The annual Audit Cycle for 2024 has commenced and the deadline for filing the 2023 Data Protection audit report is 15th March 2024.
The consequences of failing to conduct the annual data protection audit or file the audit report with the NDPC can be severe: it can expose the organisation to financial and operational penalties. Section 47(1) of the NDPA provides for compliance orders that the Commission may make where the provisions of the Act or subsidiary legislation related to data protection are flouted. The failure to conduct and/or file the audit report with the Nigeria Data Protection Commission (NDPC) would amount to a breach of the provision of R 2.10 of the NDPR.
Consequently, the NDPC is empowered to impose penalties for non-compliance, depending on the number of data subjects whose data are in the custody of the Data Controllers/Processors. Per the NDPR, Data Controllers/Processors face a fine of 1% of the annual gross revenue of the preceding year or ₦2,000,000 (Two Million Naira), or 2% or ₦10,000,000 (Ten Million Naira), whichever is greater, depending on the number of data subjects.
Taxaide Technologies Limited, a licensed DPCO, would be glad to assist you in meeting the deadline by conducting your annual audit and filing it with the NDPC to avoid penalties.