
12 Processes Towards

Nigeria Data Protection Regulation (NDPR) Compliance

By
David Harry

Outline
 Introduction.
 Raise Awareness.
 Information Mapping And Data Audit.
 Notices & Privacy Communications.
 Data Subjects Rights Under NDPR.
 Subject Access Requests.
 Legal basis for processing.
 Collecting and Managing Consent.
 Processing Personal Data of Children.
 Data security and breaches.
 Privacy by design and default.
 Duties of a Data protection officer.
 Requirements for Data transfers.
 Conclusion.
 Recommendation.
Introduction
The NDPR was issued by NITDA on 25 January 2019.

What is the NDPR?
The Nigeria Data Protection Regulation (NDPR) is a set of rules governing how an
organization must process the personal data of individuals.

The NDPR's objectives include:
 To safeguard the rights of natural persons to data privacy.
 To foster the safe conduct of transactions involving the exchange of
personal data.
 To prevent the manipulation of personal data in ways that may lead to a breach of
public peace and national security.
Raise Awareness
 An organization's data is touched by many different people and
teams.
 Decision-makers and key members of the organization
must be aware that the law has changed.
 They need to anticipate the impact and the potential risk of
non-compliance with the NDPR.
 They need to identify areas that could cause compliance
problems under the NDPR.
 Training must be organized to create awareness across the
whole organization.
Information Mapping And Data Audit
 All personal data an organization holds should be
documented, where it came from, how it was collected and
with whom and how it is shared.
 All sources of data and all types of data relationship must be
identified.
 Undertaking a formal information audit must be considered.
 Questions to ask include:
 Who are your data subjects?
 Who has access to sensitive data?
 Where do we keep personal data?
 Where do we transfer personal data to?
Notices & Privacy Communications
 A full review of current privacy notices must be done.
 These privacy notices must align with the requirements of the
NDPR.
 These notices must:
 Describe the processing activities occurring at the time
personal data is collected.
 Be present at every point where personal data is collected.
 State the right to lodge a complaint.
 Name the recipients of the data and any transfers.
 State the right to withdraw consent at any time.
Data Subject Rights
 Under the NDPR, the rights of data subjects are clearly recognized.
 Organizations must be able to demonstrate that they can respond to a
data subject's request concerning their personal data.
 Generally, a request must be answered within the stipulated
time.
 To comply, organizations must be able to demonstrate that they
can:
 Validate the identity of the requesting data subject.
 Enable a data subject to request access to their personal data.
 Respond to requests for access to personal data.
 Accept rectification requests and rectify personal data.
 Erase personal data on request and, where it has been shared with third parties, contact those recipients so they erase it as well.
 Discontinue data processing on request and demonstrate compliance.
Subject Access Requests
 Organizations should update their procedures and implement a plan
for how requests will be handled that takes account of the new
rules.
 An organization can refuse, or charge a fee for, requests that are
manifestly excessive.
 If a request is refused, the individual should be told why and
should also be told that they have the right to complain to the
supervisory authority and to seek a judicial remedy.
 An organization that handles a large number of access requests
could develop systems that allow individuals to access their
information easily online.
Legal Basis For Processing
 Organizations are required to review their data processing activities and
document the legal basis for each type of processing.
 Organizations must ensure that:
 No personal data is collected beyond the minimum necessary for each
specific purpose of the processing.
 No personal data is retained beyond the minimum necessary for each
specific purpose of the processing.
 No personal data is disseminated to non-public third parties for
purposes other than those for which it was collected.
 No personal data is sold.
 A privacy impact assessment (PIA) is performed when data processing is
likely to result in a high risk to the rights and freedoms of individuals.
 This includes:
 A description of the processing.
 Involvement of the data protection officer, where one is designated.
Collecting and Managing Consent
 Organizations should review how they seek, record and
manage consent, and whether they need to make any changes.
 Existing consents should be refreshed immediately if they do not
meet the NDPR standard.
 Consent must be freely given, specific, informed and
unambiguous.
 Consent has to be verifiable, and individuals generally have
more rights where consent is relied upon to process their
data.
 If individual consent is relied upon to process data, it must
meet the NDPR standard: specific, clear, prominent,
properly documented and easily withdrawn.
Processing Personal Data of Children
 Organizations should consider the need to put systems
in place to verify individuals' ages and to obtain parental or
guardian consent for any data processing activity involving children.
 The NDPR sets 16 as the age at which a child can give their own
consent to the processing of their personal data.
 If a child is under the age of 16, consent must be obtained
from the person holding parental responsibility for the child.
 Privacy notices used when collecting children's data must be
written in language that children will understand.
Data Security And Breaches
 Data security is central to the NDPR, which requires that
appropriate procedures are in place to detect, report and
investigate data breaches.
 This includes:
 Providing mechanisms to encrypt or otherwise secure
personal data.
 Providing mechanisms to restore the availability of, and access
to, personal data after an incident.
 Regularly testing the effectiveness of security measures.
 Notifying the data protection authority within the stipulated
time in the event of a data breach.
 Notifying affected data subjects of a high-risk data breach.
Privacy By Design And Default
 Privacy by design requires that all consumer interactions
and touch points have privacy designed into them, and that
their default mode is one of compliance.
 This requires that:
 Processing activities are planned, designed and
performed with data security and, more generally,
compliance with the NDPR in mind.
 By default, only the personal data necessary for
each specific purpose of the processing is
processed.
 By default, personal data is not made accessible to an
indefinite number of individuals without the data subject's
intervention.
Duties of a Data Protection Officer
 Any organization that processes personal data as a "core activity", does so on a
large scale, or uses data collected via tracking and monitoring tools will
need to appoint a data protection officer (DPO).
 The DPO will need to ensure that the organization:
 Maintains audit trails to demonstrate accountability and compliance.
 Maintains an inventory of data, detailing the categories of data subjects.
 Maintains auditable trails of processing activities.
 Carries out data protection impact assessments of processing operations.
 Monitors compliance with data protection laws.
 Liaises with, and assists, the supervisory authority.
Requirements For Data Transfers
 Ensure that the data collected can be transferred or given
back to customers.
 A data subject can request their personal data at any time.
 An organization should be able to provide data in
the following ways:
 In a structured, commonly used, machine-readable
format.
 In a way that can easily be transferred to another data
controller (this is known as "data portability").
 Organizations need to be able to support this data
transfer and give customers the ability to receive their
personal data in a legible, common format.

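The privacy-by-default, consent, children's-age and data-portability points above can be expressed as code. The following is an added example, not code from the presentation or from NITDA; the purpose register, the customer record and the field names are constructed for illustration, and the in-memory audit trail stands in for whatever the DPO actually uses to evidence processing activities.

```python
"""Purpose-bound data minimisation with an audit trail, plus a portability export.
Added example: all names and data below are hypothetical."""
import json
from datetime import date, datetime, timezone

# Constructed sample record for one data subject (not real data).
CUSTOMER_RECORD = {
    "customer_id": "c-1001",
    "full_name": "Ada Okafor",
    "email": "ada@example.com",
    "phone": "+234 800 000 0000",
    "date_of_birth": "2001-04-12",
    "delivery_address": "12 Example Street, Lagos",
    "orders": [{"order_id": "o-77", "total_ngn": 12500}],
}

# Hypothetical purpose register: the minimum fields each purpose needs
# (privacy by default) and whether it may only run on the subject's consent.
PURPOSE_REGISTER = {
    "order_fulfilment": {
        "fields": {"customer_id", "full_name", "delivery_address", "phone"},
        "requires_consent": False,   # legal basis: performance of a contract
    },
    "marketing": {
        "fields": {"customer_id", "email"},
        "requires_consent": True,
    },
    "age_verification": {
        "fields": {"customer_id", "date_of_birth"},
        "requires_consent": False,
    },
}

CHILD_AGE_LIMIT = 16   # below this age the NDPR requires parental consent

AUDIT_TRAIL = []       # in-memory stand-in for the DPO's auditable trail


class ProcessingDenied(Exception):
    """Raised when a purpose is unregistered or lacks its legal basis."""


def minimise(record, purpose, consents=frozenset()):
    """Return only the fields the named purpose needs.

    Processing is denied for an unregistered purpose, and for a consent-based
    purpose the data subject has not consented to. Every call, allowed or
    denied, is appended to AUDIT_TRAIL so the controller can show what was
    processed, for which purpose, and when.
    """
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "subject": record.get("customer_id"),
        "purpose": purpose,
    }
    spec = PURPOSE_REGISTER.get(purpose)
    if spec is None:
        entry["outcome"] = "denied: unregistered purpose"
        AUDIT_TRAIL.append(entry)
        raise ProcessingDenied(entry["outcome"])
    if spec["requires_consent"] and purpose not in consents:
        entry["outcome"] = "denied: no consent"
        AUDIT_TRAIL.append(entry)
        raise ProcessingDenied(entry["outcome"])
    view = {k: v for k, v in record.items() if k in spec["fields"]}
    entry["outcome"] = "allowed"
    entry["fields"] = sorted(view)
    AUDIT_TRAIL.append(entry)
    return view


def needs_parental_consent(date_of_birth_iso, today_iso):
    """True if the subject is under CHILD_AGE_LIMIT on the given day (ISO dates)."""
    dob = date.fromisoformat(date_of_birth_iso)
    today = date.fromisoformat(today_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age < CHILD_AGE_LIMIT


def export_for_portability(record):
    """Serialise the subject's full record as JSON for a portability request."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(minimise(CUSTOMER_RECORD, "order_fulfilment"))
    try:
        minimise(CUSTOMER_RECORD, "marketing")   # no consent recorded
    except ProcessingDenied as exc:
        print("marketing:", exc)
    print(export_for_portability(CUSTOMER_RECORD))
    print(AUDIT_TRAIL)
```

The point of routing every read through `minimise` is that a caller cannot obtain fields outside its registered purpose, and the attempt itself is recorded; in a real system the register would be the documented legal-basis inventory and the trail would be persisted, not a list.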
Conclusion
 In conclusion:
 Organizations must be aware of the NDPR and must organize
training to enlighten their staff.
 All personal data held by an organization must be documented.
 A full review of privacy notices must be done, and they must align with NDPR
requirements.
 Organizations must be able to respond to data subjects' requests concerning their
personal data within the stipulated time.
 Organizations should ensure that only the necessary personal data is processed.
 Organizations must obtain consent from individuals to process their personal
data where consent is the legal basis.
 Organizations that process data on a large scale must appoint a DPO.
 Organizations must ensure that personal data can be transferred to customers
at any time.
 These steps must be followed judiciously in order to be in full compliance with
the NDPR.
Recommendation
 It is of great importance that organizations commence the
implementation of the NDPR; the benefits outweigh the
drawbacks.
 The benefits include:
 Improved brand image and competitive advantage.
 Increased customer trust and confidence.
 Reduced risk from data breaches and attackers.
 Fewer security incidents.
 Avoidance of fines.