DataPro joins the rest of the World and Nigeria in celebrating Data Privacy Day. It is observed annually on January 28th, and aims at raising awareness about the importance of data privacy. Data Privacy Day is also celebrated in the European Union, United States, Canada and Israel. The issuance of the Nigeria Data Protection Regulation (NDPR) in 2019 showcased Nigeria’s commitment to Data Protection and Privacy of its citizens.

To commemorate the 2022 celebration, Ademikun Adeseyoju, Team Lead, Data Protection & Privacy Compliance Department of DataPro Limited; a leading Compliance Solutions Company in Nigeria, and one of the licensed Data Protection Compliance Organisations (DPCO) speaks on the history and significance of the day as well as the achievements of the NDPR regime, 3 years later.

What is the history and significance of Data Privacy Day?

Data Privacy Day initially kicked off as an educational event for the purpose of raising awareness among businesses to promote data subject privacy and protect data subjects’ personal data. Over the years, it has expanded to include individuals across board.

The first event, in commemoration of the day, held in 2007 by the Council of Europe and was referred to as the “European Data Protection Day”. Upon attaining international status, it became renamed as “Data Privacy Day”.

With the growing rate of data thefts, breaches and cybercrime cases, it is expedient that all stakeholders join hands in ensuring that adequate measures are put in place for the protection of personal data and adhered to. The global day therefore seeks to reinforce the importance of privacy by sensitizing individuals and disseminating privacy practices and principles. In essence, the goal is to provoke personal ownership of privacy responsibilities in order to create a culture of privacy.

What are Data Protection & Privacy Requirements for Businesses in Nigeria?

The Nigeria Data Protection Regulation (NDPR) 2019 was issued in January 2019 by the National Information Technology Development Agency (NITDA), the regulatory agency charged with driving Data Protection compliance in Nigeria. The issuance of the NDPR 2019 provided an array of obligations for Data Controller and Processors in Nigeria. Data Controllers and Processors are obligated to appoint a Data Protection Officer for the purpose of ensuring company-wide adherence to the regulation.

Additionally, they are required to develop a Data Protection and Privacy policy which should set the tone of Data Protection and Privacy practices in the organisation; conduct training and awareness on Data Protection and Privacy for all staff; conduct Data Protection Impact Assessment (DPIA); and implement adequate security measures to protect data.

Similarly, Data Controllers and Processors who process the personal data of more than 2000 data subjects in a period of 12 months are required to conduct annual Data Protection Audit and file the report with NITDA. This is to showcase their level of compliance with the provisions of the NDPR. For more information on compliance implementation, please contact us

It has been 3 years since the issuance of the NDPR 2019. In your opinion, has the regime recorded continued success?

The reception to the regime has continued to improve resulting in significant compliance by entities. Between 2020 and 2021, NITDA received audit fillings from 1230 entities.

This is a 94% growth from 2019/2020 filings. The list of all Audit-Compliant Organisations is available on the Agency’s website.

Similarly, in its commitment to the creation of job opportunities, 42 additional entities were granted Data Protection Compliance Organisation (DPCO) license in 2021, bringing the total number of DPCOs to 102, of which DataPro is one.

The Agency also has not regened on the performance of its oversight function. This is evident in its effort to hold entities accountable. In particular, a private entity was fine the sum of N10,000,000.00 naira for privacy invasion. This is the highest fine meted out by the agency.

All of these point to the fact that NITDA is steadfast in its quest to ensuring that Nigeria continues to improve on its standing as relating to data protection and privacy.

We are aware that a Data Protection Bill is currently in the works. What is to be expected from new Bill?

The Bill will provide a more robust and efficient regulatory framework for the protection of personal data, to regulate the processing of information relating to data subjects, and to safeguard their fundamental rights and freedoms as Nigerians. The Data Protection Bill will be passed into Law by the National Assembly. It also touches on the establishment of a Data Protection Commission. This new commission will be charged with the responsibility of protection of personal data, rights of data subjects, regulation of the processing of personal data and for related matters. The Bill is expected to be passed into Law soon.

What are some of the data protection & privacy trends for 2022 and their implications?

Firstly, it is imperative to note that there is an increased trend of privacy regulation and enforcement around the globe as countries continue to pass data protection legislation.

Notably, countries such as Zambia, Rwanda, China, Russia, Saudi Arabia, Turkey, Kuwait, the UAE, Uzbekistan and Kazakhstan enacted/amended laws on data protection in 2021. This trend is expected to continue in the coming years and will be a major decisive factor in the relationship between countries. Therefore, it is impressive that Nigeria has joined the bandwagon.

Another note-worthy trend is privacy tech taking centre stage. Due to pressure being mounted on business models by regulators, consumers and other stakeholders, companies will resort to technology to help them achieve their business goals. 2021 saw the rise of privacy-enhancing technologies, it is predicted that they will take centre stage in 2022.

However, companies must ensure that they understand the solutions they are considering as well as their implications before making a decision.

Finally, Global Privacy Controls is expected to gain traction. Global Privacy Control (GPC) is a proposed specification designed to allow Internet users to notify businesses of their privacy preferences, such as whether or not they want their personal information to be sold or shared. It consists of a setting or extension in the user’s browser or mobile device and acts as a mechanism that websites can use to indicate they support the specification.

It is currently required under the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) that Data Subjects should be able to exercise their legal privacy rights in one step via GPC. It is proposed that more countries will hop on this trend and make the implementation of GPC by entities operating within them mandatory, as a way of enhancing the privacy of Data Subjects.

For emphasis, could you provide insight into the rights of Nigerians under the NDPR?

The NDPR dictates several rights for Data subjects. The rights include:

The right of access – Data subjects have the right to access their personal data being processed by a Data Controller or Processor.

The right to rectification – Data subjects have the right to request for the correction of inaccurate personal data and to have incomplete personal data updated without delay.

The right to erasure – Data subjects have the right to request the erasure of their personal data from a Data Controller and Processor system.

The right to restrict processing – Data subjects have the right to request Data Controllers and Processors restrict the processing of their personal data under certain circumstances.

The right to data portability – Data subjects have the right to request a transfer of their personal data from one Data Controller or Processor to another.

The right to object to processing – Data subjects have the right to object to the processing of their personal data under certain circumstances.

The rights in relation to automated decision making and profiling – Data subjects have the right to object to a decision solely based on automated profiling or decision making, which significantly affects them.

It is important that Nigerians are aware that to exercise any of these rights, they must contact the Data Controller or Processor managing their personal data.