Data is king but with conditions under Nigeria’s Data Protection Law

Corporations possessing large data of Nigerians must develop data management processes to protect the data.

Affected firms should conduct audits of their data management processes by 25th July 2019.

A Nigerian entity transferring data to a foreign entity must seek appropriate regulatory approvals or consent from the data subjects.

Photo by AbsolutVision on Unsplash

In January 2019, Nigeria joined a growing number of nations fighting to protect the privacy of personal data used in online transactions. Persons obtaining personal data of Nigerians both home and abroad have a duty of care to ensure the data is not compromised either by acts of omission or commission. In a digital economy where cybersecurity is core to a firm's survival, the duty of care isn't an easy one to observe. However, abiding by the rules will save corporations a ton of money in damages arising from misuse of data or penalties from failure to comply. The question is, what are these rules? This article discusses the core aspects of the Nigerian Data Protection Regulation ('The Regulation'), which any person using or controlling personal data of others must observe.

Affected Firms

Any firm in possession of data which is identifiable to a person falls within the scope of the Regulation. Identifiable information includes names, identification numbers, the location of persons, or other methods of identifying a person, whether by physical, physiological, or cultural features. Examples of firms that could be affected include banks, fintech companies, government departments, HR firms; news, entertainment or blogging platforms with subscription forms that collect data from users on their websites; large corporations with a database of their employees, payment platforms that store information of customers, banks, and so on. Affected firms must obtain such data lawfully.

The Regulation only applies when personal data collected relates to Nigerian residents or persons of Nigerian descent who are resident abroad ('Nigerian person').

Affected firms in public and private sectors were required to publish their data protection policies in compliance with the Regulation by 25th April 2019. They are also expected to appoint a data protection officer in charge of ensuring compliance with the Regulation. In recent times Nigeria experienced growth of tech startups primarily in the fintech industry. These firms will be affected by the Regulation because of their access to private information of many Nigerians. Thus it is necessary they develop a unit solely focused on managing the data, and reporting their data protection policies to the National Information Technology Development Agency (the "Agency").

When data processing is lawful

A person in possession of personal data can lawfully process it if granted consent, or if acting according to a legal obligation or a contract with the Nigerian subject, or for the protection of the Nigerian person or the public.

A firm obtains consent validly where there is an absence of fraud, coercion, or undue influence, and the person can give consent. For persons obtaining data through online platforms, it is necessary that data collection forms allow users to accept the collection of their personal information expressly. Users must also know the specific reasons why their data is collected. Some online platforms notify users in their cookie policies that their information is collected to enrich their experience when using the platform. Others notify users in their privacy policy on how they use their data. As a firm interested in collecting data from users, you can include the following clause in your privacy policy, which should be linkable from your contact collection form:

In the course of using our Service, we may ask that you provide personally identifiable information so we can contact or identify you ("Personal Data"). Such information includes, but is not limited to:

  • Email address

  • First name and last name Phone number

  • Cookies and Usage Data

We use your Personal Data for legitimate business purposes to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You have the right to decline future receipt of any, or all such communications from us by clicking the unsubscribe link or instructions provided in any email we send.

A firm must restrict the use of such data to the purposes listed in their privacy policies which must be available on their online platforms.

Additionally, the forms should contain opt-in options where users confirm their legal age is above 18 to ensure they have the legal capacity to give such consent.

Safeguards required by the Act

The data held by some firms in Nigeria have enormous value. An example, for instance, is Firm A who has information on software developers and their skill sets. At the moment, they are in high demand in Nigeria because various companies are migrating to the cloud and need persons that can manage their database and information systems. Rather than company B's HR department to engage in a wild goose chase searching for software developers, they can pay Firm A to provide direct information on developers with specific skill sets.

Individuals whose information Firm A controls also need protection. Thus the Regulation imposes a duty of care on Firm A in regards to the data they possess. It must create a system that protects their database from cyber-attacks, thefts, breaches, and any form of manipulation or damage by natural elements such as rain or fire. It is advisable Firm A develops an internal policy for accessing such data. For instance, restricting access to certain persons within the IT department and engaging in continuous training on management of the database. Any policy developed must extend to third parties who process the data.

Over time, it is advisable firms conduct audits of their pri