Data Protection in Nigeria - Draft General Application and Implementation Directive


In a bid to further tighten the nuts and bolts of data protection in Nigeria, the Nigeria Data Protection Commission (the “Commission”) published on May 31, 2024, a draft General Application and Implementation Directive (the “Directive”) which is to guide the interpretation and implementation of the provisions of the Nigeria Data Protection Act (the “Act”). For more information on the Act, please see our previous newsletter.

In this article, we have provided useful information in connection with the Directive.


1. The scope and applicability of the Directive

The Directive applies to data controllers, processors and data subjects as set out below.

a. Data controllers or processors that process or target the personal data of data subjects in Nigeria.

b. Data subjects, whether Nigerians or foreigners, who reside in Nigeria.

c. Nigerian citizens who reside outside Nigeria.

d. Data subjects whose personal data are transferred to Nigeria.

e. Data subjects whose personal data are in transit through Nigeria to other jurisdictions, provided that the data controller or processor’s obligation to transfer such data is limited to confidentiality, integrity and availability.


2. Introduction of the material context of data processing

The Directive introduces a general duty of care on persons and organisations that process personal data to examine the material context of their processing of personal data and to ensure that such processing is consistent with the constitutional right to privacy.

It also states that the duty of care is tied to items listed under the exclusive legislative list in the Nigerian Constitution. It is however unclear how the exclusive legislative list is to apply to this provision.


3. Additional obligations of Data Protection Officers (DPOs)

The Directive requires a DPO to compile a semi-annual data protection report and submit same to the management of its company. This report is to form part of the Record of Processing Activities of the company, which is to be verified by the Data Protection Compliance Organisation during the audit.

The Commission is also required to conduct an annual assessment for DPOs to ensure that they continue to maintain the level of professionalism required to carry out their responsibilities.

 

4. Lawful basis for processing personal data

As stated in our previous newsletters, a data controller or processor is required to rely on any of the lawful bases for processing personal data, which are consent, contract, legitimate interest, vital interest, legal obligation and public interest.

The Directive provides further guidance on the various lawful bases, including the following:

a. Contract – where data is obtained as part of the preliminary stage (due diligence) of a contract and a substantive agreement is not entered into, the collected personal data is to be destroyed within six (6) months.

b. Consent – when relying on consent, it must be for a lawful purpose and the data controller or processor is required to make the process of withdrawing consent easy. In addition, where cookies are used on any website, the consent of the data subject is to be freely given, informed and specific.

c. Legal obligation – some instances where this can be relied on include where there is a duty imposed by law; or an order of a court of competent jurisdiction.

5. Additional provisions on Data Privacy Impact Assessment (DPIA)

The Directive provides instances where a DPIA is to be conducted. One such instance is where a new technology is introduced on a large scale which may result in unintended, adverse consequences to the lives and livelihood of data subjects, or where their fundamental rights and freedom become threatened.

 

Conclusion

 

The information provided above is not exhaustive as the Directive provides more guidance on the various provisions of the Act including the right of data subjects and cross-border transfer of personal data. There are however a few provisions in this Directive which are unclear, such as the provision which connects the duty of care required for processing data to the exclusive legislative list contained in the Nigerian Constitution as mentioned in 2 above. We expect that when the final Directive is published, such provisions will be clarified.

 

--

Read the original publication at Pavestones