The Nigerian Data Protection Act, 2023 (NDPA) is the primary
legislation governing data protection in Nigeria. However, despite
its robust provisions, the NDPA has left the task of crafting
specific regulations and directives for the implementation of the
NDPA to the Nigerian Data Protection Commission (NDPC). While this
approach provides adaptability to changing circumstances, it also
underscores the urgent need for NDPC's intervention in
providing the necessary regulatory framework to effectively
implement the NDPA.
In response to this need, the NDPC recently inaugurated the
National Committee for NDPA General Application and Implementation
Directive ("GAID") to ensure the implementation of the
NDPA. It is a welcome development as it holds the potential to
bring much-needed clarity to the interpretation and application of
critical and novel provisions within the NDPA. This article
highlights key areas and issues where we anticipate GAID's
guidance and offers some recommendations on the implementation of
the NDPA.
A. Designation of data controllers or processors of major importance
The NDPA introduced the designation "data controllers or data
processors of major importance" and empowered NDPC to
ascertain the specific threshold for qualifying as such. This
designation carries additional compliance obligations, such as
mandatory registration with the NDPC and the appointment of Data
Protection Officers (DPOs). This marks a departure from the NDPR,
which requires all data controllers and processors to have
designated DPOs. Hence, further guidance from NDPC is needed to (a)
clarify which data controllers and processors are exempt or
required to comply with these additional obligations and (b)
ascertain the registration procedure and requirements for data
controllers and processors of major importance.
In addition, GAID may consider the possibility of limiting the requirement to submit annual audit reports to data controllers and processors of major importance, streamlining the compliance process, and concentrating efforts on key data protection stakeholders...
Originally published on 2023-10-31