Categories: Business. Last Updated: February 25th, 2022

Data privacy regulation is an integral part of the regulatory landscape for modern businesses in the digital age, because business trends and recent events have shown that data is the new oil. If the collection and use of personal information is not effectively controlled, it could result in unauthorised use of sensitive information, some of which may cause damage to the individuals whose data are exploited.

 

In Nigeria, the need for protection of data rights is well recognized, but regulators can scarcely find a unified system of law to rely on. A foundation for citizens' right to privacy is laid down in section 37 of the 1999 Constitution (as amended), which provides that:

 

The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.

 

Nigeria, just like the USA, does not have a uniform data protection law, unlike the European Union, where the General Data Protection Regulation is enforceable across all EU countries. However, a handful of laws can be referred to when discussing data privacy regulation for businesses in Nigeria.

 

Hence, any business in Nigeria that purports to collect and process the personal information of its customers or of members of the public must be seen to adhere strictly to the provisions of these laws and regulations.

 

Laws on Data Privacy Regulation In Nigeria

 

The Nigerian Constitution 

There are different data privacy laws in Nigeria, chief of which is the Nigerian Constitution, as mentioned above.

Besides the brief mention of the right to privacy in section 37, no other provision of the law discusses the right to privacy extensively. It is therefore important to look at other sources of regulation.

 

The National Health Act, 2014

 

Similar to the USA’s HIPAA, the NHA seeks to protect against the unauthorised use or disclosure of the health and personal information of patients by the covered entities.

Thus, health and medical facilities are bound by the provisions of the law when dealing with the records of their patients. Disclosure of health or personal records is permitted only on grounds contained in the law.

 

The Nigeria Data Protection Regulation, 2019 

 

The Nigerian Data Protection Regulation is Nigeria’s version of the European Union’s GDPR. However, the NDPR, unlike the GDPR, is not a legislative enactment. It was made by the National Information Technology Development Agency pursuant to the powers conferred on it by the NITDA Act of 2009. By making the NDPR, the NITDA seeks to regulate the use of data in Nigeria as well as penalise data privacy breaches by imposing fines on defaulters.

 

Data Privacy Consideration For Businesses in Nigeria 

As a business owner or compliance personnel, it is crucial to observe all the laws stated above. The most comprehensive regulation to be discussed in detail is the NDPR. 

This regulation stipulates the requirement of notice, the right to forget, and the format for privacy policies, as well as the fines and penalties defaulting organizations would face in the event of a breach of the provisions of the Regulation.

 

Notice

The first point to note is that a business seeking to collect the data of members of the public must ensure that the reason for collection is known. Hence, you must notify the data subject of the information being collected and the purpose. The data subject must also give his/her consent. Furthermore, you must provide information on how such a person can subsequently withdraw their consent. Notice must also be given if the information you are collecting would be shared with a third party, along with the purpose of sharing it.

 

Right To Forget

As stated earlier, a business collecting the data of individuals must also give information on the procedure for applying for erasure of the collected data. For instance, if a previous customer wants their personal information expunged from your records, he or she should be able to make a request. Upon the request, you are obliged to delete the customer’s information from your system.

 

Privacy Policy 

Every business collecting data in Nigeria is required to display a privacy policy menu item on their website, web app, mobile app or on any platform through which the data is collected. The privacy policy among other things should contain the following information: 

  a) what constitutes the Data Subject’s consent;
  b) description of collectable personal information;
  c) purpose of collection of Personal Data;
  d) technical methods used to collect and store personal information, cookies, JWT, web tokens etc.;
  e) access (if any) of third parties to Personal Data and purpose of access;
  f) available remedies in the event of violation of the privacy policy;
  g) the time frame for remedy; and
  h) provided that no limitation clause shall avail any Data Controller who acts in breach of the principles set out in this Regulation.

 

Data Security 

Any business collecting personal or sensitive information has to ensure that adequate measures are put in place to protect the information. Sensitive information, if obtained by unauthorised persons or entities, can be used for illegal purposes, hence the need to adopt security measures.

 

Want To Know More About How Data Privacy Laws Affect Your Business In Nigeria?

Understanding Data Protection laws in Nigeria is quite essential for every business. Hence Classic Attorney’s business department can help startups and growing businesses define and structure their privacy policies. 

You can contact us through our communication channels to get started. 

 

We Are Here To Help You

We provide legal advice, services, consultation, real estate and business registration services
