{"id":3593,"date":"2024-03-12T11:37:20","date_gmt":"2024-03-12T17:37:20","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=regulations&p=3593"},"modified":"2024-03-21T12:32:37","modified_gmt":"2024-03-21T18:32:37","slug":"nigeria-dpa","status":"publish","type":"regulations","link":"https:\/\/trustarc.com\/regulations\/nigeria-dpa\/","title":{"rendered":"Data Protection Act (DPA) – Nigeria"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tRegulation<\/span>\n\t\t\t\t\t\t\t\t\t\t

Data Protection Act (DPA)<\/h1>\n\t\t\t\t\t

One of the goals of the DPA, among others, is to protect the fundamental rights, freedoms, and interests of data subjects as ensured by the 1999 Constitution of Nigeria.<\/p>\n\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t

Are you subject to the DPA?<\/h2>\n

Nigeria’s DPA applies to: (1) the data controller or data processor who is domiciled, ordinarily resident, or ordinarily operating in Nigeria, (2) the processing of personal data within Nigeria, and (3) the data controller of the data processor who is not domiciled, ordinarily resident, or ordinarily operating in Nigeria, but is processing personal data of a data subject in Nigeria.<\/p>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t

Key obligations under the DPA<\/h2>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Data protection impact assessment<\/h4>\n

The Act emphasizes the necessity of conducting a data protection impact assessment (DPIA) when processing personal data poses a potential high risk to the rights and freedoms of data subjects based on its nature. The Act requires the controller to seek consultation with the Commission before proceeding with the processing if the DPIA identifies a high risk.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Data breach notification<\/h4>\n

In the event a breach occurs, the DPA requires the data processor to inform the controller or the engaging data processor promptly about the breach’s details and address any information inquiries from them. If the breach is expected to pose a risk to individuals’ rights, the controller must notify the Commission within 72 hours of becoming aware, with the ability to extend if necessary to properly assess the breach’s extent.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Appointment of a Data Protection Officer (DPO)<\/h4>\n

Controllers and data processors are required to appoint a DPO, responsible for overseeing compliance with the DPA and serving as a point of contact for data subjects and regulatory authorities.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t

Cross-border data transfers<\/h4>\n

According to the DPA, the transfer of personal data from Nigeria to another country is permissible only if the recipient of the data is bound by a law, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms that ensure an adequate level of protection for the personal data. The Act also grants the Commission the authority to periodically compile a ‘blacklist,’ identifying jurisdictions or entities that do not comply with the legislation.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t

\n\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t

Records of processing activities<\/h4>\n

Controllers and data processors must maintain records of their processing activities, including information about the purposes of processing, categories of data subjects, categories of personal data processed, recipients of personal data, and security measures implemented. The controller and data processor are also mandated to keep a record of all personal data breaches.<\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/section>\n\t\n\n\t\t

\n\t\t\t
\n\t\t\t\t\"\"\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tWebinar<\/span>\n\t\t\t\t\t\t\t\t\t\t\t\t

Building Trust and Competitive Advantage: The Value of Privacy Certifications<\/h2>\n\t\t\t\t\t\t

Join our experts in this webinar as they go over the importance of how privacy certifications can unlock business value and help you stay ahead of the competition in today\u2019s privacy-conscious landscape.<\/p>\n\t\t\t\t\t\t