The National Data Protection Commission (NDPC) has taken a significant step towards making data protection a legal requirement in Nigeria by implementing the Nigeria Data Protection Act (NDPA) 2023.
During the implementation of the Nigeria Data Protection Act 2023, the National Commissioner of NDPC, Dr. Vincent Olatunji, revealed that this legislation establishes the duty of care and standard of care expected from all participants in the data processing ecosystem.
Olatunji emphasised that having a principal law is “just the beginning, not the end,” of their goal. It provides a foundation for building a sustainable digital economy. The government aims to create 1 million jobs through the digital economy sector, and measures are being put in place to generate 500,000 jobs within the data protection ecosystem, which accounts for 50 per cent of the sector’s job creation target.
“The essence of the NDPC is rooted in respect – respect for our citizens’ personal data, respect for privacy and respect for digital rights. This respect is now firmly established in the NDPA. The change in legislation is not a mere addition to our law books; it is a transformative step towards fostering a culture where the protection of personal data is a cherished principle and an inviolable obligation.
“We should not perceive this development as a burden; instead, let us view it as an exciting journey towards earning trust, establishing robust data protection structures, and strengthening our position in the global digital economy landscape,” he stated.
Olatunji outlined the targets the NDPC aims to achieve in the next two quarters of this year:
Public Awareness Campaigns: The NDPC recognizes that awareness is the first step towards compliance. Therefore, it will expand its public awareness campaigns to educate and empower organisations and individuals about their roles, rights, and responsibilities under the Act.
Development of Implementation Framework: Standardisation is crucial. Hence, the NDPC will develop a standardised framework for implementation to ensure consistency and clarity across all sectors. This will involve issuing guidance notices on key provisions of the law, particularly those related to the lawful basis of data processing, data subjects’ rights, compliance audit returns, and cross-border data transfer.
Capacity-building for Data Protection Officers (DPOs): DPOs play a crucial role in this endeavour, and the NDPC aims to enhance their capacity-building opportunities through the National Data Protection Adequacy Programme (NaDAP), enabling them to effectively lead their organizations towards compliance.
Issuance of DPCO Practice Guidelines and Sectorial Guidance Notices: The regulatory frameworks for Data Protection Compliance Organisations (DPCOs) will be strengthened, and sector-specific guidelines will be issued, especially for the financial and telecom sectors. These guidelines will provide flexible frameworks that address specific vulnerabilities, risks and opportunities while ensuring a clear path to compliance. Additionally, more DPCOs will be licensed to provide services and enhance competition within the ecosystem.
Upscale of Registration Process: To simplify compliance pathways and encourage participation, the registration process for data controllers and data processors will be streamlined, taking into account the importance of ease of processes in the digital age.
Compliance Audit Filing Calendar: The NDPC will introduce a definite calendar for filing annual Compliance Audit Returns. The target is to have organizations file within the first quarter of each year, from January to December. Only compliant organisations will be eligible for inclusion on the NDPA Whitelist. This calendar will help organisations stay up-to-date with their compliance obligations.
Olatunji urged the media to continue playing a vital role in the era of the Fourth Industrial Revolution, emphasising the importance of their active engagement in raising awareness and fostering compliance with data protection regulations.