Private or public statutory organisations which fail to file their Data Protection Audit Report before the March 15, 2021 deadline – only three weeks away – risk heavy sanctions by the National Information Technology Development Agency (NITDA). The agency has ruled out a possible extension.
The Nigeria Data Protection Regulation (NDPR) applies to all storage and processing of personal data conducted in respect of Nigerian citizens and residents.
As at the time of filing this report, IT Edge News findings show many organisations from the public and private sectors are liable to be blacklisted as defaulters. The penalties are hefty.
The NDPR mandates all organizations that process the personal data of more than 1000 data subjects in a period of six months and 2000 data subjects in a period of 12 months to submit a Data Protection Audit Report to NITDA not later than 15th March every year. The implication is that thousands of corporate entities across Nigeria are subject to the NDPR.
Last year, due to the COVID-19 lockdown, the IT regulator had extended the deadline for filing the mandatory Data Protection Audit Report by data controllers to 15th May, 2020.
This year, the regulator has warned that defaulting companies will be made to pay financial penalties and/or be blacklisted from public projects.
The NDPR defines a data controller as ‘a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed’. Data Protection Compliance Organisations (DPCOs) are data protection professionals or organisations licensed under the NDPR to assist data controllers in their data compliance journey.
Compliance critical to data integrity – NITDA’s boss
Early last month, during the International Data Privacy Week, the Director General of NITDA, Mallam Kashifu Inuwa Abdullahi, insisted that compliance is critical to achieving data integrity in terms of privacy and security. He affirmed that NITDA remains committed to achieving the terms of the NDPR across the full spectrum of industries.
Compliance is “about creating trust and awareness to ensure stakeholders see the need to comply,” said Abdullahi, adding that sanctions or penalties are not designed to make money for the government or to stifle the business environment.
“Ignorance of the law is not an excuse. Many companies, organisations including those of governments across the states will be caught on the wrong side of the law,” said Managing Director of Data Protection Services Limited (DSPL), Tunde Balogun. DSPL is a licensed DPCO.
Andersen, a licensed DPCO, notes: “the obligation to conduct a self-audit and file a Data Protection Audit Report is a requirement under Paragraph 4.1.5 of the Nigeria Data Protection Regulation 2019 (NDPR) which requires Data Controllers to conduct a data protection audit and file an audit report with the Agency. Data Controllers are also required to conduct this audit and file the audit report through a licensed DPCO.”
NDPR compliance steps
According to KPMG, one of the licensed DPCOs, the following compliance steps are recommended for Data Controllers who have:
- filed their initial Data Protection Audit Report
  - Assess remediation status of compliance gaps noted from initial audit
  - Develop roadmap for remediation of existing compliance gaps and execute accordingly
  - Perform annual data audit and file report with NITDA before 15 March 2021
- not filed their initial Data Protection Audit Report
  - Immediately engage a DPCO to commence initial Data Protection Audit
  - Remediate quick-wins to improve compliance posture
  - File annual report with NITDA before 15 March 2021
NITDA has now extended the filing deadline to 15th May, 2020 for organisations that applied or will apply for an extension.
“Government organisations are the biggest data controllers in Nigeria for obvious reasons. A number of private sector players are also heavy controllers of data. As a licensed DPCO, Data Protection Services Limited (DSPL), has been assisting a number of its clients including private companies and government ministries, departments and agencies (MDAs) meet the compliance requirements,” said Balogun.
He added: “We have been able to evolve implementable approaches helping MDAs to adopt the NDPR guideline applicable to all public institutions in Nigeria including publicly funded ventures, and incorporated entities with government shareholding, either at the federal, state or local levels, while processing the personal data of Nigerian citizens and residents. Our government clients include Oyo State and Plateau State, notably the Plateau State Internal Revenue Service (PSIRS).”
The NDPR aims to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a sound data protection regulation.