In performing its functions as stipulated in the Nigeria Data Protection Act (NDPA) 2023, the Nigeria Data Protection Commission (NDPC) recently issued a Guidance Notice NDPC/HQ/GN/VOL.01/23 pursuant to Section 6(c)-(d) of the NDPA on the Filing of Data Protection Compliance Audit Returns.
The Guidance Notice was primarily issued to ensure effective compliance with the preservation requirements of Data Protection Compliance Audit Returns (CAR) prescribed for data controllers and data processors in Nigeria under the NDPA 2023 and the Nigeria Data Protection Regulation (NDPR) 2019. As indicated in the notice, the objective of filing CAR is to promote transparency and accountability in the processing of personal data and to foster a culture of respect for the privacy of data subjects.
The Guidance Notice indicates the Commission’s intention to embark on a new cycle of CAR filings in 2024 in accordance with the provisions of the NDPA and its General Application and Implementation Directive (GAID). It is an opportunity for Data Controllers and Data Processors to demonstrate accountability and be included on the National Data Protection Adequacy Programme (NaDPAP) Whitelist in line with the compliance metric outlined in the Guidance Notice.
The collaborative roles of Data Protection Compliance Organizations (DPCOs) in operationalizing the requirements of the country’s data protection laws are highlighted in the Guidance Notice. These include facilitating CAR filing with the Commission on behalf of Data Controllers and Data Processors, and offering pro bono services as Corporate Social Responsibility (CSR) to start-ups, non-profit organizations, and low-revenue organizations when necessary. Other responsibilities are providing practical training to designated Data Protection Officers (DPOs) and other members of staff, and issuing evidence of practical training that would entitle designated DPOs to Continuous Professional Development (CPD) Credit. CPD is an essential audit parameter under the NDPA GAID, which the Commission will issue in the 1st Quarter of 2024. DPCOs are expected to inform their clients or prospective clients about the provisions of the Guidance Notice.
The notice identifies essential focus areas that must be underscored in the audit questionnaire when filing CAR with the Commission. Data Controllers and Data Processors are obligated to emphasise the following focus areas:
- Capacity Building,
- Compliance Directives to Employees, Contractors, Agents, etc.,
- Availability of Data Protection Officers,
- Categories of Personal Data being processed (the principles applied and the Lawful Basis for Processing),
- Technical Measures for ensuring Confidentiality, Integrity, and Availability of Personal Data (with a focus on Privacy by Design and by Default),
- Grievances Redress Mechanism, and
- List of agents or contractors being engaged for data processing and due diligence as to their training and general compliance with the NDPA.
For the year 2022, agents or contractors that carry out data processing on behalf of data controllers are required to provide details of their Technical and Organizational Measures (TOM) for data protection in the Digital TOM form provided by the Commission.
The Guidance Notice stipulates that Data Controllers and Data Processors may develop, in a memorandum, a time-bound framework to regularize their processing activities in accordance with the NDPA. The memorandum should address the focus areas identified above, be signed by the designated DPO of the organization, and be submitted to the Commission as part of the CAR. The memorandum will be held by the Commission as a bona fide commitment to NDPA compliance. The time-bound framework must not run later than 31st March 2024.
Furthermore, the Guidance Notice indicates that the Commission will conduct free induction training for designated DPOs in January 2024. The training focuses on the compliance obligations of data controllers and data processors and on the rights of data subjects contained in the NDPA and its GAID.
As provided under the NDPA and NDPR, the filing deadline is fixed as the 15th of March annually. The Notice introduces a default fee of 50% of the filing fee; the applicable deadline for the 2022 CAR under the Guidance is the 15th of March 2023. Hence, data controllers or data processors that could not file the 2022 CAR on or before that deadline are required to pay the default fee in addition to the filing fee.
The effect of non-compliance with the provisions of the Guidance Notice is disqualification of organizations from being listed on the National Data Protection Adequacy Programme (NaDPAP) Whitelist. The Whitelist is an essential tool of accountability, as it consists of the functional data of data controllers and data processors. There is a rebuttable presumption that a data controller or data processor on the list is committed to taking adequate technical and organizational measures to safeguard data subjects’ rights. It is important to note that the NaDPAP Whitelist is not an immunity list or a shield against data subjects’ complaints. An appropriate enforcement order or the penalties prescribed under the NDPA may be imposed on data controllers and data processors found to be in violation of provisions of the Guidance Notice that relate to specific provisions of the NDPA.
Compliance Metrics for qualification for the NaDPAP Whitelist are provided in the schedule to the Notice. The Metrics are credit points that will be used to evaluate the processing activities of Data Controllers and Data Processors. The credit points are awarded to organizations to estimate the level of compliance undertaken by Data Controllers and Data Processors.
The Guidance Notice is a welcome development by the Commission to ensure effective and voluntary compliance from Data Controllers and Data Processors and to promote data privacy rights and protection in Nigeria.
To read more on the Guidance Notice, please visit https://ndpc.gov.ng/Files/guidance_notice.pdf.