Adeseyoju: Why Organisations Must Beef up Digital Security


Data Privacy Day is observed annually on January 28th. It is a global day aimed at raising awareness about the importance of data privacy and is also celebrated in the European Union, United States and Canada. The issuance of the Nigeria Data Protection Regulation in 2019 showcased Nigeria’s commitment to Data Protection and Privacy of its citizens. To commemorate the 2021 celebration, Abimbola Adeseyoju, the Managing Director of DataPro Limited, a compliance solutions company in Nigeria, and one of the licensed Data Protection Compliance Organisations speaks with Adedayo Adejobi on Nigeria’s effort to drive the Data Protection compliance regime as well as the fundamentals of Data Protection and Privacy

The Nigeria Data Protection Regulation (NDPR) was issued on 25th January 2019, to drive data protection and privacy compliance. Two years later, what achievements has the regime recorded?

The issuance of the NDPR 2019 saw Nigeria record a significant growth in Data Protection and Privacy compliance.

Between 2019 and 2020, National Information Technology Development Agency (NITDA), the regulatory agency charged with driving data protection compliance in Nigeria, received audit fillings from 635 entities warehoused on the NDPR portal, a verifiable database. Based on the audit report filings received, financial services sector recorded the highest level of compliance with audit report filing. Notably, the data protection compliance market recorded revenue upwards of N2.2 billion between 2019 and 2020. Additionally, NITDA licensed 70 Data Protection Compliance Organisations (DPCOs), of which DataPro Limited is one, to provide data protection compliance services, audit and training for data controllers and processors among other functions, thereby creating 2686 jobs. In the performance of its oversight function, NITDA issued 230 compliance and enforcement notices. The regulator also conducted 15 investigations on alleged data breaches. As a DPCO, DataPro has provided advisory and compliance services such as Data Protection and Privacy policy formulation, data protection and privacy training and capacity building programs, Data Protection Impact Assessment (DPIA) and annual audit for several organisations across various sectors. With the achievements recorded so far, DataPro predicts a higher level of compliance with the regulation, as corporate entities become increasingly aware of their obligations in regard to data protection and privacy.

What is the impact of the NDPR 2019 on organisations in Nigeria?

The NDPR 2019 provides an array of obligations for Data Controller and Processors in Nigeria. Data Controllers and Processors are obligated to appoint a Data Protection Officer for the purpose of ensuring company-wide adherence to the regulation; develop a Data Protection and Privacy policy which should set the tone of Data Protection and Privacy practices in the organisation; conduct training and awareness on Data Protection and Privacy for all staff; conduct Data Protection Impact Assessment (DPIA); and implement adequate security measures to protect data. Similarly, data controllers and processors who process the personal data of more than 2000 data subjects in a period of 12 months are required to conduct annual Data Protection Audit and file the report with NITDA. This is to showcase their level of compliance with the provisions of the NDPR. Furthermore, with the advent of the NDPR, it has become expedient for organisations to only collect relevant data necessary for the purpose of their business relationship with data subjects and maintain transparency in the processing of data.

How has the Covid – 19 pandemic affected data protection?

The Covid -19 pandemic has disrupted the traditional way of doing business. Many organisations have resorted to working remotely, which has posed significant data privacy risks as a lot of personal information is being obtained and processed over less secured networks. As a result, organisations have become more susceptible to data breaches. To mitigate the risk of data breaches, organisations have been challenged to beef up security measures in order to ensure that their digital platforms are highly secured against cyber threats. With the heightening of cyber-security issues, organisations are required to be forward looking and employ creative security measures such as the use of Virtual Private Networks (VPN) and encryption of computers. The prevailing situation which has forced organisations to adopt stringent cyber security measures will subsequently help improve data security standards.

What are the rights of Nigerians under the NDPR?

The NDPR dictates several rights for Data subjects. The rights include: The right of access – Data subjects have the right to access their personal data being processed by a Data Controller or Processor; the right to rectification – Data subjects have the right to request for the correction of inaccurate personal data and to have incomplete personal data updated without delay; the right to erasure – Data subjects have the right to request the erasure of their personal data from a Data Controller and Processor system; the right to restrict processing – Data subjects have the right to request Data Controllers and Processors restrict the processing of their personal data under certain circumstances; the right to data portability – Data subjects have the right to request a transfer of their personal data from one Data Controller or Processor to another; the right to object to processing – Data subjects have the right to object to the processing of their personal data under certain circumstances; the rights in relation to automated decision making and profiling – Data subjects have the right to object to a decision solely based on automated profiling or decision making, which significantly affects them.

It is important that Nigerians are aware that to exercise any of these rights, they must contact the Data Controller or Processor managing their personal data.

What notable steps have been taken by the regulator to drive the NDPR compliance regime?

One of the notable steps taken by NITDA in the quest to drive data protection compliance is the fining of a public institution the sum of N1 million for personal data breach offence, making it the first sanctioned entity since the issuance of the NDPR. This move reinforced the government’s commitment to safeguarding the data of Nigerian citizens. It has also propelled compliance with Data Protection and Privacy among corporate organisations. Additionally, the regulator served 51 enforcement notices on Data Controllers perceived to have breached the provisions of the NDPR 2019. It also served 180 compliance notices on Ministries, Departments and Agencies of the Nigerian government. Likewise, NITDA inaugurated a Data Breach Investigation team in conjunction with the Office of the Inspector General of Police to conduct effective investigation of data breach and misuse.

The NDPR portal was also launched to enable reporting of data breaches. The steps taken so far to enforce Data Protection compliance in Nigeria is commendable and showcases NITDA’s commitment to ensuring that Nigeria continues to improve on its current standing as relating to data protection and privacy.