Nigeria Data Protection Regulation (NDPR)

What is the NDPR Act?

NDPR (Nigeria’s data protection regulation) is the current national law in Nigeria, issued in January 2019. NITDA, as the Regulatory Authority for Data Protection, aims at innovating data protection management in Africa through inclusive regulatory strategies, partnerships, and continuous improvement, all geared towards ensuring NDPR compliance.

The objective of Nigeria’s data protection regulation is to safeguard the rights of natural persons to data privacy, foster safe conduct for transactions involving the exchange of Personal Data and to prevent manipulation of Personal Data.

Who must comply with Nigeria Data Protection Regulation (NDPR)?

Ensuring NDPR compliance is essential for organizations operating in Nigeria to safeguard data privacy and meet regulatory requirements. Nigeria’s NDPR regulation is applicable in the following cases:

  • The regulation applies to all transactions intended for the processing of Personal Data and to the processing of Personal Data.
  • The NDPR applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.

Enforcement under Nigeria Data Protection Regulation (NDPR)

Any person subject to Nigeria’s data protection regulation who is found to be in breach of the data privacy rights of any Data Subject shall be liable, in addition to any other criminal liability, to the following:

  • In the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million Naira, whichever is greater,
  • In the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of the fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million Naira, whichever is greater.

Key highlights of NDPR:

  • Personal Data: Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
  • Data Subject Rights: The NDPR provides the data subject rights, which largely mirror those provided by the GDPR.
  • Consent: Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action.
  • Privacy Assessments: Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.


Data Subject Rights under the Nigeria Data Protection Regulation (NDPR)

  1. Right to be Informed
    Any medium through which Personal Data is being collected or processed by a business shall display a simple and conspicuous privacy policy that the class of Data Subject being targeted can understand.
  2. Right to Object
    A Data Subject shall have the option to:

    • Object to the processing of Personal Data relating to him which the Data Controller intends to process for the purpose of marketing,
    • Be expressly and manifestly offered the mechanism for objection to any form of data processing free of charge.
  3. Right to Access
    The Controller shall take appropriate measures to provide any information relating to processing to the Data Subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, and for any information relating to a child.
  4. Right to Deletion
    The Data Subject shall have the right to request the Controller to delete Personal Data without delay, and the Controller shall delete Personal Data.
  5. Right to Restriction on Processing
    The Data Subject shall have the right to obtain from the Controller restriction of processing where the processing is unlawful or the Personal Data is no longer needed for the purposes of the processing.
  6. Right to Rectification
    The Controller shall communicate any rectification or erasure of Personal Data or restriction to each recipient to whom the Personal Data have been disclosed.
  7. Right to Data Portability
    The Data Subject shall have the right to receive the Personal Data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the Personal Data have been provided.

If the Controller does not act on the request of the Data Subject, the Controller shall inform the Data Subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority.

Data Protection Officer

The Data Controller and the Data Processor shall designate a data protection officer in the following circumstances:

  1. The Data Controller or the Data Processor is a public authority as prescribed and announced by the Committee.
  2. The activities of the Data Controller or the Data Processor in the collection, use, or disclosure of the Personal Data require a regular monitoring of the Personal Data or the system, by the reason of having a large number of Personal Data as prescribed and announced by the Committee.
  3. The core activity of the Data Controller or the Data Processor is the collection, use, or disclosure of the Personal Data according to section 26.

How does Mandatly help you achieve Nigeria NDPR compliance?

Mandatly’s NDPR compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks. Our commitment to NDPR compliance ensures your business operates with the highest standards in data protection and privacy management.

  • Consumer Rights: End-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.
  • Data Inventory and Mapping: Maintain your data sources and map data flows to meet the NDPR "Lookback" requirements.
  • Privacy Assessments: Bundled with intelligence to uncover and assess privacy risks that your business can be exposed to.
  • Privacy Notices: Generate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.
  • Do not sell my information: Enables customers to opt out of the cookie-based and non-cookie-based sale of personal information.
  • Analytics: Reporting features are built into the system to get a holistic view of the compliance program for different stakeholders.
