On 25 January 2019, the National Information Technology Development Agency (NITDA or “the Agency”) issued the Nigeria Data Protection Regulation (NDPR or “the Regulation”), which provides guidelines on the use of personal data by organizations that collect and/or process such data. As part of its mechanism to enforce compliance with the NDPR, NITDA mandates all public and private organizations in Nigeria that control data of natural persons to publicise their respective Data Protection Policies. This means that irrespective of the quantity of data controlled by any organization, it is expected that each organization puts in place a Data Protection Policy where none exists.
Also, all Data Controllers and Processors must conduct an independent Data Protection Audit and file the Audit report with the Agency within a defined timeline. The initial timeline given by NITDA to conduct the Audit was 25 October 2019, and all 2019 reports were due to be filed with the Agency by 15 March 2020.
In February 2020, NITDA issued a communique exempting Data Controllers, Data Processors and other concerned entities that submitted the statutory Initial Data Audit Report between 2019 and 15 March 2020 from further submitting the 2020 Annual Data Audit Report. Rather, such entities were required to put necessary processes in place to remediate gaps identified during the 2019 audit and improve their systems to ensure data protection compliance and information security.
With the onset of the Coronavirus pandemic in Nigeria, companies which had not met the 15 March 2020 deadline and had applied, through a licensed Data Protection Compliance Organisation (DPCO), for an extension of time to comply were permitted to submit their 2019 Data Audit Report by Friday, 15 May 2020.
With just a few days to the deadline, concerned organizations are advised to take necessary steps to ensure timely compliance with the NDPR.
KPMG is able to support your organization with drafting and reviewing your Data Protection Policies for compliance with the NDPR. Our Firm is also licensed by NITDA as a DPCO to perform Data Protection Audits, Implementation Support and Capacity Building/Training Programs, and to help affected organizations comply with the Regulation.
For further enquiries on our service offerings on data protection compliance, please contact:
Partner, Tax Regulatory & People Services
Partner, Technology Advisory