The Nigeria Data Protection Bureau (the “NDPB”) recently established the National Data Protection Adequacy Programme (the “NaDPAP”) Whitelist pursuant to section 37 of the 1999 Constitution of the Federal Republic of Nigeria (the “CFRN”). The Whitelist contains a list of organisations deemed to have taken steps to comply with the standard duty of care required in ensuring data protection. The NaDPAP Whitelist will be published on NDPB website, in major newspapers and in addition, shared with local and international establishments to serve as a reference for compliant organisations in relevant transactions and proceedings.

In a compliance notice on the NaDPAP Whitelist (the “Notice”) recently published by NDPB, organisations were directed to take the following steps on or before November 25, 2022, to be included on the NaDPAP Whitelist:

1. To read and understand the Nigeria Data Protection Regulation (the “NDPR”) 2019, because it applies to various situations and persons involved in data processing;
2. To develop and implement a Privacy Policy that is consistent with the NDPR;
3. To notify employees, customers and online visitors of the Privacy Policy;
4. To designate at least one or two members of staff as Data Protection Contacts (“DPC”). The Names of the DPCs (not more than 3) should be forwarded to NDPB for a free Induction Course in Data Protection Regulation Compliance, following which any one of them may be appointed as the organisation’s Data Protection Officer (“DPO”);
5. Where there is subsisting DPO, his contact should be forwarded to the NDPB; and
6. To mandate service providers (agents, licensees, and contactors) to comply with the NDPR.

The Notice also reminds the public that adequate technical and organizational measures for data protection are obligatory for every organization (as data controllers/processors) in Nigeria and that the penalty for breach by an organization of this obligation is, in the case of a Data Controller dealing with more than 10,000 data subjects, 2% of annual gross revenue of the preceding year or payment of the sum of 10 million naira (whichever is greater), and in the case of a Data Controller dealing with less than 10,000 data subjects, payment of the fine of 1% of the annual gross revenue of the preceding year or payment of the sum of 2 million naira (whichever is higher).

Disclaimer

This article is intended to provide a general guide to the subject matter and does not by itself constitute a legal advice to readers. Specialist advice should be sought about readers’ specific circumstances.

For further information, kindly contact [email protected]