In January 2019, the National Information Technology Development Agency (NITDA) prescribed the Nigeria Data Protection Regulation (NDPR). This law was established to serve as a guide to organizations on handling and storing information on Nigerians and to spell out the rights Nigerians have with their data. Before this, the state of data protection in Nigeria was very poor. With more than a year gone since the introduction of the NDPR, we review the impact of the law on data protection in Nigeria.
NITDA has gone about implementing the regulations by requiring data audit reports from all organizations carrying out business in Nigeria except those processing fewer than 2000 data subjects. Training and awareness events have also been organized to educate organizations on information security best practices. The agency also issued warnings to organizations, such as the Lagos Internal Revenue Service, that failed to meet the stipulations of the NDPR.
However, NITDA announced that as of December 2019, only 94 companies had complied with the regulations, with 200 businesses granted an extension to submit their reports. With over 3 million organizations registered with the Corporate Affairs Commission as of March 2019, this shows a 3 percent compliance rate a year after the law was passed. Interestingly, the agency did not announce penalties for organizations that failed to comply. Is it that enforcement actions are being taken without being publicized? Certainly, this is possible, but it is unlikely, as it would signal a lack of transparency, which is against the principles of the NDPR. What is more likely is that there has been no strict enforcement of the regulations. The fact is that unless the agency adopts more drastic enforcement actions, the NDPR will fail to serve its purpose.
Another factor in how effective the NDPR has been is the content of the regulations themselves. While the NDPR requires organizations to report breaches to the NITDA, it does not mandate businesses to notify the owners of the exposed data. This is unlike the data protection laws prescribed in other jurisdictions like the United Kingdom and Kenya. Also, the regulations do not restrict the collection and use of personal information like racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health, data concerning sexual orientation, etc. Rather, the NDPR stipulates that such data should be processed with higher security, which still allows organizations to legally make decisions based on sensitive and personal data, such as when hiring.
With the advances in data science and artificial intelligence, organizations, governments, and individuals are increasingly becoming reliant on data to make the right decisions. The potential economic gains provide vital arguments to allow data collection and processing to be as seamless as possible but the right to privacy and strict data protection must be prioritized as well. It is imperative that the NITDA reviews the NDPR with the aim of making it more secure and truly empowering for Nigerians. The agency must also become bold in performing its enforcement duties.