NITDA: What the New Nigerian Data Protection Regulation Could Mean for Business

Uchechukwu Ajuzieogu
4 min readDec 31, 2019

On October 4th, 2019 the attention of the National Information Technology Agency (NITDA) was drawn to the potential breach of privacy rights of Nigerians by the Truecaller Service. The Agency, in accordance with Section 6(f) of the NITDA Act 2007, which empowers the it to render advisory services in all information technology matters to the public and private sectors, informed the public that it commenced investigation of the potential breach.

Initial findings revealed that the Truecaller Privacy Policy is not in compliance with global laws on data protection and the Nigeria Data Protection Regulation (NDPR) in particular. The findings also revealed that there are over seven million Nigerians who are active users of the Service, hence the need to enlighten the public on some of the areas of non-compliance as well as guide those affected. T wo months after this statement, the National Information Technology Agency (NITDA) has not released any public statement on the outcome or process of the Truecaller Service investigations that proved that Truecaller was invading the Privacy of Nigerians.

The Truecaller Privacy Policy, available on the Truecaller Policy Webpage, is made of two sets — one for those in the European Economic Area (EEA) and the other for those outside the EEA. Nigeria falls under the second category. Furthermore, every Nigerian user is contracting with Truecaller India. There are marked differences between both policies. Critical assessment of the policy revealed non-compliance with the NDPR.

In this light, what does the National Information Technology Agency (NITDA) done to stop such acts from happening? Is the new process invoke and operational? If so, what do you or your organization know about the new data laws that’s equivalent to the GDPR?

The Rise of the Nigerian Data Protection Regulation (NDPR)

The spate at which Nigerian’s data is being breached by service provider has assumed an epidemic rate. On a daily basis, personally identifiable information of Nigerians is being used by unauthorized persons to further their own interest without the consent of the Data Subject.

The NDPR was issued on 25th January, 2019 pursuant to Section 6 (a,c) of the NITDA Act, 2007. The NDPR was made in recognition of the fact that many public and private bodies have migrated their respective businesses and other information systems online. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against atrocious breaches. Government further takes cognizance of emerging data protection regulations within the international community geared towards security of lives and property and fostering the integrity of commerce and industry in the data economy.

What the New NDPR Represents

To be honest the scope of the regulation is strictly critical as this Regulation applies to all transactions intended for the processing of Personal
Data, to the processing of Personal Data notwithstanding the means by which
the data processing is being conducted or intended to be conducted in respect of natural persons in Nigeria. The NITDA — NDPR regulation applies to natural persons residing in Nigeria or residing outside Nigeria who are citizens of Nigeria.

This Regulation does not operate to deny any Nigerian or any natural person the privacy rights he is entitled to under any law, regulation, policy, contract for the time being in force in Nigeria or in any foreign jurisdiction.

Why There’s a Need to Act — For Organizations

To be frank, the NITDA and the stated NDPR are not meant to be taken lightly. In simpler terms, organizations are not to joke with the new policy. Take for example the terms on page 18 of the regulation act, it states the following:

“All public and private organizations in Nigeria that control data of natural persons shall, within three (3) months after the date of the issuance of this Regulation, make available to the general public their respective data protection Policies; these Policies shall be in conformity with this Regulation.”

How do large and even small scale public and private organization keep up to speed with this? It’s another critical act to consider as not following up will imply fine and some other sanctions.

Within six (6) months after the date of issuance of this Regulations, each
organization shall conduct a detailed audit of its privacy and data protection
practices with at least each audit stating:

a. personally identifiable information the organization collects on employees
of the organization and members of the public;

b. any purpose for which the personally identifiable information is collected;
c. any notice given to individuals regarding the collection and use of personal
information relating to that individual;

d. any access given to individuals to review, amend, correct, supplement, or
delete personal information relating to that individual;

e. whether or not consent is obtained from an individual before personally
identifiable information is collected, used, transferred, or disclosed and
any method used to obtain consent;

f. the policies and practices of the organization for the security of personally
identifiable information; and more.

Nigerians needed an equivalent of the GPDPR and yes they’ve gotten it but it’s high time to pay the ultimate price on the part of the corporate and even small scale business bodies. How prepared are they to follow up on this? That’s another article for another time.

Uchechukwu Ajuzieogu

Uchechukwu Ajuzieogu is an Author, Blogger, Researcher, Content Curator, Tech Entrepreneur, and Educationist with vast experience in Technology Applications.