The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Nigeria Data Protection Regulation (‘NDPR’) both aim to guarantee strong protection for individuals regarding their personal data and apply to businesses that collect, use, or share personal data, whether the information is obtained online or offline.
The GDPR, which went into effect on 25 May 2018, is one of the most comprehensive data protection laws in the world to date.
The National Information Technology Development Agency (‘NITDA’) released the NDPR on 25 January 2019. It is strongly influenced by the GDPR, with several articles containing very similar or identical phrasing. Both the GDPR and the NDPR provide for data controllers and data processors, which are referred to as ‘data administrators’ under the NDPR, for definitions of data breaches, for accountability requirements, and for the right to erasure.
The material scope of the two laws is also very consistent and both provide similar definitions for ‘processing,’ ‘personal data’ and ‘sensitive personal data’. However, the GDPR applies to the processing activities of data controllers and data processors that do not have any presence in the EU, but where their processing activities are related to the offering of goods or services to individuals in the EU, or to the monitoring of the behaviour of individuals in the EU. The personal and territorial scope of the NDPR is, however, defined by citizenship and physical presence, with the NDPR applying to residents of Nigeria, as well as Nigerian citizens abroad.
In addition, the NDPR does not explicitly require any of the record-keeping obligations required by the GDPR, and does not outline how NITDA will calculate fines.
In July 2019, NITDA released the Draft Data Protection Implementation Framework (‘the Draft Framework’). The Draft Framework refers to provisions which are not included in the NDPR. In particular, the Draft Framework requires data handlers to report data breaches to NITDA within 72 hours of their knowledge of the breach, and also outlines the information which must be included in such a report.
Furthermore, the Draft Framework highlights the conditions under which a DPO must be appointed, and lists countries which have adequate data protection law or regulation that can guarantee minimum privacy for Nigerian citizens’ data. The Draft Framework also stipulates which documentation is required to demonstrate compliance with the NDPR, and expands on NITDA’s supervisory role.
However, it is important to note that the Draft Framework has not been approved and is therefore not in effect.
This guide aims to highlight the similarities and differences between the NDPR and the GDPR to assist organisations in their compliance programs with both.