Friday, January 29, 2021 / 06:23 PM / By KPMG Nigeria
On 25 January 2019, the National Information Technology Development Agency (NITDA or "the Agency") issued the Nigeria Data Protection Regulation (NDPR or "the Regulation"), which provides guidelines for the use of personal data collected and/or processed by organizations. Specifically, the NDPR requires all public and private organizations in Nigeria that control data of natural persons to publicise their respective Data Protection Policies. In addition, all Data Controllers and Processors that collect and process the personal data of more than 2,000 data subjects within a 12-month period must conduct an independent Data Protection Audit (DPA) and file their DPA reports with the Agency not later than 15 March of the following year.
Based on the above, companies that collected and/or processed data from January to December 2020 have until 15 March 2021 to submit their DPA reports to the NITDA. Failure to file the DPA report within the statutory timeline may attract a fine of up to 2% of a company's annual gross revenue for the preceding year.
Only licensed Data Protection Compliance Organizations ("DPCO") can perform the independent DPA, in line with the provisions of the Regulation. The DPA will, amongst other things, assess an organisation's compliance with the requirements of the NDPR across various areas, including data protection governance, policies and processes, information systems security and controls over personal data.
The following compliance steps are recommended for Data Controllers who have:
1. filed their initial Data Protection Audit Report
2. not filed their initial Data Protection Audit Report
KPMG is licensed by NITDA as a DPCO, and can assist your organization to achieve compliance with the NDPR through the following services: