Data Protection Audit for 2020 Financial Year - How Compliant is Your Organisation?

Friday, January 29, 2021 / 06:23 PM / By KPMG Nigeria / Header Image Credit: Andersen Tax

On 25 January 2019, the National Information Technology Development Agency (NITDA or "the Agency") issued the Nigeria Data Protection Regulation (NDPR or "the Regulation") which provides guidelines for the use of personal data collected and/or processed by organizations.  Specifically, the NDPR requires all public and private organizations in Nigeria that control data of natural persons to publicise their respective Data Protection Policies.  In addition, all Data Controllers and Processors who collect and process more than 2,000 data subjects within a 12-month period must conduct an independent Data Protection Audit (DPA) and file their DPA reports with the Agency, not later than 15 March of the following year.  

Based on the above, companies who collected and/or processed data from January to December 2020 have until 15 March 2021 to submit their DPA reports to the NITDA.  Failure to file the DPA report within the statutory timeline may attract a fine of up to 2% of a company's annual gross revenue for the preceding year.

Only licensed Data Protection Compliance Organizations ("DPCO") can perform the independent DPA, in line with the provisions of the Regulation.  The DPA will, amongst other things, assess an organisation's compliance with the requirements of the NDPR across various areas, including data protection governance, policies and processes, information systems security and controls over personal data.

The following compliance steps are recommended for Data Controllers who have:

1.         filed their initial Data Protection Audit Report 

• Assess remediation status of compliance gaps noted from initial audit
• Develop roadmap for remediation of existing compliance gaps and execute accordingly
• Perform annual data audit and file report with NITDA before 15 March 2021

2.         not filed their initial Data Protection Audit Report 

• Immediately engage a DPCO to commence initial Data Protection Audit
• Remediate quick-wins to improve compliance posture
• File annual report with NITDA before 15 March 2021

KPMG is licensed by NITDA as a DPCO, and can assist your organization to achieve compliance with the NDPR through the following services: 

• Compliance audit and report filing
• Remediation support
• Training and capacity development
• Data Protection Impact Assessment
• Implementation of technology solutions to improve your maturity in privacy management

Credits

* This statement was first published in the Issue 1.8/ January 2021 Newsletter of KPMG of Friday, January 29, 2021. For further enquiries, please contact the authors, Abimbola Omolola and John Anyanwu via aomolola@kpmg.com and/or janyanwu@kpmg.com

Related News

1.       Proshare Nigeria, 633 Others Listed Among Data Protection Compliant Organizations in Nigeria

2.       SEC, NITDA Collaborate on Data Protection

3.       FG Licenses 27 Data Protection Companies

4.       Data Protection for Hotels - Legal Alert

5.       Breach of Nigeria Data Protection Regulation by the Lagos State Internal Revenue Service

6.       The Nigeria Data Protection Regulation - Compliance Requirements

7.       National Data Protection Regulations - Legal Alert

8.       European General Data Protection Regulations - Highlights

9.       How The General Data Protection Regulation Will Affect Your Business