The deadline for 2021/2022 audit report filings by Data Protection Compliance Organisations (DPCOs), as required by the Nigeria Data Protection Regulation (NDPR), has been extended to 30th June, 2022, according to the country’s data ombudsman, the Nigeria Data Protection Bureau (NDPB).
Under the NDPR, DPCOs must submit annual data audit reports in the first quarter of every year. But DPCOs have had difficulty submitting compliance audits on the NDPR portal.
The data watchdog explained that the difficulty is a result of the transition from NITDA to the bureau’s new portal.
The NDPR is the country’s principal legislation on data protection. Issued by the National Information Technology Development Agency (NITDA) in 2019, it applies to public and private sector processing of personal data within and outside Nigeria.
Since its creation in February, the NDPB, not NITDA, has had the mandate over all data protection and privacy issues in Nigeria.
“This issue is being addressed as you are aware that Nigeria Data Protection Bureau (NDPB) has recently been created and we are currently transitioning from NITDA to the Bureau’s portal,” explained Hauwa Ibrahim Hadejia of the Legal Unit, NDPB.
“We encourage all DPCOs to register on the portal before submission of audit reports. Also, certificates for renewal of license would be issued by the bureau upon registration. The 2021/2022 audit report filing has also been extended to 30th June, 2022.”
By law, organisations (data controllers) that processed the personal data of more than 1,000 data subjects in a six-month period must provide a soft copy of the audit summary to the newly created NDPB.
Also, data controllers that processed the personal data of more than 2,000 data subjects within a 12-month period must, not later than March 15th of the following year, submit a summary of their audit to the authorities.
All organisations that process the personal data of more than 2,000 data subjects, including the immigration services, banks, telecommunications companies, pilgrims boards and other ministries, departments and agencies, whether federal or state, are under obligation to appoint DPCOs to assist them in complying with the requirements of the NDPR or meeting the annual requirements for the NDPR compliance audit.
Under the NDPR, a data subject is “any person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”
DPCOs are entities licensed by NITDA (now NDPB) to conduct training, auditing and consulting, and to render services for the purpose of compliance with the NDPR or any foreign data protection law or regulation having effect in Nigeria.
There are currently about 103 licensed DPCOs, and they are principally IT service providers, professional service consultancy firms, audit firms and law firms.
“NDPB has been mandated by the government to ensure the coordination of all the existing laws in which data protection, data privacy or data confidentiality has been mentioned,” said Minister of Communications and Digital Economy, Prof Isa Ali Ibrahim Pantami, at the recent launch of the organisation’s logo, website and core values. He added that data protection regulations were vital to attracting international investors, as data protection has become a major criterion to determine digitally compliant countries.
According to Dr. Olatunji, the NDPB is focusing on driving the “objectives of the NDPR to safeguard data privacy; foster safe conduct of transactions involving personal data and to make Nigerian institutions globally competitive and relevant.”
The law imposes penalties on organisations that fail to meet the audit compliance requirements of the NDPR. Sanctions range from blacklisting a company to shutting it down, and may also include a N2 million fine or the forfeiture of one or two per cent of the previous year’s gross annual revenue of companies that breached the NDPR.