By 
By Nwakaego Alajemba
The National Information Technology Development Agency (NITDA) is not going back on sanctioning organisations that fail to file their Data Protection Audit Report before June ending – less than four weeks from now.
Sanctions vary from blacklisting a company, shutting it down and may also include N2 million fine or the forfeiture of two per cent of the previous year’s gross annual income of companies that breach the NDPR.
The Nigeria Data Protection Regulation (NDPR) mandates all statutory organisations whether public or private that process the personal data of more than 1000 data subjects in a period of six months and 2000 data subjects in a period of 12 months to submit a Data Protection Audit Report to NITDA not later than 15th March every year.
NITDA extended the deadline to June 30 to allow organisations more time to submit the 2020/2021 regulatory audit as required by Article 4.1.6 of the NDPR, and must be conducted by a Data Protection Compliance Organization (DPCO) as licensed by NITDA.
Many private companies, government ministries, departments and agencies (MDAs) are already under watch by the IT regulator for possible sanction, IT Edge News learnt.
RELATED
NITDA Moves NDPR Compliance Deadline To June
Companies Risk NITDA’s Sanction As NDPR March 15 Compliance Deadline Looms
Oyo Commences NDPR Implementation For Eight MDAs
The Nigeria Data Protection Regulation (NDPR) applies to all storage and processing of personal data conducted in respect of Nigerian citizens and residents.
Due to the COVID-19 lockdown in 2020, the IT regulator had extended the deadline for filing the mandatory Data Protection Audit Report by data controllers to 15th May, 2020. Because it considers that the pandemic hangover still lingers, the agency also extended the deadline in 2021 from March to June, said a senior official of NITDA to IT Edge News.
NDPR is Nigeria’s principal data protection legislation
Nigeria’s principal data protection legislation is the NDPR issued by the NITDA on 25 January 2019 pursuant to Section 32 of the NITDA Act 2007 as subsidiary legislation to the NITDA Act 2007.
The NDPR defines a data controller as ‘a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed. Data Protection Compliance Organisations (DPCOs) are data protection professionals or organisations licensed under the NDPR to assist data controllers in their data compliance journey.
NDPR compliance steps
According to KPMG, one of the licensed DPCOs, the following compliance steps are recommended for Data Controllers who have:
- filed their initial Data Protection Audit Report
- Assess remediation status of compliance gaps noted from initial audit
- Develop roadmap for remediation of existing compliance gaps and execute accordingly
- Perform annual data audit and file report with NITDA before 15 March 2021
- not filed their initial Data Protection Audit Report
- Immediately engage a DPCO to commence initial Data Protection Audit
- Remediate quick-wins to improve compliance posture
- File annual report with NITDA before 15 March 2021
The obligation to conduct a self-audit and file a Data Protection Audit Report is a requirement under Paragraph 4.1.5 of the Nigeria Data Protection Regulation 2019 (NDPR) which requires Data Controllers to conduct a data protection audit and file an audit report with the Agency. Data Controllers are also required to conduct this audit and file the audit report through a licensed DPCO. NITDA has now extended the filing deadline to 15th May, 2020 for organisations that applied or will apply for an extension.
“Government organisations are the biggest data controllers in Nigerians for obvious reasons. A number of private sector players are also heavy controllers of data. As a licensed DCPO, Data Protection Services Limited (DSPL) , has been assisting a number of its clients including private companies and government ministries, departments and agencies (MDAs) meet the compliance requirements,” said Managing Director of DSPL, Tunde Balogun. DSPL is a licensed DPCO.
