Who is enforcing data protection regulations in Nigeria?

As internet penetration continues to increase in Nigeria, more people are exposed to cyber vulnerabilities. Especially because, only a few people care to read documents on the internet before providing their data.

In 2021, Nigeria ranked 47th out of 182 countries on the Global Cybersecurity Index for 2020 and occupied the fourth position in Africa. According to a 2022 report by Sophos, a global cybersecurity firm 71% of (surveyed) Nigerian businesses suffered ransomware attacks in 2021.

Sophos revealed that the average cost of rectifying cyber-attack in the country also went up from $0.46 million in 2020 to $3.43 million in 2021.

Most of these data breaches are not disclosed by the affected organisations. In April 2022, WebsitePlanet discovered unsecured AWS S3 data buckets belonging to the Plateau State Contributory Healthcare Management Agency (PLASCHEMA), although the agency denied the allegations, WebsitePlanet maintained that the buckets were not closed until late July 2022.

In the Nigeria Data Protection Regulation 2019 (NDPR), companies are not obligated to report data breaches, experts argue that this omission is a "critical missing piece": "Although organisations feel reporting incidents can damage their reputations, reporting incidents act as a deterrent for poor cyber practices," Oruaro Ogbo, a technology consultant, stated.

Nigerian president, Muhammadu Buhari in February 2022 approved the establishment of the Nigeria Data Protection Bureau (NDPB) to take charge of data protection enforcement instead of the National Information Technology Development Agency (NITDA). This Bureau will work with the Data Protection Bil 2020.  

How does Nigeria Data Protection Bureau (NDPB) work?

The NDPB is mandated to collaborate with stakeholders in achieving the objectives of the NDPR, namely, to:

• Safeguard the rights of natural persons to data privacy;
• Foster safe conduct of transactions involving the exchange of Personal Data;
• Prevent manipulation of Personal Data; and
• Ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection and which is in tune with best practices.

Understanding the Data Protection Bill 2021

A Data Protection Bill[pdf] will be passed by the National Assembly before December 2022, it will replace the NDPR 2019. The objective of the Bill is to create a regulatory framework for the protection and processing of personal data and to safeguard the rights and freedoms of data subjects which are guaranteed under the Nigerian Constitution.

According to the Bill, the privacy of personal data will not apply when the data is processed to protect members of the public from:

• financial loss or malpractice
• dishonesty or malpractice in the provision of professional services
• misconduct or mismanagement in the administration of a non-profit making entity health, safety and welfare of persons at work; or to protect non-working persons against the risk to health or safety arising out of or in connection with the action of persons at work; and
• on the grounds of public interest which may include the prevention or detection of crime, the assessment or collection of tax or duty or the publication of literary or artistic material.

The latest data protection bill covers the following data:

• Personal and biometric data revealing a data subject's identity, racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation or trade union membership.
• Personal banking and accounting records.
• Personal data revealing a data subject's flight reservation or itinerary.
• Student's academic transcripts records.
• Personal medical and health records.
• Telephone calls, call data records, messages, websites, and other information are stored on any electronic device.
• Personal subscription data that reveals data subject behaviour.

According to Ridwan Oloyede, a cybersecurity expert, "the bill is silent on requirements that could strengthen accountability, like data protection by design and default and documenting a record of processing activities, among other things. However, the bill grants the commission broader power to issue regulations that may address these missing provisions."