Understanding Data Protection In Nigeria – A Guide For Business Owners

In today’s digital age, businesses collect, process, and store vast amounts of personal information. Protecting this data is not only a legal obligation but a critical factor in maintaining customer trust and business reputation.

In Nigeria, the Nigeria Data Protection Regulation (NDPR), issued by the National Information Technology Development Agency (NITDA), sets the standards for how personal data must be handled by organizations operating in the country.

This guide provides a clear overview of what data protection means for Nigerian businesses and what you need to do to comply.

1. What is Personal Data?

  • Personal data refers to any information relating to an identified or identifiable natural person.
  • Examples include:
    • Names
    • Home and email addresses
    • Phone numbers
    • Identification numbers (e.g., National ID, passport)
    • Financial information
    • IP addresses and online identifiers
    • Biometric data


2. Core Principles of the NDPR

To comply with NDPR, businesses must adhere to the following principles when handling personal data:

  • Lawfulness, Fairness, and Transparency
    • Data must be collected and processed lawfully and fairly.
    • Data subjects (individuals whose data is collected) must be clearly informed about why their data is collected and how their data will be used.
  • Purpose Limitation
    • Personal data should only be collected for specified, explicit, and legitimate purposes.
    • Data cannot be used for unrelated purposes without additional consent.
  • Data Minimization
    • Only data that is strictly necessary for the purpose should be collected. Avoid excessive or irrelevant data collection.
  • Accuracy
    • Data must be accurate and kept up to date. Businesses should correct or delete inaccurate data promptly.
  • Storage Limitation
    • Data should not be retained longer than necessary for the purpose it was collected.


3. Obligations of Businesses Under NDPR

  • Publish a Data Protection Policy
    • Your business must have a clear, accessible policy that explains how personal data is handled.
  • Obtain Consent Before Processing Data
    • Consent must be freely given, specific, informed, and unambiguous.
  • Appoint a Data Protection Officer (DPO)
    • Required for organizations that process large volumes of data or sensitive data.
    • The DPO oversees compliance and acts as a point of contact for data subjects and regulators.
  • File an Annual NDPR Compliance Audit Report
    • Businesses must conduct regular audits and submit reports to NITDA demonstrating compliance.
  • Implement Adequate Security Measures
    • Protect data from unauthorized access, accidental loss, or destruction using appropriate technical and organizational measures.
  • Report Data Breaches
    • Notify NITDA and affected individuals promptly in the event of a data breach.


4. Rights of Data Subjects

Under NDPR, individuals have several rights regarding their personal data:

  • Right to Access
    • Individuals can request access to the data held about them.
  • Right to Correct Inaccuracies
    • They can ask for corrections or updates to incorrect or incomplete data.
  • Right to Withdraw Consent
    • Consent for data processing can be withdrawn at any time, subject to legal or contractual restrictions.
  • Right to Be Forgotten
    • In certain circumstances, individuals can request the deletion of their personal
  • Right to Data Portability
    • Individuals can request their data be transferred to another organization in a structured, machine-readable format.


5. Penalties for Breach

  • The NDPR empowers NITDA to impose penalties for non-compliance, which may include:
    • Fines of up to 2% of annual gross revenue or ₦10 million (whichever is greater) for serious violations.
    • Public reprimands, directives to cease processing, or suspension of data processing activities.
    • Legal action and reputational damage.


Conclusion

Data protection is essential for building trust and loyalty with your customers and partners, and failing to comply with the NDPR risks costly fines and damage to your brand’s reputation.

Protect your business and your clients.

At Chenyung Orokodo & Co, we offer:

  • NDPR compliance audits
  • Drafting of data protection policies
  • Staff training on data protection best practices

Contact us today to ensure your business meets Nigeria’s data protection standards.

Copyright © 2025 Chen-Yung Orokodo & Co. Built By Gabriel