FAQs on Data Protection Audit and Compliance

As a licensed Data Protection Compliance Organisation (DPCO), we are now fully equipped to monitor, audit, report and offer comprehensive data protection compliance services to organisations across various industries. 

To help you better understand our new role and how we can support your organisation’s data protection needs and audit compliance, we have prepared a set of FAQs.

FAQs on Data Protection Audit and Compliance Services 

1. Who is a DPCO?

A DPCO is an entity licensed by the Nigeria Data Protection Commission (NDPC) to train, audit, consult and render services and products, to ensure compliance with the NDPA and any foreign data protection law and regulation having effect in Nigeria. (Section 33 of the NDPA). 

2. What services do we provide as a licensed DPCO?

As a licensed DPCO, Credence now offers a wide range of data protection services, including data protection audits, compliance training, gap analysis, policy development, and advisory services, to help organisations in different industries comply with the NDPA and other relevant data protection requirements and laws. (Section 33 of the NDPA) 

3. What is a data protection audit?

This is the process, measures and assessment designed by a licensed DPCO like Credence to evaluate an organisation’s data processing risks and activities, including how personal data is collected, processed and shared, to ensure that the organisation complies with the provisions of the NDPA and other applicable data protection laws. (Section 33 of the NDPA).  

4. Which organisations are required to engage a DPCO and conduct data privacy audits?

All organisations (regardless of size or industry) located in Nigeria, handling data within Nigeria, or processing personal data of major importance of individuals in Nigeria — even if the controller or processor is based outside the country — must request the services of a licensed DPCO, who shall, on behalf of the organisation, conduct data protection audits and render other required data protection services. (Sections 2, 5(d) and 32(1) of the NDPA).

5. What qualifies as major importance?

An entity qualifies as a data controller or processor of major importance if it processes large volumes of personal data (over 200 data subjects in six months) or handles data critical to the economy, society, or security. This includes organisations in key sectors like finance, telecommunications, education, electric power, aviation, tourism, healthcare, insurance, oil and gas, and ICT service providers. Entities processing these types of personal data must follow strict data protection standards (including engaging a DPCO) due to their significant impact on national security, the economy, and society. Additionally, a data controller or processor in a fiduciary relationship, entrusted with confidential information (or who has signed a confidentiality agreement), is considered to be of major importance due to the potential harm to the data subject if they fail to meet data protection obligations. (Sub-paragraph 1(1)(a)-(c) and (2) of the Guidance Notice on Registration of Data Controllers and Data Processors of Major Importance NDPC/HQ/GN/VOL.02/24, dated 14 February 2024 (“Guidance Notice”))

6. Who is a data controller and data processor?

A data controller is an individual, private entity, public commission, agency, or any other organisation that determines, either alone or in collaboration with others, the purposes and methods of processing personal data. The data controller is responsible for ensuring that personal data is collected, handled and used in compliance with applicable data protection laws. A data processor, on the other hand, is an individual, organisation, public body or entity that handles personal data under the instructions of a data controller or another data processor. The NDPA further defines data controllers and processors of major importance as those domiciled, resident in, or operating in Nigeria that process or intend to process personal data of more than 200 data subjects who are within Nigeria, as the NDPC may prescribe. (Section 65 of the NDPA)

7. What qualifies as personal data?

This covers any information that directly or indirectly relates to an identified or identifiable natural person, including names, contact details, identification numbers, and more. (Section 65 of the NDPA).

8. When should my organisation register with the NDPC to carry out the required audit?

Your organisation is required to register with the NDPC and conduct a detailed audit through a licensed DPCO like Credence, stating the adequate measures it has in place for handling personal data and the security policies that govern the notice, access and transfer of data subjects’ personal data, etc., within six (6) months after the commencement of the NDPA, being 6 months from 12 June 2023 (which would lapse by December 12, 2023). However, all existing data controllers and processors in existence prior to June 12, 2024 were required to register with the NDPC between January 30, 2024 and June 30, 2024. Failure to register by the due date will be considered a default under the NDPA and subject to penalties. Consequently, all companies that have not registered and engaged a DPCO are expected to do so immediately to ensure compliance. (Section 44(1)-(2)(a)-(h) of the NDPA and sub-paragraph 3(2)-(3) of the Guidance Notice)

9. Why are data controllers and processors classified, and what are the different categories?

Data controllers and processors are classified to ensure that they meet the appropriate level of data protection standards based on the volume and sensitivity of personal data they handle. The classification helps tailor the regulatory requirements and obligations according to the potential risk and impact of data breaches. The NDPC classifies data controllers and processors into three categories: (x) Ultra High Level (MDP-UHL): these are organisations processing over 5,000 data subjects’ personal data, such as banks, telecoms, tertiary institutions, social media app developers, multinationals etc., required to abide by global and highest attainable standards; (y) Extra High Level (MDP-EHL): entities processing over 1,000 data subjects’ data, including government agencies, hospitals etc., which are generally expected to abide by global best practices of data protection; and (z) Ordinary High Level (MDP-OHL): entities processing over 200 data subjects’ data, like SMEs and schools, which are expected to abide by global best practices of data protection. (Sub-paragraph 3 of the Guidance Notice)

10. Are there fees I am required to pay as a data controller or processor?

The NDPA grants the NDPC authority to prescribe regulatory fees or levies for data controllers and data processors of major importance. In its Guidance Notice, the NDPC outlines the applicable fees based on several factors, including the volume of data processed and the industry in which the data controller or processor operates. Currently, fees range from NGN10,000 to NGN250,000, depending on the classification of the entity. These fees are subject to change at the discretion of the NDPC and do not include the costs associated with engaging a DPCO for compliance purposes. (Section 45 of the NDPA; sub-paragraph 3(1)(a), (c) and (e) of the Guidance Notice)

11. Does the NDPA apply to foreign companies?

The NDPA governs any data controller, regardless of location, that processes personal data of data subjects in Nigeria, as well as any processing of personal data of data subjects that occurs within Nigeria. Specifically, the NDPA applies to foreign companies in two key situations: (y) if the company processes personal data of individuals residing in Nigeria, even if the company has no physical presence in Nigeria; and (z) if the company is offering goods or services to Nigerian residents or monitoring their behaviour (e.g., through online tracking). This means that any foreign company processing the personal data of Nigerian individuals must comply with the provisions of the NDPA, including data protection audits, appointing a data protection officer, and ensuring data security practices. (Section 2 of the NDPA) 

12. How does the NDPA affect the transfer of personal data to a foreign country?

The transfer of personal data to a foreign country shall only take place if the receiving country has adequate data protection laws or has appropriate safeguards in place to secure personal data. (Sections 41 – 43 of the NDPA)

13. Why does my business need to comply with data protection laws?

It is a regulatory requirement that a data controller implement appropriate measures to ensure the security of personal data in its possession. When you comply with the regulatory requirements, you safeguard the fundamental rights of data subjects, fulfil your responsibility to protect your customers’ information and avoid legal penalties. It also ensures that your business operates within the requirements of the law. As a DPCO, we follow the NDPA-approved guidelines to ensure that your data is handled securely and in compliance with the law. (Section 1 of the NDPA)

14. Are there consequences of non-compliance with the NDPA?

Non-compliance with the NDPA can result in penalties of up to 2% of the organisation’s annual revenue or 10 million naira (whichever is greater), in addition to any civil liability action that may be brought by any individual whose personal data the company processes. Non-compliance may also lead to criminal liability. Additionally, non-compliance can damage an organisation’s reputation and lead to loss of customer trust. (Section 48 of the NDPA)

15. Will my company be fined if a data protection audit identifies gaps in compliance?

If the result of a data protection audit shows gaps in compliance, you will not be fined immediately just for identifying the gaps. Instead, the NDPC will expect you to work with your DPCO to develop and implement corrective action plans to address any identified gaps or risks and ensure full compliance. The purpose of the audit is to highlight areas for improvement. However, if the gaps are significant and pose risks to data subjects, or if the organisation fails to take corrective action after the audit, then penalties and fines may be imposed. The NDPC gives organisations the opportunity to correct issues before applying enforcement actions, such as fines. The fines and penalties come into play when (x) non-compliance persists, and no steps are taken to resolve the issues; (y) data breaches occur due to negligence, and no preventive measures have been implemented; and (z) intentional non-compliance is discovered, or there is a refusal to engage with the auditing or regulatory process. (Section 48 of the NDPA) 

16. What are the consequences for failing to appoint a DPCO?

As a DPCO, we are licensed to ensure that your organisation’s data protection audits, compliance, training, and policy development are handled with expertise. Non-compliance with this is a violation of the data protection regulations. (Section 47 of the NDPA) 

17. What if, after receiving personal data, the owner of the personal data withdraws consent?

Every data subject has their rights protected (a data subject is an individual whose personal data is being processed). These rights include the right to withdraw consent at any time, to object to processing, and to the deletion of personal data, which the data processor and controller must obey and comply with. (Section 24 of the NDPA)

18. How do I handle third-party data processors?

If your organisation engages third-party processors to handle personal data, you are required to submit a systematic description of the proposed processing and its purpose to show that the interest in the personal data is a legitimate interest as outlined in Section 27(2) of the Act. (Section 28 of the NDPA)

19. How can my organisation register with the NDPC or prepare for an NDPC audit?

To satisfy the provisions of the NDPA and prepare for an NDPC audit, organisations should consult a DPCO like Credence to register, review their data protection policies and ensure all data protection activities comply with the data protection laws. (Section 32 of the NDPA)

20. How can I get started with your data protection services?

Organisations interested in our data protection services can contact us directly through lawyers@credence-law.com to schedule a consultation. We will assess your data protection needs and provide custom solutions to ensure you satisfy all data compliance regulatory requirements. 

Thank you for your continued trust in Credence LP as your partner in data protection compliance. We remain fully committed to providing and representing our clients in ensuring that they are fully compliant with the applicable data protection laws and regulations.