The Nigeria Data Protection Regulation was created by The National Information Technology Development Agency to monitor the use of electronic data.
The scope of the regulation is to protect personal data of Nigerians both in Nigeria and Outside Nigeria. This regulation applies only to individuals and not companies.
“Data” means characters, symbols and binary on which operations are performed by a computer. Which may be stored or transmitted in the form of electronic signals is stored in any format or any device;

“Data Controller” means a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed;
“Data Subject means an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
Personal data shall be collected and processed lawfully provided that it is done in accordance with public policy and human dignity. Persons entrusted with personal data has a duty of care and is not be transferred to a third party. Such person is also accountable for any acts or omission done by him. Personal data is also to be stored for a reasonable period.
For processing of personal data to be lawful, the person must have given his consent to the processing of his data or when it is necessary for performance of a contract, or when there is a legal obligation, or protect the interest of the data subject or a third party, or performance of tasks in public interest.
No data can be processed without the consent of the data subject. Such consent must not be obtained by fraud, coercion or undue influence. Where consent is required the data controller must show that consent was sought and obtained in a clear and plain language. The data controller must inform the data subject before giving his consent that he can withdraw such consent at any time but the withdrawal does not affect any transactions done before consent is withdrawn. Consent is not to be sought or given in circumstances that encourages atrocities, hate, child right violation.
Any medium which personal data is being collected shall display a privacy policy in a conspicuous place. Security measures should be developed by persons involved in data processing to protect data. There shall also be a written contract between a third party and the data controller.
A data subject has the right to object to the processing of his personal data by the controller for the purposes of marketing.
Any person in breach of data privacy of any data subject will be liable to fine or criminal liability. The fine payable is stated as follows:
a) in the case of a Data Controller dealing with more than 10,000 Data Subjects, payment of the fine of 2% of Annual Gross Revenue of the preceding year or payment of the sum of 10 million naira whichever is greater;
b) in the case of a Data Controller dealing with less than 10,000 Data Subjects, payment of a fine of 1% of the Annual Gross Revenue of the preceding year or payment of the sum of 2 million naira whichever is greater.
Any personal data transferred to a foreign country which is undergoing processing or is to be processed after such transfer will be subject to the NITAB Regulations and the supervision of the Attorney General of the Federation (AGF). The agency has to show that the foreign country has an adequate level of protection. The AGF will take into consideration the legal system of the foreign country in relation to personal data. When there is absence of any decision by the AGF regarding the safeguards in the foreign country, transfer of personal data will only take place when the following conditions are met:
1. The data subject consented to the transfer of the personal data having been informed of the possible risk due to the absence of an adequate decision.
2. The transfer is important for the performance of a contract between the data subject and the controller
3. The transfer is important for reasons of public interest
4. The transfer is necessary to establish legal claim
5. The transfer is important in order to protect the data subject’s interest
The controller must provide information in writing or by any other means relating to data processing in a clear and plain language, especially when the information is addressed to a child.
Information provided to the data subject shall be provided free of charge but when the request is unfounded or excessive the controller can either charge a reasonable fee or write a letter to the Data Subject stating refusal act on the request and copy the Agency. The controller has the responsibility of demonstrating the excessive character. The controller can also request for additional information when he is in doubts as to the identity of the natural person making the request.
Before collecting personal data from the data subject, the controller is to provide the data subject with certain information such as the details of the controller, details of the data protection officer, the purposes of processing the data e.t.c.
Data subject is entitled to be informed of the appropriate safeguards for data transfer to foreign countries. He also has the right to tell the controller to delete personal data without any delay and the controller shall delete such data on the following grounds:
1. the personal data are no longer necessary in relation to the purposes for which they were collected or processed;
2. the Data Subject withdraws consent on which the processing is based;
3. the Data Subject objects to the processing and there are no overriding legitimate grounds for the processing;
4. the personal data have been unlawfully processed; and
5. the personal data have to be erased for compliance with a legal obligation in Nigeria.
The controller has to inform the controller processing the personal data of the request of the data subject. Where personal data is restricted except for storage the consent of the data subject shall be sought before processing.
The data controller has the right to be informed of personal data concerning him or her that he has provided to the controller, he also has the right to transmit such data to another controller. The controller can also transmit those data to another controller without any restrictions when it is based on consent, contract or carried out by automated means.
Both public and private organisations are to make available their data protection policies within 3 months of the issuance of the regulation and it must be in compliance with the regulation. Controllers have the duty to assign a data protection officer for the purpose of adherence to the regulation. The Agency should by this Regulation register and license Data Protection Compliance Organisation (DPCOs). Every organisation is to conduct detailed audit of its privacy and data protection within 6 months of issuance of the regulation.
The agency is to set up an Administrative Redress Panel to look into allegations of breach of the regulation. This does not however stop data subject from seeking redress in a court of competent jurisdiction. Any breach of this regulation will be seen as a breach of the National Information Technology Development Agency (NITDA) Act of 2007.
The agency and other authorities are to take appropriate steps to develop international mechanisms to facilitate effective enforcement of legislation to protect personal data.