Nigerian Data Protection Regulation: Practical Guide for the Construction

On 25 January 2019, the National Information Technology Development Agency (the “NITDA”) issued the Nigerian Data Protection Regulation (the “NDPR”) to regulate organizations that collect and process personal data (“Data Controllers”). The NDPR requires Data Controllers to conduct a mandatory data protection audit of their organizations and file an audit report with the NITDA through a Data Protection Compliance Organization (“DPCO”) within six months from the issuance of the NDPR. Nigeria Data Protection Regulation affects construction projects. The ‘Data Controller’ is defined as a person who, either alone or in collaboration with other persons or statutory bodies, determines the purpose for and the way personal data is processed.

Non-compliance with the data privacy rights under the Nigerian Data Protection Regulation is a criminal offense that, upon conviction, attracts the imposition of a sanction or fine. If the Data Controller is dealing with more than 10,000 Data Subjects, the fine imposed is the payment of 2% of the Annual Gross Revenue of the preceding year or the sum of N10,000,000.00 (Ten Million Naira), whichever is greater. If the Data Controller deals with fewer than 10,000 Data Subjects, the fine imposed is 1% of the Annual Gross Revenue of the preceding year or the sum of N2,000,000.00 (Two Million Naira), whichever is greater.

Since the Nigerian government introduced the Nigerian Data Protection Regulation (NDPR), there has been a rush for businesses to comply with it. This article considers the relevance of the NDPR to the Nigerian construction industry.

Nigeria Data Protection Authority

The National Information Technology Development Agency (NITDA) is currently the main regulator where data protection is concerned in Nigeria. However, sector-specific regulatory agencies including the Nigerian Communications Commission and the Central Bank of Nigeria provide services relating to the protection of data.

NDPR was issued in January 2019 pursuant to Section 6 (a,c) of the NITDA Act 2007. The Regulation is the current national law on data protection in Nigeria, which applies to public and private sector processing of personal data within and outside Nigeria. The Regulation is aimed at protecting the right to privacy, creating the right environment for digital transactions, job creation, and improving information management practices in Nigeria.

NITDA as the Regulatory Authority for Data Protection aims at innovating data protection management in Africa through inclusive regulatory strategies, partnerships, and continuous improvement. The Agency represents Nigeria (as Deputy Chair of the Data Protection and Localisation Working Group) at the African Union Policy and Regulatory Initiative for Digital Africa (AU-PRIDA).

Key Features of NDPR

The NDPR introduces new restrictions on the collection and processing of personal data and further requires such activities to be carried out for a lawful purpose consented to by the Data Subject. The following are some requirements that must be complied with, since they will impact the Data Protection Governance, Information Systems & Security Configuration, and the Documented Policies & Processes:

  • Clarity of Privacy Policy. Any medium through which any Personal Data is being processed or collected is required to display a simple and conspicuous privacy policy, such that the class of Data Subject being targeted is able to understand the policy. 
  • Rights of Data Subject. The Controller is required to communicate any information on processing related to the Data Subject in an accessible and concise form. 
  • Data Security. Data controllers and processors are required to implement security measures (such as firewalls, data encryption technologies, etc.) to protect against data theft, cyber attacks, manipulations, etc.
  • International Data Transfer. Transfer of any Personal Data to a foreign country is only allowed where NITDA has decided that the foreign country has adequate data protection. Here, transfer activities are subject to the supervision of the Honourable Attorney General of the Federation. 
  • Third Party Processing. Any data processed by a third party shall be governed through a written contract between the Data Controller and the third party. 
  • Lawful Processing. Data processing is lawful as long as one of the following is applicable: consent has been given; processing is necessary for the performance of a contract; processing is necessary for compliance with a legal obligation; or processing is necessary to protect the vital interests of the Data Subject or any public interests.
  • Explicit Consent. Consent is one of the lawful bases for obtaining and processing personal data. Ensure that the consent is informed, freely given, and unambiguous.
  • Prohibition of Improper Motives. No consent shall be sought, given or accepted in any circumstance that may engender the propagation of atrocities, hate, child rights violation, criminal and antisocial acts.
  • Data Integrity and Storage Limitation. Ensure that the personal data is: adequate, accurate and without any prejudice to the dignity of the human person; and it must be stored only for the period within which it is reasonably needed. 

Potential Consequences for Noncompliance with NDPR

  • Fines. Maximum penalty for breaches of data privacy rights on international transfers can be up to N10M or 2% of annual gross revenue of the preceding year, whichever is higher and based on the number of Data Subjects dealt with.
  • Reputational Damage. This includes negative publicity, as well as the damage to brand and reputation. 
  • Prosecution. Provisions exist for the prosecution of principal officers in the event of a severe data breach. 

Nigeria Data Protection Framework

Nigerian data protection is a constitutional right founded on Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended) (‘the Constitution’). The Nigerian Data Protection Regulation, 2019 (‘NDPR’) is the main data protection regulation in Nigeria. The NDPR was issued by the NITDA. The NDPR expounded on the concept of Nigerian data protection under the constitution. The NDPR makes provisions for the rights of data subjects, the obligations of data controllers and data processors, transfer of data to a foreign territory among others. Although other legislations, as mentioned below, made some provisions for data protection, the NDPR is the starting point for understanding Nigeria’s data protection landscape.

Data Protection Compliance Organizations (DPCOs)

Article 1(3j) of the Nigerian Data Protection Regulation provides that a Data Protection Compliance Organization (DPCO) is any entity duly licensed by NITDA for the purpose of training, auditing, consulting, and rendering services aimed at ensuring compliance with this Regulation or any foreign Data Protection law or regulation having an effect in Nigeria.

A DPCO may be one or more of the following:

  • Professional Service Consultancy firm
  • IT Service Provider
  • Audit firm
  • Law firm

DPCOs also provide data protection and privacy training, advisory services; draft regulation contracts, Data Protection Impact Assessment, etc. The list of licensed DPCOs can be accessed on the NITDA website.

Data Protection Officers (DPOs)

The Nigerian Data Protection Regulations require Data Controllers to designate a Data Protection Officer responsible for ensuring compliance with the NDPR and other applicable data protection directives. The data controller may outsource this responsibility to a verifiably competent firm or person.

Privacy Policies of NITDA

This Privacy policy between The National Information Technology Development Agency of 28 Port Harcourt Crescent, off Gimbiya Street, Garki, Abuja (hereinafter referred to as NITDA) and you, constitutes our commitment to your privacy on our administrative records, websites, social media platforms, and premises. The tips which are important in privacy policies are:

  • Your Privacy Rights
  • Consent
  • Your Personal Information
  • What do we do with your personal information
  • Cookies
  • How we protect your personal information
  • How We Share your information within NITDA and other users
  • Security
  • Data Confidentiality Rights
  • Links to Other Websites and Premises

Data Protection Impact Assessment (DPIA)

Under the NDPR 2019, one of the governance mechanisms recommended by the NITDA as part of being accountable in data processing operations is the Data Protection Impact Assessment or DPIA, a tool for identifying and minimizing data protection risks. According to NITDA, only data processing operations involving the intense use of personal data should be subjected to a DPIA. On this basis, I argue that online profiling, including Online Behavioral Advertising (OBA), is an intensive data processing operation and is thus eligible for a DPIA.

What Are the Implications for Businesses?

The NDPR governs the use of ‘personal data’ by businesses. It applies to all transactions for the processing of personal data, notwithstanding the means by which the data is processed. Personal data is defined in a broad sense and essentially translates as any information relating to an identified or identifiable natural person, otherwise referred to as the “Data Subject.”

It can be anything from a name, address, a photo, an e-mail address, bank details, posts on social networking websites, or medical information to other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others. In a work context, particularly a construction context, this could be information about employees, their salary, performance, and qualifications; just a reference to their employee number is enough to constitute personal data.

The NDPR sets out a set of governing principles that companies must comply with in the processing of data. The governing principles require that data must be:

  • collected for specific and legitimate purposes;
  • processed lawfully;
  • kept for no longer than is necessary;
  • accurate, whereby companies must take reasonable steps to rectify data that is inaccurate;
  • adequate and kept up to date;
  • kept secure.

Inventory Processing of Activities

Nigeria has remained at the forefront of responding to its obligations to the United Nations Framework Convention on Climate Change (UNFCCC) since the ratification of the Convention. The UNFCCC stipulates that Non-Annex 1 countries are required to submit inventory reports every two years as part of their Biennial Update Report (BUR) or as a component in their National Communication (NC) report. With a National GHG Inventory Management System (NGHGIMS) established in 2018, an institutional arrangement made up of Sectorial Working Groups – Data Compilers, and providers from relevant Ministries, Departments, and Agencies of Government was put in place.

What Are the Implications for the Construction Sector?

Since the introduction of the NDPR, there have been questions about the relevance of the NDPR to the construction industry. The construction industry feels it is somewhat removed from the data-heavy, consumer-facing sectors, and as such, the NDPR will have no effect on its operations.

However, this statement is not entirely correct, as the security threat posed by a data breach is just as real as in other data-heavy sectors, and the impact could be just as damaging due to the construction industry’s unique proximity to and collaboration with, other businesses and sectors.

Its proximity to other businesses makes it a target for security breaches, since it is a gateway to the personal details of its clients and of other businesses with which it regularly engages. Also, if the company is involved in critical and sensitive infrastructure projects, it could be a target for security breaches.

Therefore, it is important to consider how the Nigerian data protection regulation is likely to impact operations within the construction industry both in a general sense and on a project-specific basis.

In the general sense, Companies that employ labor would need to comply with the NDPR. Even though it is common in the construction industry not to engage labor directly but as contract staff through a third-party, construction companies are likely to deal with the personal data of individuals even where the labor is procured by third parties.

Also, construction companies do engage labor directly and may maintain buildings where personal data may be collected through site access cards and CCTV. In the general sense, construction companies must ensure that personal data collected are processed in compliance with the NDPR provisions.

On a project-specific basis, it is important to ensure that the project is NDPR compliant where applicable. A typical construction project undertaken under a contract will usually involve the frequent exchange of sensitive data with multiple third-party project partners, such as the architect, civil, mechanical, and structural engineers, planning consultants, project managers, contractors, insurers, and financiers. For example, a Design-Build Contract is a kind of construction contract.

The data exchanged may include personal data relating to the contractor, sub-contractor, supply chain, or individuals forming part of the project team. It may also involve sensitive personal data relating to accidents or health issues that need to be noted while an individual is on-site or personal data required to be provided to regulatory authorities with respect to on-site operations.

Another aspect of a construction project that must be considered is smart asset management which involves the implementation of digital processes in the design, construction, operation, and management of the built asset. The use of digital processes in the construction and management of an asset usually facilitates an increase in data collection, including personal data.

The use of technology ensures increased data collection and enhanced data analysis, thereby improving the asset life and the overall performance of the asset. If the design of the asset involves the use of technologies such as Building Information Modelling (“BIM”), the passing of developed models for purposes of managing the asset must comply with the NDPR requirement.

The NDPR will play a critical role in smartly built assets, and project owners must ensure that such projects are NDPR compliant.

Practical Guide Towards Implementing the Nigerian Data Protection Regulations Provisions

It is important that parties to a construction contract always consider whether the Nigerian Data Protection Regulation may apply in some way. This will involve carrying out an audit exercise across the organization to determine aspects of the company’s operations requiring the collection and use of personal data. The audit will detail the nature of the data, how it is used, with whom it is shared, how it is accessed, and by what means it is transferred.

In circumstances where personal data is used by the company, and a third party is engaged to process such data on its behalf, the relevant contract, be it a construction contract, consultancy agreement, operation, and maintenance contract, or supply agreement, should contain robust provisions requiring compliance with the Nigerian Data Protection Regulations provisions.

The NDPR makes it mandatory for contractual agreements with third parties to incorporate obligatory clauses requiring compliance with the NDPR. The Nigerian Data Protection Regulations also impose an obligation on parties to such a contract to carry out proper due diligence to ensure that the co-contracting party does not have a record of violating the NDPR and is otherwise accountable under the NDPR.

Therefore, it is no longer enough to deploy standard forms of construction contract; deliberate consideration should be given to the implementation of the project and how it interacts with the NDPR provisions when negotiating and drafting construction contract clauses. Engaging a construction law expert with a good understanding of the construction process and operations during the negotiation and implementation of the contract clauses is therefore important to ensure full regulatory compliance, including with the NDPR.

Besides incorporating data protection clauses in relevant contracts, practical measures must be put in place. These measures include ensuring that appropriate practices and protocols are in place and well known, so that requests for access to or transfers of personal data are handled with the necessary consideration and with appropriate protections in place.

These measures involve automating the data protection protocols using appropriate software, establishing a data protection policy, designating a Data Protection Officer for the purpose of ensuring adherence to the Nigerian Data Protection Regulations, continuous capacity building for Data Protection Officers, and the generality of personnel involved in any form of data processing, and engaging a Data Protection Compliance Organization (“DPCO”) to assist in auditing the operations.

5 Steps to comply with NDPR

Determine if your organization is a Data Controller or Data Processor

The difference between the two is that a Data Controller decides how the data is collected, used, and disclosed in line with data protection compliance, and it is the duty of the Data Controller to ensure that the personal data is obtained with explicit user consent. A Data Processor, on the other hand, processes users’ personal data on behalf of the Data Controller.

It is important to determine your type of organization because most data compliance obligations are imposed on the Data Controller. Therefore, it is the Data Controller who would be held liable in case of any violations committed by the Data Processor or by the Data Controller itself. Once you have determined the nature of the organization, ensure that the data collection and storage processes are in compliance with the NDPR.

Mitigate the Issues

Once the nature of the organization is determined, you then need to deal with the issues. For instance, if you find that your organization is not collecting data properly, the first step is to adjust the data collection processes so that you collect data only with explicit user consent. And if your organization isn’t storing or handling personal data appropriately, you may have to opt for data encryption technologies.

Appoint a Data Privacy Officer (DPO)

Similar to GDPR, you need a DPO to comply with NDPR. A DPO can either be an individual or an entity. Some primary roles of DPO are:

  • Monitoring the Internal Compliance. DPO ensures that you have taken the appropriate organizational and technical measures to protect the personal data. 
  • Offering Guidance. DPO provides advice and guidance for data protection matters. This includes ensuring that the employees are aware of the obligations under the data protection laws and providing the requisite training on data protection topics.
  • Serving as a Contact Point. A DPO acts as a contact person between the organization and the NITDA on data protection matters. 
  • Conducting the Data Protection Impact Assessment. They help in identifying and dealing with any potential risks linked with the processing of personal data. 

Submit Reports to NITDA

The data controllers who process the personal data of over 1000 subjects in 6 months must submit a soft copy of the audit to the NITDA through their appointed DPOs. Further, data controllers who process the personal data of over 2000 individuals in 12 months need to submit a copy of the audit every year. The following are some of the requirements that need to be included in the audit:

  • Detailed description of data processing activities, including the type of data collected, and the purpose of collection. Further, you need to reveal the parties with whom the data is shared. 
  • Detailed information on the data protection procedures and the requisite policies that the organization has in place. 
  • Proof of compliance with NDPR. This can be done through the attachment of a data protection assessment record, evidence of obtaining the consent of the users before the collection of data, etc. 
  • Results of risk assessments, compliance reviews, and the internal audits that your organization has conducted.

Explicitly train your staff

In addition to complying with the requirements of NDPR, ensure that your staff has been adequately trained. This is because only if the staff is trained, and they know the importance of NDPR, can they properly follow the regulations and stay compliant with them. You need to further ensure that you reach out to the training agencies or individuals that have been certified by the NITDA. 

Concluding Remarks about the Nigerian Data Protection Regulation

Even though the Nigerian data protection regulation affects construction companies in a general sense, whether it will apply in any given project will depend on the nature of the specific project and if the project involves the exchange of personal data.

It is, therefore, important for construction companies to consider each project on a case-by-case basis and, where applicable, ensure that the project is NDPR compliant by engaging professional advice during the contract procurement and project delivery phases.

Also, non-compliant companies and projects should take immediate steps to comply in order to avert regulatory enforcement and the imposition of sanctions.
