Data Privacy 101: Startup Compliance under the NDPA

In today’s digital world, entire industries survive on data. From collecting personal data during user signup to utilizing location and behavioural information for personalization features, the purposes to which data can be put (and the means of collecting said data) remain endless. With data’s increased importance has come increased scrutiny from regulators around the world on how companies (known as Data Controllers) collect and process the personal data of individuals (referred to as Data Subjects). Nigeria is no different. The FCCPC’s recent decision to fine Meta $220 million due to concerns regarding its lax data protection practices is instructive.

Data privacy and protection as a legal discipline is built on the recognition of four basic concepts: personal data, the Data Subject, the Data Controller, and finally, the Data Processor. These will be examined below.

Personal data

Personal data, as the name implies, is data that is directly attributable to a person who can be identified or is identifiable via reference to the data in question. Section 65 of the NDPA puts it thus:

“Personal data” means any information relating to an individual, who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual

Thus, while a person’s name, email address, profile picture and even Twitter posts would all constitute personal data since an individual can be identified via reference to them, generic data like stock market prices or even fully anonymized surveys would not.

Within the broader classification of personal data, there also exists a smaller subset of personal data that is afforded even more elevated protection — sensitive personal data. Sensitive personal data includes data considered most personal to an individual. Genetic and biometric information, race, political opinions/affiliations, and even health records all fall within this smaller bucket and enjoy the highest standards of protection under law.

The Data Subject

The Data Subject is simply the person to whom personal data relates and who can be specifically identified by reference to the data in question. Under Part IV of the NDPA, the Data Subject is afforded certain rights including:

  • Confirmation as to whether a data controller is storing or otherwise processing personal data relating to the data subject;

  • Right to obtain a copy of the personal data being processed;

  • Right to correction of their personal data;

  • Right to erasure of personal data concerning them;

  • Right to withdraw consent to the processing of their personal data.

The Data Controller

Per Section 65 of the NDPA, a Data Controller refers to:

An individual, private entity, public Commission, agency or any other body who, alone or jointly with others, determines the purposes and means of processing of personal data.

In other words, a Data Controller is simply any entity that collects personal data from Data Subjects and ultimately decides how and for what reasons such data should be processed. Companies like Spotify, Google, and Meta all fall under the Data Controller classification within the context of the NDPA.

The Data Processor

The Data Processor refers to the entity that processes personal data at the behest of a Data Controller. Thus, while Data Controllers generally determine how data is to be processed and for what purpose, Data Processors are the entities that perform the actual processing. In a given data processing context, one entity can serve as both the Data Controller AND Data Processor while in other cases, the roles may be split between two or more entities.

Where Spotify collects and processes personal data in-house for instance, they would be both Data Controller and Data Processor. However, in a situation where a government agency contracts a tech company to aid it in—say—digitalizing tax records, while the Agency would remain the Data Controller (since it retains the authority to direct why, how and when data processing should be carried out), the tech company would be the Data Processor in this context.

The Nigeria Data Protection Act, 2023

The NDPA is the foremost statute regulating data privacy and protection in Nigeria. It is modeled after the EU’s General Data Protection Regulation (GDPR) and replaced the Nigeria Data Protection Regulation (NDPR) issued by NITDA in 2019. It establishes the Nigeria Data Protection Commission as the regulatory body in charge of overseeing the enforcement of the NDPA’s provisions. While the provisions of the NDPA are extensive in scope, for startups, staying compliant under the NDPA simply involves an understanding of two basic concepts:

  1. When companies can collect and process personal data; and

  2. How such processing can be carried out.

Legal bases under the NDPA: when companies can process data

Under the NDPA, for a Data Controller to validly collect and process the personal data of data subjects, such processing must be done pursuant to any of 6 lawful bases provided for under the Act. These bases are:

  • Consent of the data subject;

  • Performance of a contract to which the data subject is a party;

  • Compliance with a legal obligation;

  • Protection of the vital interest of the data subject;

  • Processing done under official authority or in public interest; and

  • Legitimate interest of the Data Controller.

Consent (Section 25(1)(a))

Consent is the primary legal basis on which a Data Controller can rely for the processing of the personal data of a Data Subject. Consent refers to permission given by an individual to a Data Controller for the purpose of collecting and processing the personal data of that individual. For consent to be valid, it must be given for an explicitly communicated purpose. Processing done pursuant to such consent must also not be for any purpose outside that expressly permitted by the Data Subject. Furthermore, consent is not permanent and can be revoked at any time by the Data Subject. The NDPA mandates that Data Controllers make the process of revoking consent as seamless as the process for granting one.

As consent is often the safest and most reliable basis for the processing of personal data, it is widely employed on the web today. Privacy policies and cookie trackers are good examples of how the concept of consent is deployed in practice. Under Section 26(1), the burden of proving consent rests on the Data Controller.

Performance of a contract to which the Data Subject is a party (Section 25(1)(b)(i))

Where a contract exists between a Data Subject and a Data Controller, processing carried out by the Data Controller for purposes of fulfilling their obligations under the contract would be lawful. For instance, if Fati, an influencer, enters into a contract with a social media management company to boost her social media engagement, any processing done in pursuit of that objective would be legal. The same logic would apply to the contractual relationship between an employer and employee, or between Chowdeck and a customer trying to order food. The employer would possess legal basis to collect and process any personal data relevant to the contractual relationship between the parties, while Chowdeck would have legal basis to process any data necessary for the fulfillment of a customer’s order.

Compliance with a legal obligation to which the Data Controller or Data Processor is subject (Section 25(1)(b)(ii))

This basis is straightforward. Where the Data Controller or Data Processor is subject to any obligation under law requiring the collecting, processing, storing, or disclosure of any data, anything done in fulfillment of that obligation would be lawful. Thus activities like bank KYCs and transaction monitoring would be deemed lawful under this basis.

Protection of the vital interest of the Data Subject or another person (Section 25(1)(b)(iii))

In certain emergency circumstances, processing may be lawful, even without the consent of the Data Subject, when it is done to protect their vital interest. Thus, where an individual gets in a car accident and is rushed to the hospital, processing of personal data done in order to admit and offer them life-saving treatment would have legitimate basis.

Processing done under official authority or in public interest (Section 25(1)(b)(iv))

Where a government agency is empowered by law to carry out certain functions or to exercise certain authority, any processing reasonably done in the performance of such function or the exercise of such authority would have lawful basis. Consequently, law enforcement can analyze traffic camera footage, document arrests, etc. without going afoul of the NDPA.

Legitimate interest of the Data Controller (Section 25(1)(b)(v))

Legitimate interest, the sixth and final basis, allows Data Controllers to collect and process personal data where this is done in pursuit of a legitimate interest. Legitimate interest can be anything from improving their product offerings to simply offering better personalized content. However, for processing done pursuant to this basis to be lawful, it must fulfil three strict criteria as contained in Section 25(2):

  • Must not override the fundamental rights, freedoms, and interests of the Data Subject;

  • Must not be incompatible with any other lawful basis of processing;

  • The Data Subject should have reasonably expected that his data would be processed in the manner envisaged.

With the question of legal basis (when processing would be lawful) out of the way, the question of data processing principles (how processing must be carried out to be lawful) will now be examined.

Principles of data processing: how companies can process data

Section 24 of the NDPA delineates the bulk of the principles Data Controllers and Processors must follow to ensure processing does not violate the rights of Data Subjects. They include that:

  • Data must be processed in a fair, lawful and transparent manner;

  • Data must be collected for specified, explicit, and legitimate purposes;

  • Data should not be retained for longer than is necessary to achieve the lawful basis for which the data is being processed;

  • Data must be handled securely.

A Data Controller owes a statutory duty of care to Data Subjects to ensure that these principles are adhered to. A failure to do so would likely open the Data Controller up to severe legal liability.

What does the NDPA mean for Startups and Businesses?

As the Nigerian tech ecosystem continues to grow at unprecedented rates, the NDPA is a crucial piece of legislation ensuring that companies’ increasing need for data is balanced with users’ fundamental need to protect their privacy. For startups, a solid understanding of the NDPA’s provisions is essential to staying on the right side of data privacy law and in the process avoiding large, unnecessary fines. Before processing personal data, companies should ensure:

  • They have lawful basis to process said data;

  • Data is used strictly for the purpose specified;

  • Data is handled securely and transparently;

  • Data subjects are given ample opportunity to request amendment or deletion of their personal data.

Personal data must always be processed pursuant to a clearly defined lawful basis, collected via fair and transparent means, and handled with respect for the rights of Data Subjects at all times. Businesses should also consider appointing a dedicated Data Protection Officer to ensure comprehensive NDPA compliance.
