Data Protection – Frequently Asked Questions 

June, 2021 - Ifeoluwa Ebiseni

The National Information Technology Development Agency (NITDA) had set a revised deadline (June 30, 2021) for the filing of data protection audits by data controllers.

With the deadline fast approaching, we share some frequently asked questions (FAQ) on Data Protection in our publication, accessible here, which may aid in understanding what companies need to do in order to comply with NITDA’s directives.


  1. Does the NDPR apply to our organisation?

The NDPR applies to all transactions “intended for the processing” or the “actual processing” of the personal data of Nigerians and non-Nigerians residing in Nigeria.

Where your organisation collects, records, organises, structures, stores, adapts, alters, retrieves, consults, uses, discloses by transmission, disseminates or otherwise makes available, aligns or combines, restricts, erases or destroys personal data, your organisation will be seen as processing personal data. Consequently, the NDPR and its compliance obligations will apply to you.

  2. What is personal data?

This is information that relates to natural persons. It can be used to directly or indirectly identify an individual. It can be anything from a name, address, photograph, email address, bank details, posts on social networking websites, medical information, and other unique identifiers such as but not limited to MAC addresses, IP addresses, IMEI numbers, IMSI numbers, SIMs and others.

  3. Who is a data subject?

A data subject is defined under the NDPR as “an identifiable person; one who can be identified directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

In simple terms, a data subject is any person whose personal data is being processed.

  4. Are all organisations data controllers?

A data controller is an individual (including an entity) that processes personal data. The NDPR defines a data controller as “a person who either alone, jointly with other persons or in common with other persons or as a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed”.

Any organisation that collects personal data of data subjects and determines the purpose for which the data is processed is a data controller. Some organisations may be data controllers while some may be data processors, depending on the role of each party.

Nonetheless, organisations would be regarded as data controllers where they collect data of their employees, and others, and determine how their data is to be processed.

  5. Why is a privacy policy necessary?

A privacy policy is one of the most important documents on any website or other digital platform of the data controller. A privacy policy is necessary in order to notify data subjects of the policies regarding the collection, use and disclosure of their personal information.

  6. Who is a data protection officer?

A data protection officer is responsible for overseeing a company’s data protection strategy and ensuring compliance with NDPR requirements.

  7. Must my organisation have a data protection officer?

Yes. Every data controller shall designate a data protection officer for the purpose of ensuring adherence to the NDPR, relevant data privacy instruments and data protection directives of the data controller; provided that a data controller may outsource data protection to a verifiably competent firm or person.

  8. What is the fuss about the March 15 annual deadline?

One of the obligations of any organisation that processes personal data of up to 1000 data subjects in a six-month period, and 2000 data subjects in a twelve-month period, is the filing of a data audit report with the National Information Technology Development Agency (NITDA).

Data audits are investigations or examinations of the records, processes and procedures of data controllers and processors to ensure they are in compliance with the requirements of the NDPR. Data audits are carried out by Data Protection Compliance Organizations (DPCOs). DPCOs, such as AELEX on behalf of NITDA, monitor, audit and conduct training on data protection compliance for all organizations.

The deadline for the annual data protection audit is March 15. However, please note that for the year 2021, NITDA has extended the deadline to June 30, 2021.

  9. What role does a DPCO perform? Is AELEX a DPCO?

Yes, AELEX is a DPCO. The roles we perform include:

  1. Conducting trainings for data controllers and data administrators on data protection/privacy practices;
  2. Providing data protection and privacy advisory services;
  3. Conducting data privacy breach impact assessment;
  4. Drafting Data Regulations Contracts;
  5. Providing data protection and privacy breach remediation planning and support services;
  6. Conducting information privacy audits;
  7. Carrying out data protection and privacy due diligence investigation.

