(1) All public and private organizations in Nigeria that control data of natural persons
shall, within three (3) months after the date of the issuance of this Regulation,
make available to the general public their respective data protection Policies;
these Policies shall be inconformity with this Regulation.
(2) Every Data Controller shall designate a Data Protection Officer for the purpose of
ensuring adherence to this Regulation, relevant data privacy instruments and
data protection directives of the Data Controller; provided that a Data Controller
may outsource data protection to a verifiably competent firm or person.
(3) A Data Controller or Processor shall ensure continuous capacity building for Data
Protection Officers and the generality of her personnel involved in any form of
data processing.
(4) The Agency shall by this Regulation register and license Data Protection
Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor,
audit, conduct training and data protection compliance consulting to all Data
Controllers under this Regulation. The DPCOs shall be subject to Regulations
and Directives of NITDA issued from time to time.
(5) Within six (6) months after the date of issuance of this Regulations, each
organization shall conduct a detailed audit of its privacy and data protection
practices with at least each audit stating:
a. personally identifiable information the organization collects on employees
of the organization and members of the public;
b. any purpose for which the personally identifiable information is collected;
c. any notice given to individuals regarding the collection and use of personal
information relating to that individual;
d. any access given to individuals to review, amend, correct, supplement, or
delete personal information relating to that individual;
e. whether or not consent is obtained from an individual before personally
identifiable information is collected, used, transferred, or disclosed and
any method used to obtain consent;
f. the policies and practices of the organization for the security of personally
identifiable information;
18
NIGERIA DATA PROTECTION REGULATION