Nigeria rolls out data protection legislation
Nigeria now has a concrete legal instrument for the protection and processing of personal information.
“President Bola Ahmed Tinubu has signed the Nigeria Data Protection Bill, 2023 into law. The Nigeria Data Protection Act, 2023 provides a legal framework for the protection of personal information and the practice of data protection in Nigeria,” a media aide to the president tweeted.
The long-expected law enacted on 14 June repeals the Nigeria Data Protection Regulation (NDPR) and establishes the Nigeria Data Protection Commission (NDPC) — which has now replaced the Nigeria Data Protection Bureau as regulator.
Notable among provisions of the law is a section which compels data controllers or processors to ensure that personal data is processed in a fair, lawful and transparent manner, and with appropriate security, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.
Also, the law clearly outlines steps to be taken in the event of a breach of a subject’s personal data, which include notifying the data controller or Commission, without delay, depending on the nature of the breach.
Further, the law stipulates that impact assessment must be carried out in instances where the processing of personal data is likely to infringe on the rights and freedoms of the subject.
It also sets out criminal and financial sanctions for defaulters.
The personal data legislation holds promise for the West African country and has been well received by many players in the industry.
It is expected to boost the country’s data protection sector to 16.5 billion naira (about $21.6 million), as former Minister of Communications and Digital Economy Isa Pantami had projected that the then market value of 5.5 billion naira (circa $7.1 million) could triple when the Bill is passed.
Last week, the National Commissioner of NDPC, Vincent Olatunji, said there are plans to generate 500 000 jobs (of President Tinubu’s announced 1 million tech jobs) within the data protection ecosystem.
“The essence of the NDPC is rooted in respect – respect for our citizens’ personal data, respect for privacy and respect for digital rights. This respect is now firmly established in the NDPA. The change in legislation is not a mere addition to our law books; it is a transformative step towards fostering a culture where the protection of personal data is a cherished principle and an inviolable obligation,” Olatunji said.
The Association of Licensed Data Protection Compliance Organisations of Nigeria (ALDAPCON) commended the president for the move, and said it was now time for better and deeper collaboration between actors in the industry and the regulator.
Chairman of ALDAPCON, Anya, said the Act will give Nigerians a sense of enhanced data privacy and confidentiality, guarantee data sovereignty and facilitate the effective flow of data. He noted that the move will propel the country’s burgeoning data protection industry – fast-tracking the need for new skillsets and jobs that will significantly boost Nigeria’s GDP.
“The new law will ensure better clarity in the roles of data processors and data controllers,” Anya said, adding that this will benefit the overall health of the industry.
Legal experts at Lagos-based law firm Lexworth Legal Partners said the intentions of the law are good but expressed concerns over some provisions which they say need clarification.
“Firstly, the interpretation section of the Act defines data processors or data controllers of major importance but fails to prescribe the volume of data that will be processed by a data processor before they qualify for this category. Secondly, the Act does not stipulate a clear timeline for responding to a data subject’s request by a data controller or data processor and as such, it may be difficult to determine what amounts to an unreasonable delay in responding to such requests,” the team argued in a statement.