Data Privacy Impact Assessment (Nigeria)

DATA PRIVACY IMPACT ASSESSMENT (DPIA)

Nigeria Data Protection Act 2023 (NDPA) — Sections 29–31 | Nigeria Data Protection Commission (NDPC)

Data Controller: [Organisation Name] (RC: [Organisation RC])

Data Protection Officer: [DPO Name]

Processing Activity: [Project Name]

Project / Business Owner: [Project Owner]

Assessment Date: [Assessment Date]

PART 1 — DESCRIPTION OF PROCESSING ACTIVITY

1.1 Processing Activity Description

[Processing Description]

1.2 Categories of Personal Data

[Data Categories]

1.3 Data Subjects Affected

[Data Subjects]

1.4 Purpose and Legal Basis

[Processing Purpose]

1.5 Necessity and Proportionality Assessment

[Necessity Assessment]

PART 2 — RISK IDENTIFICATION AND ASSESSMENT

The following risks to data subjects' rights and freedoms have been identified. Each risk is assessed by Likelihood (1=Unlikely, 2=Possible, 3=Likely) and Severity (1=Low, 2=Medium, 3=High). Risk Score = Likelihood × Severity.

Risk 1:

[Risk 1]

Risk 2:

[Risk 2]

Risk 3:

[Risk 3]

Additional Risks:

[Additional Risks]

PART 3 — MITIGATION MEASURES

3.1 Mitigation Measures

[Mitigation Measures]

3.2 Residual Risk Assessment

[Residual Risk]

3.3 NDPC Prior Consultation (NDPA 2023 Section 31)

NDPC consultation required: [NDPC Consultation].

[NDPC Consultation Details]

PART 4 — DPO REVIEW AND SIGN-OFF

4.1 DPO Conclusion

[DPO Conclusion]

4.2 DPIA Review Schedule

[Review Schedule]

DPO Signature: _________________________ Date: _________________________

[DPO Name]

Senior Management Approval: _________________________ Date: _________________________

Data Protection Officer

________________

Signature

Senior Management (Approving Authority)

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Data Privacy Impact Assessment (Nigeria)?

A Data Privacy Impact Assessment (DPIA) in Nigeria records the privacy impact assessment of a processing activity in a form the parties and authorities can rely on.

The NDPA 2023, enacted on 14 June 2023, established the Nigeria Data Protection Commission (NDPC) as the supervisory authority for data protection in Nigeria. Section 29 of the NDPA requires data controllers to conduct a DPIA before commencing processing operations that are likely to result in high risk to data subjects' rights, having regard to the nature, scope, context, and purpose of the processing. Where the DPIA indicates that the processing would result in a high risk that cannot be mitigated by appropriate measures, the data controller must consult the NDPC before proceeding with the processing under NDPA Section 31.

The NDPA's DPIA requirements are closely modelled on the European Union's General Data Protection Regulation (GDPR) Article 35 approach, which Nigeria's legislative drafters consulted during the drafting of the NDPA. Nigerian organisations operating in global markets or working with EU-based partners will recognise the DPIA framework as substantially similar to GDPR requirements, enabling multinational compliance.

Processing activities that typically require a DPIA under NDPA Section 29 guidance include: large-scale processing of sensitive personal data (health, biometric, financial, religious, ethnic); systematic monitoring of individuals in public spaces using CCTV, facial recognition, or tracking technologies; processing involving automated decision-making with legal or similarly significant effects on individuals (credit scoring, insurance underwriting, employment decisions made by algorithm); large-scale profiling of individuals; processing involving children's personal data; and novel processing technologies or approaches where the privacy impact is uncertain.

The NDPC has indicated that it will publish guidance on categories of processing that automatically require a DPIA (the 'blacklist' approach used by EU supervisory authorities), but pending such guidance, organisations should apply the high-risk criteria set out in NDPA Section 29 and international standard practices including the EDPB's DPIA Guidelines.

The legal framework governing the Data Privacy Impact Assessment (Nigeria) in Nigeria draws on several key statutes and regulatory bodies. Under Nigerian law, the Companies and Allied Matters Act 2020 (CAMA) regulates corporate entities through the Corporate Affairs Commission (CAC). The Labour Act (Cap L1 LFN 2004) and the National Industrial Court of Nigeria (NICN) govern employment disputes. The Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Commission (NDPC) protect personal data. The Federal Inland Revenue Service (FIRS) administers tax obligations under the Companies Income Tax Act. The Federal High Court and state High Courts have jurisdiction over civil matters. Parties executing a Data Privacy Impact Assessment (Nigeria) in Nigeria should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Companies and Allied Matters Act (CAMA) 2020 sets the foundational requirements.

When Do You Need a Data Privacy Impact Assessment (Nigeria)?

A Nigeria Data Privacy Impact Assessment is required before commencing any processing activity likely to result in high risk to data subjects under NDPA 2023 Section 29, and is best practice for any significant new processing activity.

Financial institutions developing new credit scoring, loan underwriting, or fraud detection systems that use algorithmic automated decision-making based on individuals' personal and financial data must conduct a DPIA before deploying the system. Automated credit decisions have legal or similarly significant effects on individuals and are a high-risk processing activity.

Healthtech companies, hospitals, and health insurance providers implementing new digital health platforms, patient data analytics, telemedicine services, or health wearable integrations — processing health data (a sensitive personal data category under NDPA 2023) at scale — must conduct a DPIA before launching the system.

Employers implementing biometric attendance tracking, workplace monitoring software, productivity tracking tools, or systematic location tracking of employees must conduct a DPIA, as biometric data is a sensitive personal data category and systematic employee monitoring raises significant privacy risks.

Government agencies and regulatory bodies implementing new national ID databases, social welfare beneficiary registries, tax identification systems, or public health surveillance platforms — processing personal data of large numbers of Nigerian residents — must conduct a DPIA under NDPA 2023 and, where high risk is identified, consult the NDPC before proceeding.

E-commerce platforms, social media companies, and digital advertising networks operating in Nigeria that engage in large-scale profiling of Nigerian users for targeted advertising, content personalisation, or behavioural analytics must conduct a DPIA, as large-scale profiling is a high-risk processing category.

Organisations that transfer personal data of Nigerian residents to countries outside Nigeria under NDPA 2023 Section 43 — particularly where the transfer involves sensitive personal data or large volumes of data — should conduct a DPIA or transfer impact assessment to document the adequacy of safeguards.

Parties in Nigeria should prepare a Data Privacy Impact Assessment (Nigeria) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your Data Privacy Impact Assessment (Nigeria)

A Nigeria Data Privacy Impact Assessment document must address the following components to comply with NDPA 2023 requirements and NDPC expectations.

Description of the processing activity: a systematic description of the nature, scope, context, and purpose of the proposed processing — what data will be collected, from whom, how, for what purpose, for how long, who will have access, and how it will be shared. This description provides the factual baseline for the risk assessment.

Necessity and proportionality assessment: an analysis of whether the processing is necessary to achieve the stated purpose and whether the privacy intrusion is proportionate to the benefit. For each data element collected, the data controller should justify its necessity — data minimisation is a core NDPA principle.

Identification of risks to data subjects' rights and freedoms: a structured analysis of the risks the processing poses — risks of unauthorised access, breach, discrimination, financial harm, reputational harm, loss of control over personal data, and risks to special categories of data subjects including children (under the Child Rights Act 2003). Each risk should be characterised by likelihood and severity.

Existing controls and mitigation measures: identification of technical and organisational controls already in place to address identified risks — encryption, access controls, pseudonymisation, staff training, audit logs — and assessment of whether these controls adequately reduce the risk to an acceptable level consistent with NDPA 2023 requirements.

Residual risk assessment: after considering mitigation measures, assessment of whether any unacceptable residual risk remains. Where unacceptable residual risk exists, the data controller must either implement additional measures or consult the NDPC under NDPA 2023 Section 31 before proceeding.

NDPC consultation record: where prior NDPC consultation was required (unacceptable residual risk after mitigation), documentation of the consultation request, the NDPC's response, and any conditions or recommendations imposed by the NDPC.

Data subject consultation: where appropriate, evidence of consultation with affected data subjects or their representatives, which the NDPA 2023 identifies as a factor in demonstrating accountability.

Sign-off and review schedule: formal approval of the DPIA by the Data Protection Officer (DPO), senior management, and relevant business owners; and a schedule for reviewing and updating the DPIA if the processing activity changes materially.

Forms-legal.com provides this template as a starting point for Nigeria-compliant documentation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Data Privacy Impact Assessment (Nigeria) (Nigeria) [Legal document template]. Forms Legal. https://forms-legal.com/nigeria/business/policies/data-privacy-impact-assessment-nigeria


Based on Companies and Allied Matters Act (CAMA) 2020 — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
