The Nigerian Data Protection Bureau (“NDPB” or “Bureau”) has issued a notice for compliance to its Whitelist for the National Data Protection Adequacy Programme (“NaDPAP”). The Whitelist which was established pursuant to section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as amended) and the Nigerian Data Protection Regulation (“NDPR”) 2019, will be published on NDPB website, in major newspapers, and will be shared with local and international establishments, and will serve as a reference for data privacy compliance in relevant transactions and proceedings.

Therefore, the Compliance Notice mandates organisations to:

a. Read and understand the NDPR – as it applies to various situations and persons involved in data processing;

b. Develop and implement a Privacy Policy that is consistent with the NDPR;

c. Notify their employees, customers, and online visitors of their Privacy Policy; and

d. Designate at least one or two members of staff as Data Protection Contacts (DPCs). These officers may, after training, become Data Protection Officers (DPOs) for the organization.

e. Mandate their service providers (agents, licensees, contactors or howsoever called) to comply with the NDPR. This is on the basis that if such service providers do not comply as required of them, they will be the weak link in data privacy and protection architecture, and as such, will create liability for the organisations.

Very importantly, organisations are required to forward the names of their DPCs (not more than 3) to the Bureau for a free Induction Course in Data Protection Regulation Compliance for Nigeria and Economic Community of West African States (ECOWAS).

The Bureau notes that any organization or establishment that fails to take the above steps and duly notify the Bureau (of the technical and organizational measures it is taking for data privacy and protection) on or before the 25th day of November 2022 will not be listed on the NaDPAP Whitelist.