Provides guidance on Nigeria NDPR and NDPA 2023 compliance including lawful processing bases, data subject rights, cross-border transfers, DPCO registration, DPIA filing, and breach notifications.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete
This skill uses the workspace's default tool permissions.
Nigeria's data protection framework comprises the Nigeria Data Protection Regulation (NDPR) issued by NITDA in January 2019, and the Nigeria Data Protection Act (NDPA) signed into law on June 12, 2023. The NDPA established the Nigeria Data Protection Commission (NDPC) as an independent regulatory body, replacing NITDA's oversight role. The NDPA applies to the processing of personal data by any data controller or processor that is domiciled, resident, or operating in Nigeria, or that processes personal data of data subjects in Nigeria.
| Lawful Basis | Description |
|---|---|
| Consent | Data subject has given consent to the processing for one or more specific purposes. Must be freely given, specific, informed, and unambiguous. |
| Contract | Processing necessary for the performance of a contract to which the data subject is party. |
| Legal obligation | Processing necessary for compliance with a legal obligation of the controller. |
| Vital interests | Processing necessary to protect the vital interests of the data subject or another natural person. |
| Public interest | Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority. |
| Legitimate interests | Processing necessary for legitimate interests of the controller or third party, provided the interests are not overridden by the data subject's rights. |

| Right | Description | Response Period |
|---|---|---|
| Right to be informed | Receive information about data processing at the point of collection | At collection |
| Right of access | Obtain confirmation of processing and a copy of personal data | 30 days |
| Right to rectification | Correct inaccurate personal data | 30 days |
| Right to erasure | Request deletion of personal data where no lawful basis for continued processing | 30 days |
| Right to restrict processing | Request limitation of processing in certain circumstances | 30 days |
| Right to data portability | Receive personal data in a structured, commonly used, machine-readable format | 30 days |
| Right to object | Object to processing based on legitimate interests or public interest | 30 days |
| Right related to automated decision-making | Not be subject to decisions based solely on automated processing that produce legal or significant effects | 30 days |

The NDPA defines sensitive personal data as data relating to:
Processing of sensitive personal data requires explicit consent or is permitted under specific derogations (substantial public interest, employment obligations, vital interests, legal claims, health or social care purposes).
Personal data may be transferred outside Nigeria where:
The NDPC maintains a whitelist of countries with adequate protection. Controllers must conduct a transfer impact assessment and maintain records of all cross-border transfers.
Under the NDPR framework, organisations processing personal data of more than 2,000 data subjects in a 12-month period must engage a licensed Data Protection Compliance Organisation (DPCO) to conduct an annual data protection audit. The DPCO:
Controllers must conduct a DPIA prior to processing that is likely to result in a high risk to data subjects' rights and freedoms, particularly:
DPIA results must be filed with the NDPC.
| Requirement | Detail |
|---|---|
| Notification to NDPC | Within 72 hours of becoming aware of a personal data breach |
| Notification to data subjects | Without undue delay where the breach is likely to result in a high risk to rights and freedoms |
| Content of notification | Nature of breach, categories and approximate number of data subjects affected, name and contact of DPO, likely consequences, measures taken or proposed |
| Record keeping | Document all breaches regardless of notification obligation |

Data controllers and processors must register with the NDPC. The registration includes: