The Nigerian Data Protection Act (NDPA) provides individuals with substantial control over their personal data, making it mandatory for organisations to recognise and adhere to these provisions. Every organisation is mandated by law to respect the rights of data subjects and provide an enabling environment for them to exercise those rights freely.
The NDPA not only builds on the foundations set by the Nigeria Data Protection Regulation (NDPR) but also introduces clearer and more comprehensive stipulations concerning data subjects’ rights, particularly the right against decisions made solely by automated processes and the right to data portability.
Data Subject Rights under the NDPA
Right of access: Data subjects have the right to contact any organisation processing their personal information to request basic information such as whether the organisation processes their data and information about the processing such as the purpose, categories of data and recipients, duration of the processing, data subjects’ rights, and appropriate safeguards in case of third country transfers. Information about processing activities is usually provided in a readily accessible and intelligible privacy notice, which should be found on the website or any other medium of the service provider.
Right to erasure: The right to erasure is by far the most commonly invoked right in our experience supporting our clients. This right entails that a data subject can ask an organisation to have data about them erased from their system. This includes data in both physical and cloud storage, and such an organisation has to honour the data subject’s request within the prescribed time under the law from receipt of the request. However, the NDPA does not provide for a specific time to respond to a data subject’s request, unlike the NDPR. The right to request the erasure or deletion of data is not absolute because the organisation can deny the request on several grounds, including legal obligation. For example, if the data is subject to a legal retention period, which is commonplace with financial service providers who have a legal obligation to retain transaction data under Anti-Money Laundering Laws for a specified period of time.
Right to rectification of data: The right to rectification means that a data subject can send a request to an organisation to have their data corrected or updated in situations where the information has changed. Accuracy could be subjective or objective. For example, if a data subject has updated their marital status or simply changed their name, they can request an update of the information that the organisation holds. This right is as important as all other rights. The NDPA provides that where correction of inaccurate, incomplete, or misleading data is not possible, such data can be deleted instead.
Right to restrict processing: The right to restrict the processing of personal data could be an alternative to the erasure of data. This means that data subjects have the right to request that an organisation stop processing their data for a particular purpose. The right to restrict processing can be exercised in certain circumstances, including when the accuracy of the data is contested, the individual does not want the data to be erased, the data is no longer needed for the original purpose but may not be deleted yet because of legal grounds, or the decision on the individual's objection to processing is pending. When processing is restricted, the organisation is permitted to store the personal data but not further process it.
Right to object to processing: The NDPA provides data subjects with the right to object to the processing of personal data. By exercising this right, when it has been confirmed that the controller processes the personal data of a data subject, you can proceed to object to any further processing. Where this is the case, the data controller shall immediately discontinue the processing of personal data. However, the right to object to processing is not an absolute right, as there are situations where the request will not be honoured. These would include instances where there is an overriding public interest or the controller is able to show a compelling legitimate interest that overrides the fundamental rights, freedom, and interests of the data subject. The NDPA also allows a data subject to object to the processing of personal data for marketing purposes at any time, and such an objection is absolute.
Right to lodge a complaint: Where a data subject is dissatisfied with the decision, action, or inaction of a data controller or data processor, they have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) for remedial action. Data subjects may also institute civil proceedings for damages against a data controller or data processor for any wrong or loss suffered by a data subject as a result of the violation of the Act. In addition, the NDPA includes the right to receive compensation for breaches of any of the rights provided by law.
Right not to be subject to automated decision-making: This right is new under the NDPA. The NDPR only provided that notice of the use of automated decision-making should be given to the data subject and also as a basis for invoking the right to data portability. The NDPA now allows data subjects to object to a decision that has been reached solely based on the automated processing of personal data, including profiling, without any human intervention, which has a legal effect on the data subject. For example, suppose an AI tool is used to screen job applications without the intervention of a human being, and the applicant is rejected based on the outcome of that screening alone. In that case, the data subject has the right to object to the decision. Automated decision-making is, however, allowed if it is part of fulfilling a contract between the data controller and the data subject, provided that there are laws or written rules that protect the data subject’s rights and interests and if the data subject has given their permission for such automated decisions. For example, when purchasing a book from an online bookstore, the platform's automated system immediately checks factors like stock availability, shipping address, and payment validity to ensure a seamless transaction. This automated decision-making may be justified because the purchaser is entering into a contract with the platform, has likely agreed to the platform's terms, which authorise such processes, and implicitly consents to these automated checks by using the service.
Right to data portability: The right to data portability comprises three separate requests. First, the data subject has the right to request that their data be given to them in a structured, commonly used, and machine-readable format without undue delay. Second, the data subject can transmit the data obtained in a readable format to another organisation without any hindrance. Lastly, the data subject can request for the data to be transmitted directly to another organisation where it is technically possible to do so. The format here could include data exchange file formats such as Portable Document Format (PDF), Comma Separated Values (CSV), and Microsoft Excel (XLS), among others. This right is already being incorporated into the practices of most big tech companies, which afford data subjects the option to request their data in a particular format or simply download it. The Nigeria Data Protection Commission (NDPC) is empowered under the Act to prescribe conditions and circumstances under which the right to data portability may be exercised and obligations to be imposed on data controllers or data processors in relation to costs and timing.
Right to withdraw consent: Where consent is the legal basis for processing personal data, the NDPA empowers the data subject to withdraw such consent at any time. The Act also requires an organisation to make the withdrawal of consent as easy as when it is obtained. In other words, where the data subject has given consent in a simple format, the data controller must ensure the withdrawal of consent is equally easy without additional barriers. It is important to note that withdrawal of consent does not affect the lawfulness of processing by a data controller undertaken on the basis of consent before the data subject withdrew his consent.
There exists a critical relationship between data subjects' rights and the lawful bases for processing personal data that every organisation must understand. Thus, the exercise of rights has to conform to the lawful basis for processing data. For example, the right to erasure will not be honoured where the data controller has a legal obligation to retain the data for a particular period of time. The image below from the Irish Data Protection Commission illustrates this relationship.
Operationalising: Building an Effective Data Subject Rights Request Procedure
Although knowledge and communication of data subjects' rights are important for every organisation, it is even more important to establish an effective data subject rights management system. This means that there should be a process for handling data subjects' rights. This process clearly establishes the procedure for receiving data subjects' requests and responding to them. It also defines the time frame for such responses and the manner of the response. Building a sustainable data subject's rights request routine implies that an organisation will need to train staff who interface with data subjects on how to identify, harmonise, and respond to requests, among other things. To implement an effective data subject rights request procedure in an organisation, follow these important steps:
Establish a clear procedure: Create a documented procedure that outlines the steps to be followed when handling data subject requests in the organisation. This will serve as a reference point for employees of the organisation and also form the basis of role-based training within the organisation. Thus, the procedure should be easily accessible to all employees involved in processing requests. The procedure should contain a script for responding to different situations. For example, where the right can be complied with or where it can be refused.
Train employees: Provide training to employees who will be responsible for handling data subject requests. Ensure they understand the requirements of data subject rights under the NDPA and NDPR. This training should cover topics like verifying the identity of the requester, understanding the scope of the request, and handling personal data securely.
Designate a point of contact: Assign a specific individual or team to handle requests within the organisation. This point of contact should be responsible for receiving, reviewing, and responding to all requests in a timely manner. The designated contact should be easily accessible to all data subjects and should be specific to the purpose. Organisations can use emails, forms, phone numbers, or social media channels to receive requests from data subjects.
Harmonise the intake process: To effectively manage and promptly address data subjects' rights requests, it is essential to unify and standardise the process of receiving such requests. These requests might originate from various sources – a tag on social media, a direct message across media platforms, from a third-party proxy, an email sent to the designated privacy address, or even embedded within a complaint. Hence, it is vital to equip relevant staff with the necessary training to swiftly recognise these specific requests and promptly escalate them to the appropriate team for action.
Establish a verification process: Develop a process to verify the identity of the data subject making the request to avoid disclosing data wrongfully. This is also important if the right is invoked by a third-party on behalf of a data subject, which may, in addition, require the verification of the authorisation. This may involve requesting additional information or documentation to ensure the requester's identity is legitimate or the use of security measures such as two-factor authentication. In verifying, you cannot over-verify or under-verify. For context, it is recommended to verify existing information held about the data subject rather than ask for unnecessary additional information. For example, if all you have is the email address of the data subject, it is overreaching to ask for a government-issued ID.
Review and locate relevant data: Review the request and identify the relevant data that needs to be provided, corrected, restricted, or deleted. This may involve searching various systems and databases to locate the requested information. The staff training should also include understanding the kinds of data held by an organisation and its location. For this exercise, having a Record of Processing Activities (RoPA) will be useful. It is an implied legal requirement under the NDPA to have a RoPA.
Ensure data accuracy and completeness: For access requests, before providing the data to the data subject, verify that it is accurate, complete, and up-to-date. If any inaccuracies are identified, take steps to rectify them before sharing the information.
“Package” and deliver the data: Where a data subject seeks to exercise the right to data portability, "package" the requested data in a machine-readable format and deliver it securely to the other organisation as requested by the data subject. Consider using secure file transfer methods or encrypted email to protect the privacy of the data.
Inform the data subject of their rights: Along with honouring a data subject's request, inform the data subject of their rights under the NDPA, as highlighted above. This is common when the request is for access to data.
Maintain documentation: Keep a record of all requests received, the actions taken, the responses provided, and the timeframe for the responses. This documentation is important for demonstrating compliance with the NDPA. For this, organisations are advised to maintain a DSR register that monitors the requests received and the response time. Organisations should ensure that the response time is not later than one month, as prescribed by the NDPR.
Regularly review and update the procedure: Data protection laws may change over time, so it is important to regularly review and update the DSRR procedure to ensure ongoing compliance and to serve clients better.
Review and address all requests: A rising number of third-party intermediaries and service providers are aiding data subjects in sending rights requests, particularly for those aiming to minimise their digital footprints. Regardless of the perceived inconvenience these requests may present, addressing each with consistent priority and promptness is essential.
Use metrics to evaluate the process: Managing data subject rights requests efficiently requires a systematic and consistent approach that includes measuring, analysing, and refining based on identified trends. By closely monitoring key metrics such as the volume of requests, the average resolution time, the request's source, the geographic distribution for multinationals, the nature of the request, the rate of successful resolutions, and feedback from data subjects, organisations can gain valuable insights. These metrics aid in ensuring compliance and act as a testament to the organisation's commitment to the rights of its data subjects.
Handling excessive requests: Situations are likely to arise where an organisation will receive excessive or repeated DSRs from the same data subject. To deal with excessive requests, organisations may consider imposing a limit on the number of requests a single person may make within a given time period. In addition, data subjects should be made to bear additional costs incurred by an organisation in order to meet their excessive requests. For example, the NDPA allows a data subject to bear extra costs that may be incurred by an organisation when the right to data portability is exercised. Thus, when providing information in a commonly used electronic format would incur extra costs for the data controller, the data subject may bear all or some of the cost.
Conclusion
Responding to data subject rights requests is a legal requirement, and it is crucial for all organisations to establish, maintain, and implement an effective procedure for handling these requests. Specific role training for staff of all organisations processing data is essential to this process as they are the first point of contact for data subjects. Pending when the Commission develops and publishes an implementation framework for the NDPA, which should provide guidance and clarity around issues like the timeline to respond to requests from data subjects, following the steps discussed in this article will be beneficial to your organisation. Constant practice and experience will also assist in building an effective system that will work for your organisation.
Navigating the intricacies of data subject rights requests can be complex. If ever in doubt or if you are keen on enhancing your current processes, it is always wise to seek guidance from professionals in the field. Their expertise can offer clarity, efficiency, and compliance assurance, ensuring that your practices align with the highest standards in data protection.
Tech Hive Advisory is a licensed data protection compliance organisation (DPCO) renowned for our top-tier consulting services, with a presence in Africa and Europe. Our expertise and commitment to excellence have made us a trusted choice for global businesses seeking robust data protection solutions in the markets in which we operate.