A data breach can happen to any organisation, regardless of size or sector. The Nigeria Data Protection Act 2023 (NDPA) sets out specific notification obligations that organisations must meet when a breach occurs. This article explains what those obligations are and how to prepare for them.

What Is a Personal Data Breach?

Under the NDPA, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Typical examples include ransomware attacks that encrypt personal data, phishing attacks that result in unauthorised access to email accounts, accidental disclosure of personal data to the wrong recipient, and theft of a laptop containing unencrypted personal data.

The 72-Hour Notification Rule

The NDPA requires that a data controller notify the Nigeria Data Protection Commission (NDPC) of a personal data breach within 72 hours of becoming aware of it. The notification must include: a description of the nature of the breach, the categories and approximate number of individuals affected, the categories and approximate number of personal data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach.

When Notification Is Not Required

Notification to the NDPC is not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals. For example, if encrypted data is lost but the encryption key is secure, the risk may be low enough that notification is unnecessary. However, this exception should be applied carefully and the assessment must be documented.

Notification to Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, the organisation must also notify the affected individuals without undue delay. The notification must use clear and plain language and describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.

Internal Breach Response

A workable breach response plan should include: a clear definition of what constitutes a reportable breach, a designated response team with defined responsibilities, an escalation path to senior management and legal counsel, a documented process for assessing the severity of a breach, template notifications to the NDPC and to affected individuals, and a breach register for recording all breaches, whether reportable or not.

Consequences of Non-Compliance

Failure to notify the NDPC within 72 hours, where notification was required, can result in administrative fines under the NDPA. Beyond fines, there is the reputational risk of a breach becoming public before the organisation has communicated with affected individuals.

Conclusion

Data breach preparedness requires regular testing of the breach response plan, training of staff, and updating of the plan as the organisation and its data processing activities evolve.

This article is for general information only. For advice on data breach response planning or NDPA compliance, contact Marturion Legal.