What are the penalties for noncompliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Employers and other data controllers subject to the Nigeria Data Protection Regulation (2019, 2.10) are liable for breaching an individual’s data privacy rights. Employers who handle the personal data of more than 10,000 data subjects may be subject to a fine of 2% of annual gross revenue from the previous year or 10 million Naira, whichever is larger. Employers handling the personal data of fewer than 10,000 data subjects may be subject to a fine of 1% of annual gross revenue from the previous year or 2 million Naira, whichever is larger.
Additionally, a breach of the Regulation can also be a breach of the NITDA Act. Corporate bodies and individuals who commit an offence under the NITDA Act can be separately liable for a fine of 200,000 Naira and/or 1 year of imprisonment for a first offence. Subsequent offences can result in a fine of 500,000 Naira and/or 3 years of imprisonment.
HR Best Practices: Employers must meet the general duty of care requirement outlined in the Regulation. This includes being liable for the actions or inactions of third parties. Before processing personal data, make sure you are in line with the security measures necessary to protect data held within your organization and by third parties.