Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration with the Data Protection Authority and random audits.
Nigeria’s Data Protection Regulation does not include any specific requirement to register data with the Data Protection Authority. Companies are expected to conduct detailed audits of their privacy and data protection practices within 6 months of the Data Protection Regulation becoming effective.
Companies that process the personal data of more than 1,000 data subjects in 6 months are expected to submit a soft copy of the audit summary to the National Information Technology Development Agency (NITDA). Data Controllers who process the personal data of more than 2,000 data subjects in a 12-month period are also required to submit a summary of the audit to the NITDA no later than March 15 of the year following the audit. The audit should include:
- the personally identifiable information that’s collected on employees and members of the public;
- the purpose(s) of the personally identifiable information collection;
- the notice given to individuals regarding the collection and use of personal information that relates to that individual;
- the access that individuals have to review/amend/correct/supplement/delete their personal information;
- whether consent is obtained prior to collecting/using/transferring/disclosing an individual’s personally identifiable information as well as the method(s) used to obtain consent;
- organizational security policies and practices;
- organizational policies and practices for the proper use of personally identifiable information;
- organizational policies and procedures for privacy and data protection;
- organizational policies and procedures to monitor and report privacy and data protection policy violations;
- organizational policies and procedures to assess the impact of technologies on the company’s privacy and security policies.
HR Best Practices: Build in privacy considerations and risk assessments for all employee and candidate data collection processes. Commit to regular data protection audits and prepare audit summaries.