CHAPTER 3:

3.0 IMPLEMENTATION MECHANISMS
3.1 All public and private organizations in Nigeria that control data of natural persons
shall within 3 months after the date of the issuance of this Regulation make available to
the general public their respective data protection Policies; which Policies shall be
in conformity with this Regulation.
3.1.2 Every Data Controller shall designate a Data Protection Officer for the purpose of
ensuring adherence to this Regulation, relevant data privacy instruments and data
protection directives of the data controller; provided that a data controller may
outsource data protection to a verifiably competent firm or person.
3.1.3 A Data Controller or Processor shall ensure continuous capacity building for her
Data Protection Officers and the generality of her personnel involved in any form of data
processing.
3.1.4 The Agency shall by this Regulation register and license Data Protection
Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor, audit,
conduct training and data protection compliance consulting to all Data Controllers under
this Regulation. The DPCOs shall be subject to Regulations and Directives of NITDA
issued from time to time.
3.1.5 Within 6 months after the date of issuance of this Regulation, each organization
shall conduct a detailed audit of its privacy and data protection practices with at least
each audit stating:
a) the personally identifiable information the organization collects on employees
of the organization and members of the public;
b) any purpose for which the personally identifiable information is collected;
c) any notice given to individuals regarding the collection and use of personal
information relating to that individual;
d) any access given to individuals to review, amend, correct, supplement, or
delete personal information relating to that individual;
e) whether or not consent is obtained from an individual before personally
identifiable information is collected, used, transferred, or disclosed and any
method used to obtain consent;
f) the policies and practices of the organization for the security of personally
identifiable information;
