
A Quick Guide to Compliance with the New Data Protection Act for Background Screening Companies

December 6, 2024

Overview of the Data Protection Act

The Nigeria Data Protection Act 2023 builds on the Nigeria Data Protection Regulation (NDPR) of 2019 and now provides the primary statutory framework for the protection of personal data in Nigeria, with the Nigeria Data Protection Commission (NDPC) as the regulator. It emphasizes lawful, fair, and transparent data handling, with a focus on data minimization, accuracy, purpose limitation, and secure processing.

Key Principles

  1. Lawfulness, Fairness, Transparency: Data must be processed legally and openly.
  2. Purpose Limitation: Data should only be used for specific, legitimate purposes.
  3. Data Minimization: Only collect necessary information.
  4. Accuracy: Keep data accurate and updated.
  5. Storage Limitation: Retain data only for as long as needed.
  6. Integrity & Confidentiality: Protect data against unauthorized access and breaches.
  7. Accountability: Organizations must demonstrate compliance with data protection principles.

Compliance Requirements for Background Screening Companies

1. Consent & Data Subject Rights

  • Identify and document a lawful basis for each processing activity before collecting data. Consent is one basis among several under the Act (others include performance of a contract and compliance with a legal obligation); where consent is relied on, obtain it explicitly and keep a record of it.
  • Respect data subjects' rights, including access, rectification, erasure, restriction of processing, objection to processing, and data portability, and have a documented process for responding to such requests.

2. Data Protection Impact Assessments (DPIAs)

  • Conduct DPIAs to assess and mitigate risks, especially for high-risk data activities.

3. Data Breach Notification

  • Report personal data breaches to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of them. Notify affected data subjects without undue delay if the breach is likely to pose a high risk to their rights and freedoms.

4. Data Protection Officer (DPO)

  • Appoint a DPO to oversee compliance and serve as the point of contact for the regulator and data subjects. The Act requires this for data controllers and processors of major importance, a category a screening firm handling sensitive personal data is likely to fall into.

5. Third-Party Agreements

  • Ensure data processing agreements with third parties (verification partners, cloud providers, analytics vendors) meet the Act's standards: processing only on documented instructions, confidentiality, appropriate security measures, prompt breach notification to you, and controls on sub-processors.

6. Security Measures & Record Keeping

  • Implement strong data security controls, including encryption in transit and at rest, pseudonymization of identifiers wherever the full identity is not needed, least-privilege access control, and regular vulnerability assessments.
  • Keep detailed records of processing activities, including data categories, processing purposes, and retention periods, for review by regulatory authorities.
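The pseudonymization and storage-limitation points above are the two that translate most directly into code. The following is an added example, not code from the original post or from any particular screening firm: it tokenizes the direct identifiers of a constructed background-check record with a keyed HMAC, keeps the re-identification table separate from the output, and flags records whose retention period has elapsed. The record fields, the retention period and the key handling are assumptions for illustration.

```python
"""Pseudonymize a background-check record and check it against a retention period.

Added example, not part of the original post. The sample record, field names
and retention period are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample: one screening subject as a firm might store it.
SAMPLE_RECORD = {
    "full_name": "Ada Okafor",
    "national_id": "12345678901",
    "email": "ada.okafor@example.com",
    "phone": "+2348012345678",
    "check_type": "employment_history",
    "result": "verified",
    "collected_on": "2024-01-15",
}

# Fields that directly identify the data subject; these are replaced by tokens.
# Non-identifying fields (check type, result, dates) are left in place.
DIRECT_IDENTIFIERS = ("full_name", "national_id", "email", "phone")


def make_token(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC rather than a plain hash: an attacker holding only the pseudonymized
    dataset cannot confirm a guessed phone number or ID by hashing it, because
    they lack the key. The field name is mixed in so the same string in two
    different fields yields two unrelated tokens.
    """
    msg = field.encode("utf-8") + b"\x00" + value.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of record with direct identifiers replaced by tokens.

    'lookup' (token -> original value) is the re-identification table. It must
    be stored separately from the pseudonymized output, under stricter access
    control, otherwise the data is merely reformatted, not pseudonymized.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = out.get(field)
        if value is None:
            continue
        token = make_token(key, field, value)
        lookup[token] = value
        out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore original identifiers for a record, for staff with lookup access.

    Tokens not present in the lookup (e.g. issued under a different key) are
    left untouched rather than guessed.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        token = out.get(field)
        if token in lookup:
            out[field] = lookup[token]
    return out


def due_for_deletion(records, today: date, retention_days: int) -> list:
    """Storage limitation: records collected before today - retention_days."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["collected_on"]) < cutoff]


if __name__ == "__main__":
    # In production the key comes from a KMS/HSM, never from the same store
    # as the data it protects. A fresh random key is used here for the demo.
    key = secrets.token_bytes(32)
    lookup = {}
    pseudo = pseudonymize(SAMPLE_RECORD, key, lookup)
    print("pseudonymized:", pseudo)
    print("re-identified:", reidentify(pseudo, lookup))
    print("due for deletion (assumed 300-day retention):",
          due_for_deletion([SAMPLE_RECORD], date(2024, 12, 6), 300))
```

The key and the lookup table are the controls that make this pseudonymization rather than a cosmetic change: if either sits next to the pseudonymized records with the same access rights, a breach of that store is a breach of identifiable personal data and should be assessed as such for notification purposes.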

Best Practices for Compliance

  1. Training & Awareness: Train employees regularly on data protection principles and compliance requirements under the new Act. Foster a privacy-conscious culture.
  2. Data Minimization: Collect only essential data and review data collection practices periodically to ensure compliance.
  3. Transparency: Provide clear privacy notices outlining how data will be collected, used, stored, and protected. Make it easy for data subjects to understand and control their data.
  4. Regular Audits: Conduct frequent audits to identify and address compliance gaps promptly.
  5. Privacy by Design and Default: Incorporate data protection principles into the development of business processes and systems, ensuring that data privacy is maintained by default.

This guide aims to help background screening companies stay compliant with the new Data Protection Act, ensuring that individuals' personal data is safeguarded effectively.
