Section 28 Nigeria Data Protection Act 2023
Section 28 of the Nigeria Data Protection Act 2023 deals with data privacy impact assessment. It falls under Part V (Principles and Lawful Basis Governing Processing of Personal Data) of the Act.
(1) Where the processing of personal data may likely result in high risk to the rights and freedoms of a data subject by virtue of its nature, scope, context, and purposes, a data controller shall, prior to the processing, carry out a data privacy impact assessment.
(2) The data controller shall consult the Commission prior to the processing if, notwithstanding the measures envisaged under this section, the data protection impact assessment indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject.
(3) The Commission may make regulations or issue directives with regards to this section, including the categories of processing and persons subject to the requirement for the conduct of a data privacy impact assessment.
(4) For purposes of this section, a “data privacy impact assessment” is a process designed to identify the risks and impact of the envisaged processing of personal data, and it comprises —
(a) a systematic description of the envisaged processing and its purpose, including the legitimate interest pursued by the data controller, data processor, or third party;
(b) an assessment of the necessity and proportionality of the processing in relation to the purposes for which the personal data would be processed;
(c) an assessment of the risks to the rights and freedoms of a data subject; and
(d) the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data, taking into account the rights and legitimate interests of a data subject and other persons concerned.