Section 40 Nigeria Data Protection Act 2023
Section 40 of the Nigeria Data Protection Act 2023 is about Personal data breaches. It is under Part VII (Data Security) of the Act.
(1) Where a personal data breach has occurred with respect to personal data being stored or processed by a data processor, the data processor shall, on becoming aware of the breach —
(a) notify the data controller or data processor that engaged it, describing the nature of the personal data breach including, where possible, the categories and approximate numbers of data subjects and personal data records concerned; and
(b) respond to all information requests from the data controller or data processor that engaged it, as they may require to comply with their obligations under this section.
(2) A data controller shall, within 72 hours of becoming aware of a breach which is likely to result in a risk to the rights and freedoms of individuals, notify the Commission of the breach and, where feasible, describe the nature of the personal data breach including the categories and approximate numbers of data subjects and personal data records concerned.
(3) Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject the data controller shall immediately communicate the personal data breach to the data subject in plain and clear language, including advice about measures the data subject could take to mitigate effectively the possible adverse effects of the data breach and if a direct communication to the data subject would involve disproportionate effort or expense, or is otherwise not feasible, the data controller may instead make a public communication in one or more widely used media sources such that the data subject is likely to be informed.
(4) The notifications and communications referred to in subsections (1), (2) and (3) shall, in addition to the requirements of those subsections —
(a) communicate the name and contact details of a point of contact of the data controller, where more information can be obtained;
(b) describe the likely consequences of the personal data breach; and
(c) describe the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(5) The Commission may, at any time, make a public communication about a personal data breach notified to it under subsection (2), where it considers the steps of the data controller to inform data subjects inadequate.
(6) The Commission shall issue and publish regulations on the steps to be taken by a data controller to adequately inform data subjects of a personal data breach for purposes of subsection (3).
(7) In evaluating whether a personal data breach is likely to result in a risk to the rights and freedoms of a data subject under subsection (3), a data controller and the Commission may take into account —
(a) the likely effectiveness of any technical and administrative measures implemented to mitigate the likely harm resulting from the personal data breach, including any encryption or de-identification of the data;
(b) any subsequent measures taken by the data controller to mitigate such risk; and
(c) the nature, scope and sensitivity of the personal data involved.
(8) A data controller and data processor shall keep a record of all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken in a manner that enables the Commission to verify compliance with this section.
(9) Where it is not possible to provide information under this section at the same time, the information may be provided in phases without undue delay.