THE COMPLIANCE LANDSCAPE FOR DATA PROCESSING AGREEMENTS
Introduction
Data Processing Agreements (DPAs) are increasingly common in today’s digital world. As a matter of law and sound information management practices, DPAs are required when organizations as data controllers/processors share personal information in their custody with third parties for further processing. This practice is typically undertaken to achieve business or operational objectives. Examples include sharing employee files with an accounting firm for payroll, employee health information with healthcare providers or insurers, or personnel files with HR consulting firms. Another common scenario involves incidental sharing of personal information with third parties during the use of IT software. This often occurs when organisations utilize cloud-based platforms for data processing and storage, such as Dropbox, Google Cloud, SharePoint, AWS, etc. In these cases, the terms of use of the cloud-based platform often serve as a functional equivalent to a DPA.
However, high net-worth organizations engaged in large-scale data processing may opt to negotiate independent and stand-alone DPAs, even when utilizing standard form contracts from cloud-based IT service providers. Whether parties are negotiating an independent DPA or relying on the standard form contract of a cloud-based platform, it is essential to ensure compliance with legal requirements. To align with global best practices and the Nigerian Data Protection Act 2023 (NDPA), the following clauses should be carefully considered during DPA negotiation or drafting.
1. Definition of Roles & Responsibilities
It is crucial that the DPA or the standard form contract clearly spells out the roles of the parties. Primarily, the agreement should describe the status of the parties as either data controller or data processor. The importance of this classification lies in the different levels of responsibility that attach to each. While clarification of status is important, whether a party is a data controller or data processor is often determined by what is done with the personal information rather than by what is contained in the agreement. Nonetheless, the agreement is a good starting point for ascertaining the roles and responsibilities of the parties.
2. Concerns for Exercise of Data Subject Rights
DPAs must prioritize the exercise of data subject rights, aligning with the goals of the relevant privacy legislation(s). To facilitate this, DPAs should incorporate provisions that streamline the fulfilment of data subject rights, encompassing access, rectification, erasure and, where applicable, portability. For instance, when an organization outsources payroll processing to a third-party accounting firm, the DPA should ensure straightforward retrieval of the information provided by the organization upon request from an employee. Furthermore, in scenarios where an employee transitions employment, the DPA should include provisions enabling the seamless transfer of personal data from one healthcare service provider to another. It will amount to a breach of data subject rights for an organisation to refuse to provide requested personal information on the pretext that the information is in the custody of a third party. It is important to note that this requirement is explicitly provided for under section 29 of the NDPA 2023.
3. Security Considerations
This is an essential provision that must be included in a DPA. Organisations have the primary responsibility to protect and safeguard data under their control against unauthorised access and use. Through the DPA, the primary entity must ensure that the third-party processor is able to implement appropriate technical and organizational measures (such as encryption, access controls and pseudonymization) to protect transferred personal information from misuse. By extension, this ensures that the organisation providing the information can continue to fulfil its obligations as data controller. The contract may, for example, provide that the third-party processor complies with industry standards such as ISO 27001, SOC 2, etc.
4. Use of Sub-Processors & Third-Party Transfers
The DPA should explicitly address the third party's capacity to engage sub-processors, outlining the process for obtaining approval, including the required format and necessary details. Furthermore, the agreement must comprehensively address the transfer of personal information to sub-processors located in other countries, ensuring compliance with relevant data protection regulations and international data transfer frameworks. This point is important, considering that the NDPA 2023 mandates that every transfer of personal information outside of Nigeria must be to a country with a commensurate level of privacy protection under Nigerian law [1]. Alternatively, transfers to countries that do not meet the standard of protection under Nigerian law must take place under circumstances that include contractual clauses providing adequate safeguards for personal information.
Thus, the incorporation of sub-processing or third-country transfer clauses will ensure that the organisation with primary responsibility does not incur secondary liability through non-compliance by the recipient data processor.
5. Data Breach Notification
Data breaches are inevitable in data processing activities. A data breach may occur through unauthorized access to physical files or through the acts of cybercriminals. The DPA must ensure that the recipient data processor notifies the data controller when any breach occurs. This requirement is crucial, as the organisation with primary responsibility for the personal information may itself have an obligation to notify data subjects of a breach. Notification is mandatory where a breach presents the risk of significant harm to data subjects. By incorporating robust notification clauses, the primary data controller can effectively fulfil its legal obligations under the relevant data protection laws.
6. Data Retention & Deletion
The DPA should explicitly outline the process for deleting or returning data that is no longer required under the agreement. This may be when the purpose for which the personal information is shared has been accomplished, or the DPA itself expires. The DPA should ensure that the third party's data retention policies align with the data controller's existing policies, which were likely communicated to data subjects during data collection.
7. Audit & Compliance Monitoring
The DPA must contain audit and monitoring provisions that make it easy for the primary organisation providing personal information to assess the compliance practices of the recipient organisation. One way organisations may achieve this is to require that the recipient data processor obtain annual certification from recognised certifying organisations, for example against ISO 27001.
8. Record-Keeping & Documentation
The agreement should outline the record-keeping obligations of the parties. These will include instruction records, records of processing activities, details of engaged sub-processors, records of breach incidents, records of access requests, security policies, information about staff vetting, etc. One important benefit of comprehensive record keeping is that it makes auditing easier. Additionally, it serves as evidence of compliance with the terms of the DPA.
9. Liability & Indemnification
The DPA should define which parties bear responsibility for breaches and other non-compliance issues. It is to be noted that, regardless of the terms of the DPA, a data subject may sue the primary organisation as the data controller that collected their information. Additionally, the parties may always be held to account by the Nigerian Data Protection Commission (the “Commission”) for non-compliance, regardless of how responsibilities are shared in the DPA. Nonetheless, where the liability clause in the DPA is binding among the parties, and where it includes an indemnity clause, this will enable the data controller to recover costs incurred through the fault of the recipient data processor.
10. Governing Law and Dispute Resolution
This provision is important in a DPA, especially where the parties involved operate from different countries. The governing law clause provides certainty as to the interpretive principles that apply in the event of a dispute. As many DPAs are negotiated by entities in different countries, governing law provisions are crucial, considering the discrepancies that exist between the data protection laws of different countries. Further, the agreement should provide how disputes that arise between the parties will be settled. For efficiency, it is preferable to settle disputes through ADR, such as mediation and arbitration, rather than through the traditional court system.
11. Mandatory Clauses under the NDPA-GAID
The Commission, in fulfilling its mandate under the NDPA 2023, issued the General Application and Implementation Directive (GAID) 2025 to provide additional guidance on the operation of the NDPA 2023. Article 34 of the GAID contains mandatory provisions which must be incorporated in a DPA. It is thus important that parties negotiating a DPA familiarise themselves with these provisions to ensure compliance with the relevant laws.
Conclusion
While no DPA is truly one-size-fits-all, each agreement should be carefully crafted to address the specific needs and nuances of the parties involved, taking into account the nature of the data processing activity. By incorporating the aforementioned clauses, the agreement not only fulfils legal obligations under data protection laws but also establishes a robust framework for safeguarding data subject rights. This approach ensures that the DPA effectively balances the interests of both parties while upholding the fundamental principles of data protection. It is important to bear in mind that a DPA is not a mere legal document; it is a vital tool for fostering trust and transparency between data controllers and processors, ultimately contributing to a more secure and ethical data ecosystem.
Reference
[1] Sections 41 and 42 of the Nigeria Data Protection Act (NDPA) 2023.