Following a decision by the Nigeria Data Protection Commission (NDPC) to launch a data breach investigation on TikTok, the social media platform has replied that it is open to working with the commission to prove its commitment to data protection.
The social media company disclosed this in an exclusive chat with Technext. According to Head of Communications for Sub-Saharan Africa, Keagile Makgoba, the video content platform remains committed to protecting users’ data.
“Protecting the privacy and security of our community’s data is among our top priorities. We look forward to cooperating with the Nigeria Data Protection Commission (NDPC),” she said.
Recall that the NDPC on Thursday released a notice that it is currently investigating TikTok and Truecaller over alleged data breaches. The investigations are only a part of its mandate for the enforcement of the Nigeria Data Protection Act (NDPA).
The National Commissioner and Chief Executive Officer of the NDPC, Dr. Vincent Olatunji pointed out that NDPC would scrutinize the companies’ compliance with data protection laws.
“As we speak, we have even gone to the extent of investigating multinationals. We are currently investigating TikTok and Truecaller in the area of data privacy,” Olatunji said.
Depending on its findings, the NDPC said it would be open to working with the companies if they could go through remediation and correct their lapses.
The commission also noted that organizations’ compliance with data protection regulations has increased to over 55 per cent. The adherence level was 4 per cent when the commission kick-started its compliance monitoring duty in 2022.
Olatunji highlighted that NDPC does not impose immediate sanctions on organizations found in breach of data protection laws. He said the commission adopts a correctional approach that evaluates data breaches based on severity, the number of affected individuals, and the potential impact on the Nigerian economy.
As against tagging an organization as non-compliant, the NDPC boss noted that the commission provides companies with specific corrective measures to address their data shortcomings. Once a company is found guilty of a data breach, it must maintain detailed records of its data processing activities and rectify identified failures.
To implement the corrective measures, the commission then monitors these organizations for a period of six months to a year to ensure full compliance.
In line with its prioritization of remediation and other measures to protect the data of Nigerians, Olatunji said the commission would not hesitate to take stronger enforcement actions where necessary.
Similar Read: Why Nigeria’s new Data Protection law may yet benefit its digital economy.
Data breach: implementation of Nigeria’s Data Protection Act
In its efforts to alleviate data breaches, the NDPC also unveiled the Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID). The directive is aimed at protecting data and providing critical guidelines that help data controllers comply with the law.
The commission pointed out that the directive is a huge development to Nigeria’s data privacy efforts, and more significant as emerging technologies continue to reshape digital interactions.
After President Bola Tinubu passed the Nigeria Data Protection Bill on 12 June 2023, the NDPC began developing a framework to ensure its full implementation.
According to the NDPC boss, the directive will be available on the NDPC portal. It covers critical areas such as data protection principles, lawful bases for data processing, data subjects’ rights, cross-border data transfers, compliance audit returns, and standardized grievance redress mechanisms.
NDPC’s National Commissioner and Chief Executive Officer, Dr. Vincent Olatunji during the commission’s Nigeria Data Protection Act – General Application and Implementation Directive (NDP Act-GAID) unveiling.
On its implementation, NDPC noted that the full implementation of the directive would commence in September 2025, with a six-month transition period for organizations. After this all provisions relating to fees will take effect from January 2026.
In addition, the commission introduced the Standard Notice to Address Grievance (SNAG). This is a mechanism that allows individuals to demand remedial action directly from data controllers and processors without first going through the commission. This seeks to position over 230 million Nigerians in playing an active role in enforcing data protection laws and reducing data breaches.
The commission also reinstated its commitment to providing guidance notices and advisories to clarify legal requirements. Capacity-building programmes would be made available to deepen the culture of data privacy and protection in Nigeria.
The NDPC was created by the Nigeria Data Protection Bureau (NDPB) in February 2022, as a mandate to oversee the implementation of the Nigeria Data Protection Regulation (NDPR) which was issued by the National Information Technology Development Agency (NITDA) in 2019 as a subsidiary legislation of NITDA Act.
The NDPC is in charge of ensuring that personal data about Nigerians is protected within its borders and that information shared with institutions or businesses—both public and private—that operate to attract Nigerians remains private and secure based on legitimate interest rather than just consent.
Technext Newsletter
Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!
