Article 11: Data Subject Rights: Legal Obligations and Practical Strategies for Effective Compliance

We are almost at the end of our Privacy and Data Protection Knowledge Management Series. In the last few articles, we explored lawful processing, risk assessments, and privacy programmes. This week, we are shifting our focus to one of the most practical and human aspects of data protection: the rights of data subjects.

Privacy is a fundamental human right guaranteed by the Nigerian constitution, and data protection is an extension of that right. At the heart of every data protection law is the idea that individuals should have control over their personal data. Data subject rights turn that idea into action. They give data subjects the ability to request access to, correction of, and even the deletion of their personal data. For organisations, honouring these rights is both a legal duty and a test of how well their privacy framework actually works.

In this article, we will discuss what these data subject rights (DSRs) are, what the law requires when they are exercised, and how organisations can handle them efficiently and confidently.

The Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 place DSRs at the centre of accountability. It is not enough to have policies. Organisations must be able to receive, verify and fulfil requests in a way that is timely, secure and auditable.

1. Data Subject Rights

The NDPA sets out the principal rights of data subjects in sections 34 to 38. The GAID 2025 provides practical direction on how those rights should be exercised in articles 36 to 39. It also introduces the Data Subject’s Standard Notice to Address Grievance (SNAG) procedure in article 40, allowing data subjects to lodge a standard notice to seek remediation.

Below is a short summary of the main rights, with the legal references:

– Right to be informed: data subjects must know in adequate detail all that the data controller intends to do with their data. This right is relevant before processing and is related to the principle of transparency of processing. (NDPA s. 34(1)(a))

– Right of access: data subjects must be able to request information about how a data controller has processed their data. This right is relevant during or after processing. (NDPA s. 34(1)(b))

– Right to rectification: data subjects can request correction of inaccurate or incomplete personal data. This is related to the principle of accuracy of processing. (NDPA s. 34(1)(c); GAID art. 36)

– Right to erasure (right to be forgotten): data subjects can request deletion of their data in certain circumstances, for example where processing is unlawful or consent has been withdrawn. (NDPA s. 34(1)(d) and 34(2); GAID art. 38)

– Right to restriction of processing: data subjects can request that processing be limited in certain situations while issues are resolved. (NDPA s. 34(1)(e))

– Right to data portability: data subjects can request their data in a structured, machine-readable format in order to transfer it to another controller. (NDPA s. 38; GAID art. 37)

– Right to withdraw consent: where the legal basis of processing is consent, data subjects may withdraw that consent at any point during processing. Withdrawal of consent must be as easy as giving it. (NDPA s. 35)

– Right to object: data subjects may object to processing of their personal data that is based on legitimate interests or carried out for direct marketing. (NDPA s. 36)

– Right not to be subject to automated decision-making: data subjects have the right not to be subject to fully automated decision-making, including profiling, especially where the processing carries legal implications. They can request human intervention in such decisions. (NDPA s. 37)

– Right to lodge a complaint with the NDPC: data subjects have the right to report non-compliant processing of their personal data to the Nigeria Data Protection Commission (NDPC). The newly introduced SNAG procedure makes this easier. (NDPA s. 46; GAID art. 39 and 40)

Data controllers and processors can refer to the summary above when drafting policies, notices and DSR procedures so that operational rules align with the statute and the directive.

2. How organisations should receive and manage data subject requests

Operationalising rights means building the people, process and technology elements into your privacy programme. Below are practical steps that privacy leaders should implement.

a. Set up clear intake channels

Provide multiple secure channels for DSR receipt, for example an online form, a dedicated email address and physical mail. Make the process obvious in privacy notices. The GAID 2025 expects accessible routes for exercising rights.

b. Verify identity securely and proportionately

Before disclosing data, verify the data subject’s identity using a risk-based approach. For low-risk requests, email verification may suffice. For more sensitive data, consider two-factor verification or a certified identification document. Always log the verification method used.

c. Keep a Data Subject Request Log

Record every request and every action taken. A consistent log supports accountability and makes NDPC audits easier. Below is a practical template you can adopt:

d. Track timelines and extensions carefully

Neither the NDPA nor the GAID 2025 provides a specific period within which data controllers must respond to DSR requests. Section 34 of the NDPA states that data controllers should honour data subjects’ requests without constraint or unreasonable delay. Other privacy regimes, such as the General Data Protection Regulation (GDPR), require data controllers to respond within one month of receipt of the request. For complex or numerous requests that period can be extended by up to two months, but the data subject must be informed of the reason for the delay within the first month.
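As an added example (not the article’s template or any NDPC material), the following Python sketch records a request in the form the log and timeline sections above call for: the verification method used, an append-only action trail, a response deadline with a bounded and notified extension, and a refusal with its legal basis and appeal route. The one-month default and two-month extension cap are assumptions borrowed from the GDPR comparison, since the NDPA fixes no period.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed for illustration: a one-month default and a two-month extension cap,
# mirroring the GDPR timeline the article cites; the NDPA fixes no period.
DEFAULT_DAYS = 30
MAX_EXTENSION_DAYS = 60
# Verification methods named in the article, weakest to strongest.
VERIFICATION = ("email", "two_factor", "certified_id")

@dataclass
class DSRRecord:
    request_id: str
    right: str                  # e.g. "access", "erasure", "portability"
    received: date
    verification: str           # one of VERIFICATION, always logged
    due: date = field(init=False)
    extended_days: int = 0
    actions: List[str] = field(default_factory=list)
    refusal_basis: Optional[str] = None

    def __post_init__(self) -> None:
        if self.verification not in VERIFICATION:
            raise ValueError(f"unknown verification method: {self.verification}")
        self.due = self.received + timedelta(days=DEFAULT_DAYS)
        self.log("received", f"identity verified by {self.verification}")

    def log(self, action: str, detail: str) -> None:
        # Append-only: the action trail is the audit record for an NDPC review.
        self.actions.append(f"{action}: {detail}")

    def extend(self, days: int, reason: str, notified_on: date) -> date:
        # Capped extension; the reason must reach the data subject within the original period.
        if notified_on > self.received + timedelta(days=DEFAULT_DAYS):
            raise ValueError("extension must be notified within the original period")
        if self.extended_days + days > MAX_EXTENSION_DAYS:
            raise ValueError("extension exceeds the permitted maximum")
        self.extended_days += days
        self.due += timedelta(days=days)
        self.log("extended", f"{days} days; reason: {reason}; notified {notified_on}")
        return self.due

    def refuse(self, legal_basis: str) -> None:
        # A refusal always records its legal basis and the appeal route.
        self.refusal_basis = legal_basis
        self.log("refused", f"{legal_basis}; appeal via SNAG notice or NDPC complaint")

    def is_overdue(self, today: date) -> bool:
        return self.refusal_basis is None and today > self.due
```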

e. Use a role-based workflow

Designate and train first-line staff, such as customer service officers, to triage requests; a verification team to authenticate requests; a legal or privacy owner to review complex requests; and an operations team to extract or delete data. The Data Protection Officer (DPO) should have overall oversight and final sign-off.

f. Prepare for common operational issues

Common operational issues in honouring data subject rights requests include:

– Data fragmentation. Use your data map to locate data across systems.

– Third party data. Confirm whether the data is held by a processor and coordinate fulfilment. Data Protection Agreements or clauses should require processors to assist with DSRs.

– Conflicting legal obligations. If retention obligations exist under other laws, document the legal exception and explain it to the data subject.

g. Communicate clearly and in plain language

Provide responses that are concise, intelligible, and free of technical jargon. If the request is refused, explain the legal basis for the refusal and provide details of the right to lodge a complaint, including the use of the SNAG procedure.

3. Common lawful grounds for refusing or limiting requests

The NDPA and GAID 2025 allow controllers to refuse manifestly unfounded or excessive requests. When refusing DSR requests, controllers must explain the reason and inform the data subject of the right to complain to the NDPC. Typical lawful grounds for limitation include:

– Requests that would adversely affect the rights and freedoms of others, such as revealing third party personal data.

– Requests that are manifestly unfounded or excessive. The controller may only charge a reasonable fee where allowed.

– Where legal retention obligations override erasure requests. Document the conflict and provide a partial response where possible.

Record every refusal carefully in the DSR log, stating the legal basis for the refusal and any appeal route.

4. Data portability and secure transfer

For portability requests, provide data in a structured, commonly used, machine-readable format such as CSV or JSON. When transmitting the data, use secure channels and validate the receiving controller. Confirm whether the data subject wants the data sent directly to another controller and document consent for that transfer.

Portability does not require you to create new data or transform data into a proprietary format. It covers data provided by the data subject and data generated by their activity.

5. SNAG procedure and escalation

The SNAG procedure in article 40 of GAID 2025 provides a standard notice mechanism, using the praecipe form in schedule 9 of the GAID, for data subjects to lodge complaints and seek remedies. Controllers should:

– Build a process to receive SNAG notices, log them and escalate to the appropriate functional owner.

– Respond to the SNAG without undue delay (reasonably, within one month) and keep the data subject informed.

– Where internal remedy is insufficient, inform the data subject of their right to escalate to the NDPC.

– Ensure your DSR and SNAG processes are aligned so that a complaint or a rights request is handled consistently and tracked in the same governance tools.

6. Practical notes for privacy leaders

– Embed DSR request handling into the privacy programme and test it regularly through simulations.

– Keep a published contact and an easy-to-use request form on your website. Visibility reduces friction and shows accountability.

– Train customer-facing staff to recognise suspected DSR requests and escalate them immediately.

– Maintain a playbook for complex requests with template letters, verification steps and legal references.

– Review processor agreements to ensure contractual cooperation and set response time expectations.

7. Conclusion

Data subject rights are at the centre of every privacy framework. They remind us that personal data ultimately belongs to the individual. For organisations, honouring these rights goes beyond having policies on paper. It means putting real systems in place to receive, assess and respond to requests properly.


In our next and final article, we will turn to two industries where these rights are often put to the test, fintech and health-tech. We will explore their unique challenges and how they can apply everything we have learned in this series to achieve real compliance in practice.


Short test

  1. Under the NDPA, within what period should a controller respond to a valid DSR request?
  2. Name two items that should be recorded in a Data Subject Request Log.
  3. Which GAID 2025 article introduces the SNAG grievance procedure?
  4. True or false: Portability requires controllers to convert data into a proprietary format.
  5. What should you do if a deletion request conflicts with a statutory retention obligation?