ADNINCAP LTD

DATA PROTECTION IMPACT ASSESSMENT POLICY

MAY, 2025

1. Purpose and Scope of Policy

  1. This Data Protection Impact Assessment (“DPIA”) Policy sets forth the principles and framework adopted by AdninCap Ltd (“the Company”) to assess, mitigate, and manage potential data protection risks arising from current or future business operations. It defines the circumstances under which the Company will conduct a DPIA and specifies the required elements of the DPIA report.

  2. This Policy shall be prominently communicated and readily accessible to all employees with data privacy and security responsibilities. The Company aims to use this Policy to ensure personnel understand the importance of proactively addressing data protection risks and the appropriate response measures to mitigate such risks effectively.

  3. This Data Protection Impact Assessment (DPIA) is an analysis of the information relating to the Company’s operations which involve the processing of personal data.

 

2. Definitions

Data Subject includes employees, job candidates, customers, credit bureaus or agencies, contractors, consultants, partners, and other interested parties who provide any information to the Company and who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, or social identity.

Personal Data has the meaning assigned to it in the Nigeria Data Protection Regulation Act 2023.

Regulator refers to the Nigeria Data Protection Commission (“NDPC”) and any other government regulatory agency that may subsequently be mandated to regulate data protection in Nigeria.

 

3. Scope

  1. This DPIA policy applies to all employees, third party service providers and contractors who collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personal data.

  2. Within the operations of the Company, where a DPIA is deemed necessary as provided in this policy, a request for DPIA shall be initiated by the head of the department that will carry out the processing activities.

  3. The Company shall carry out a DPIA on all its activities quarterly. In addition, the Company shall carry out a DPIA:

    • a. where the Company intends to embark on a project that would involve the intense use of personal data; and

    • b. when a processing activity is deemed to be of high impact on Data Subjects.

  4. A processing activity will be deemed to be of high impact on Data Subjects where it involves:

    • a. evaluation or scoring (profiling);

    • b. automated decision-making with legal or similar significant effect;

    • c. systematic monitoring;

    • d. sensitive or highly Personal Data;

    • e. Personal Data processing that relates to vulnerable or differently-abled Data Subjects; and

    • f. the deployment of innovative processes or the application of new technological or organizational solutions under consideration.

 

4. How to Conduct a DPIA

  1. When any department has determined that a DPIA is required as provided in this policy, the DPIA must address:

    • a. the description of the envisaged processing operations;

    • b. the purposes of the processing;

    • c. the legitimate interest pursued by the Company;

    • d. an assessment of the necessity and proportionality of the processing operations in relation to the purposes;

    • e. an assessment of the risks posed by the processing to the rights and freedoms of Data Subjects; and

    • f. the risk mitigation measures being proposed to address the risk.

  2. The prescribed form for the conduct of DPIA annexed to this policy must be completed and submitted to the DPO when a DPIA is conducted.

  3. Form A should be completed by all departments in the Company for quarterly DPIA on existing operations of the Company and Form B should be completed for the conduct of DPIA in other circumstances.

 

5. DPIA Report

  1. At the end of every DPIA, the DPO shall prepare a DPIA report and keep a record of the DPIA report after it has been approved by the management team. The DPIA report shall amongst other information contain:

    • a. a background of the DPIA;

    • b. a summary of the DPIA process and outcome;

    • c. details on the findings of the DPIA; and

    • d. solutions for the risk assessment.

  2. The DPIA report shall be submitted to the Regulator by the DPO when a request for DPIA report is made by the Regulator.

 

6. THE NEED FOR A DATA PROTECTION IMPACT ASSESSMENT (DPIA)

Under the Nigeria Data Protection Act 2023 (NDPA), DPIAs are mandatory for any new high-risk processing projects. The DPIA process allows organizations to make informed decisions about the acceptability of data protection risks and communicate effectively with the individuals affected.

| NO | Question | Answer |
|----|----------|--------|
| 1 | Why have you identified the need for a DPIA? | The Company plans to start operating new products. |
| 2 | Summary of process or project | These products are online lending apps that shall collect users’ information to provide loans. |
| 3 | What is the primary objective of the Project or process? | To provide loan services to users in Nigeria and make profits. |
| 4 | Identify any documentation that is relevant to this DPIA | Data retention policy, Data breach management register, Data protection training materials, procedure for obtaining consent for processing data. |

 

2. DATA PROCESSING

The purpose of this data processing within the lending app is to facilitate and streamline the loan application and management process. This includes collecting and assessing user-provided data for loan approval decisions, disbursement of funds, and repayment tracking.

A. THE DATA MAP

  1. User interaction

  2. Data submission

  3. Data processing

  4. Decision communication

  5. Loan disbursement

  6. Loan repayment

  7. Data storage

  8. Customer support interaction

  9. Reporting and analytics

  10. Compliance and auditing

  11. Credit bureaus and KYC providers

  12. Data deletion

 

B. PURPOSE OF THE PROCESSING

| NO | Question | Answer |
|----|----------|--------|
| 1 | What do you want to achieve? | To provide accessible and efficient financial services to individuals in Nigeria. |
| 2 | What are the benefits of the processing? | Streamlined operations, risk assessment, improved customer service, compliance. |
| 3 | Is there an expected effect on individuals? | No adverse effect. Simplifies loan application and provides quick decisions. |

C. NATURE OF THE PROCESSING

Personal data, financial data, and location data are collected through user input and third-party service providers for loan evaluation, disbursement, and support.

D. SCOPE OF THE PROCESSING

  • Geographical extent: Nigeria

  • Retention period: 5 years

  • Duration: As long as users engage with the app

E. CONTEXT OF THE PROCESSING

  • No vulnerable groups involved

  • Relationship: Creditors and debtors

  • Refusal may impact service access

F. CONSULTATION PROCESS

The consultation process involves the DPO, Legal & Compliance, IT Security, Customer Support, and third-party processors.

G. NECESSITY & PROPORTIONALITY

  • Lawful basis: Consent and contract

  • Supporting legislation: Nigeria Data Protection Act 2023

  • Data quality ensured via validation checks

H. SECURITY

  • Encryption in transit and at rest

  • Firewalls and intrusion detection systems

  • Role-based access controls

  • Staff training

Risk Measures Adopted

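| Risk | Option Adopted | Effect on Risk | Residual Risk | Measure Approved |
|------|----------------|----------------|---------------|------------------|
| Data transmission attacks | Technical encryption | Eliminated | Low | Yes |
| Third-party processing | Trusted local providers | Eliminated | Low | Yes |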