@tantainnovative/ndpr-toolkit
Nigeria Data Protection Toolkit — enterprise-grade compliance components for the Nigeria Data Protection Act (NDPA) 2023
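'use strict';

/**
 * NDPA compliance scoring module (minified build, unminified here).
 *
 * Each module evaluator turns a caller-supplied configuration object into a
 * list of checks `{ key, label, priority, effort, recommendation, ndpaSection, pass }`.
 * `generateComplianceReport` scores every module, weights the scores into an
 * overall 0-100 score, and lists failed checks as recommendations.
 *
 * Improvements over the minified original:
 *  - `responseTimelineDays` must now be a finite number: previously `null`
 *    coerced to 0 and silently passed the 30-day check.
 *  - `Number.isNaN` instead of the coercing global `isNaN`.
 *  - The regulatory-reference table is a module constant (copied per report).
 *  - The CommonJS export is guarded so the file does not throw when
 *    evaluated in a non-CommonJS loader.
 */

/** Recommendation sort order, most urgent first (unknown priorities sort ahead of "critical"). */
const PRIORITY_ORDER = Object.freeze(['critical', 'high', 'medium', 'low']);

/** Static NDPA references attached to every report. */
const REGULATORY_REFERENCES = [
  { section: 'Section 25', title: 'Consent and lawful basis for processing' },
  { section: 'Section 26', title: 'Consent' },
  { section: 'Section 27', title: 'Privacy notice requirements' },
  { section: 'Section 28', title: 'Data Protection Impact Assessment (including Section 28(2) NDPC consultation)' },
  { section: 'Section 29', title: 'Records of processing activities' },
  { section: 'Section 34', title: 'Data subject rights (access, rectification, erasure, restriction)' },
  { section: 'Section 35', title: 'Right to withdraw consent' },
  { section: 'Section 36', title: 'Right to object' },
  { section: 'Section 37', title: 'Rights related to automated decision-making' },
  { section: 'Section 38', title: 'Right to data portability' },
  { section: 'Section 40', title: 'Data breach notification' },
  { section: 'Section 41', title: 'Cross-border transfer mechanisms (SCCs / BCRs)' },
  { section: 'Section 42', title: 'Cross-border adequacy decisions' },
  { section: 'Section 43', title: 'Cross-border transfer derogations' },
];

/** Average month length used for "reviewed within N months" checks. */
const MS_PER_MONTH = 1000 * 60 * 60 * 24 * 30.44;

/**
 * Months elapsed since `date` (anything `new Date()` accepts).
 * @param {string|number|Date} date
 * @returns {number} Non-negative months; `Infinity` when the date is unparseable,
 *   so any freshness check based on it fails closed.
 */
function monthsSince(date) {
  const timestamp = new Date(date).getTime();
  if (Number.isNaN(timestamp)) return Infinity;
  const elapsed = (Date.now() - timestamp) / MS_PER_MONTH;
  // Future dates count as "just reviewed" rather than negative age.
  return Math.max(0, elapsed);
}

/**
 * Percentage of checks whose `pass` is truthy, rounded to an integer.
 * @param {Array<{pass: unknown}>} checks
 * @returns {number} 0-100; an empty list scores 100 (nothing to fail).
 */
function passPercentage(checks) {
  if (checks.length === 0) return 100;
  const passed = checks.filter((c) => c.pass).length;
  return Math.round((passed / checks.length) * 100);
}

/**
 * Build one check record. `pass` is read by truthiness downstream, so callers
 * should supply real booleans; a non-empty string would count as a pass.
 */
function check(key, label, priority, effort, recommendation, ndpaSection, pass) {
  return { key, label, priority, effort, recommendation, ndpaSection, pass };
}

/** Consent module checks (NDPA s.25, s.26, s.31). */
function evaluateConsent(config) {
  return [
    check('hasConsentMechanism', 'Consent collection mechanism', 'critical', 'high',
      'Implement a clear, affirmative consent collection mechanism before processing personal data.',
      'Section 25', config.hasConsentMechanism),
    check('hasPurposeSpecification', 'Purpose specification at collection', 'critical', 'medium',
      'Specify and communicate the purpose of data collection at the point of consent.',
      'Section 25', config.hasPurposeSpecification),
    check('hasWithdrawalMechanism', 'Consent withdrawal mechanism', 'high', 'medium',
      'Provide a simple mechanism for data subjects to withdraw consent at any time.',
      'Section 26', config.hasWithdrawalMechanism),
    check('hasMinorProtection', 'Minor (child) data protection controls', 'high', 'high',
      'Implement age-verification and parental-consent controls for processing data of minors.',
      'Section 31', config.hasMinorProtection),
    check('consentRecordsRetained', 'Consent records retained', 'medium', 'low',
      'Retain records of all consents obtained, including what was agreed to and when.',
      'Section 25', config.consentRecordsRetained),
  ];
}

/** Data-subject-request module checks (NDPA s.34-s.38). */
function evaluateDsr(config) {
  const days = config.responseTimelineDays;
  // Require an actual finite number: `null <= 30` is true in JS, which let an
  // unset timeline pass the 30-day check.
  const withinTimeline = Number.isFinite(days) && days <= 30;
  return [
    check('hasRequestMechanism', 'DSR submission mechanism', 'critical', 'high',
      'Implement a formal channel (e.g. a web form or email address) for data subjects to submit requests.',
      'Section 34', config.hasRequestMechanism),
    check('supportsAccess', 'Right of access supported', 'high', 'medium',
      'Enable data subjects to request and receive a copy of their personal data.',
      'Section 34(1)(a)\u2013(b)', config.supportsAccess),
    check('supportsRectification', 'Right to rectification supported', 'high', 'medium',
      'Allow data subjects to request correction of inaccurate or incomplete personal data.',
      'Section 34(1)(c)', config.supportsRectification),
    check('supportsErasure', 'Right to erasure supported', 'high', 'high',
      'Implement processes to delete personal data upon valid erasure requests.',
      'Section 34(1)(d), Section 34(2)', config.supportsErasure),
    check('supportsPortability', 'Right to data portability supported', 'medium', 'high',
      'Provide personal data in a structured, machine-readable format upon request.',
      'Section 38', config.supportsPortability),
    check('supportsObjection', 'Right to object supported', 'medium', 'medium',
      "Honour objections to processing where no compelling legitimate grounds override the data subject's interests.",
      'Section 36', config.supportsObjection),
    check('responseTimeline', 'DSR response within 30 days', 'high', 'medium',
      'Reduce DSR response time to 30 days or less per NDPC guidance (GAID 2025).',
      'Section 34 (NDPC GAID 2025 timeline guidance)', withinTimeline),
  ];
}

/** DPIA module checks (NDPA s.28). */
function evaluateDpia(config) {
  return [
    check('conductedForHighRisk', 'DPIA conducted for high-risk processing', 'critical', 'high',
      'Conduct a Data Protection Impact Assessment before undertaking high-risk processing activities.',
      'Section 28', config.conductedForHighRisk),
    check('documentedRisks', 'Risks documented in DPIA', 'high', 'medium',
      "Document identified risks to data subjects' rights and freedoms within the DPIA.",
      'Section 28', config.documentedRisks),
    check('mitigationMeasures', 'Mitigation measures documented', 'high', 'medium',
      'Document mitigation measures and residual risk acceptance within the DPIA.',
      'Section 28', config.mitigationMeasures),
  ];
}

/** Breach-notification module checks (NDPA s.40). */
function evaluateBreach(config) {
  return [
    check('hasNotificationProcess', 'Breach notification process in place', 'critical', 'high',
      'Establish a documented breach notification process covering detection, assessment, and reporting.',
      'Section 40', config.hasNotificationProcess),
    check('notifiesWithin72Hours', 'NDPC notified within 72 hours', 'critical', 'medium',
      'Ensure the NDPC is notified of qualifying breaches within 72 hours of discovery.',
      'Section 40', config.notifiesWithin72Hours),
    check('hasRiskAssessment', 'Breach risk assessment performed', 'high', 'medium',
      'Perform a risk assessment for every identified breach to determine notification obligations.',
      'Section 40', config.hasRiskAssessment),
    check('hasRecordKeeping', 'Breach records maintained', 'medium', 'low',
      'Maintain a breach register documenting all incidents, assessments, and actions taken.',
      'Section 40', config.hasRecordKeeping),
  ];
}

/** Privacy-policy module checks (NDPA s.27); `lastUpdated` must be within 13 months. */
function evaluatePolicy(config) {
  const upToDate = monthsSince(config.lastUpdated) <= 13;
  return [
    check('hasPrivacyPolicy', 'Privacy policy exists', 'critical', 'high',
      'Draft and publish a comprehensive privacy policy that satisfies NDPA requirements.',
      'Section 27', config.hasPrivacyPolicy),
    check('isPubliclyAccessible', 'Privacy policy publicly accessible', 'high', 'low',
      'Make the privacy policy easily accessible to data subjects on your website or app.',
      'Section 27', config.isPubliclyAccessible),
    check('policyUpToDate', 'Privacy policy reviewed within 13 months', 'medium', 'medium',
      'Review and update the privacy policy at least annually to reflect current practices.',
      'Section 27', upToDate),
    check('coversAllSections', 'Privacy policy covers all required sections', 'high', 'medium',
      'Ensure the privacy policy addresses all NDPA-mandated disclosures including lawful basis, retention, and subject rights.',
      'Section 27', config.coversAllSections),
  ];
}

/** Lawful-basis module checks (NDPA s.25(1)). */
function evaluateLawfulBasis(config) {
  return [
    check('documentedForAllProcessing', 'Lawful basis documented for all processing', 'critical', 'high',
      'Identify and document a valid lawful basis for every processing activity before it begins.',
      'Section 25(1)', config.documentedForAllProcessing),
    check('hasLegitimateInterestAssessment', 'Legitimate interest assessment completed', 'medium', 'medium',
      'Complete a Legitimate Interest Assessment (LIA) where legitimate interests is the chosen lawful basis.',
      'Section 25(1)', config.hasLegitimateInterestAssessment),
  ];
}

/** Cross-border transfer module checks (NDPA s.41-s.43). */
function evaluateCrossBorder(config) {
  return [
    check('hasTransferMechanisms', 'Transfer mechanisms in place', 'critical', 'high',
      'Implement appropriate transfer mechanisms (SCCs, BCRs, adequacy decisions, or Section 43 derogations) for all cross-border transfers.',
      'Section 41', config.hasTransferMechanisms),
    check('adequacyAssessed', 'Adequacy of destination country assessed', 'high', 'medium',
      'Assess whether the destination country provides an adequate level of data protection before transferring.',
      'Section 42', config.adequacyAssessed),
    check('ndpcApprovalObtained', 'NDPC approval obtained where required', 'high', 'high',
      'Obtain NDPC approval (e.g. for binding corporate rules, codes of conduct, or certification mechanisms) for transfers to countries without adequacy decisions where required.',
      'Section 42(5)', config.ndpcApprovalObtained),
  ];
}

/** ROPA module checks (NDPA s.29); `lastReviewed` must be within 6 months. */
function evaluateRopa(config) {
  const upToDate = monthsSince(config.lastReviewed) <= 6;
  return [
    check('maintained', 'Record of Processing Activities maintained', 'critical', 'high',
      'Create and maintain a comprehensive Record of Processing Activities (ROPA) as required by the NDPA.',
      'Section 29', config.maintained),
    check('includesAllProcessing', 'ROPA includes all processing activities', 'high', 'medium',
      'Ensure the ROPA captures every processing activity across all departments and systems.',
      'Section 29', config.includesAllProcessing),
    check('ropaUpToDate', 'ROPA reviewed within 6 months', 'medium', 'low',
      'Review and update the ROPA at least every six months to reflect changes in processing activities.',
      'Section 29', upToDate),
  ];
}

/**
 * Module table. Weights sum to 1.0 so the overall score stays on a 0-100 scale.
 * Each evaluator reads `config.<name>`; a missing sub-object makes it throw a
 * TypeError (the caller is expected to supply every module's configuration).
 */
const MODULES = [
  { name: 'consent', weight: 0.2, ndpaSections: ['Section 25', 'Section 26'], evaluate: (c) => evaluateConsent(c.consent) },
  { name: 'dsr', weight: 0.15, ndpaSections: ['Section 34', 'Section 35', 'Section 36', 'Section 37', 'Section 38'], evaluate: (c) => evaluateDsr(c.dsr) },
  { name: 'breach', weight: 0.15, ndpaSections: ['Section 40'], evaluate: (c) => evaluateBreach(c.breach) },
  { name: 'policy', weight: 0.12, ndpaSections: ['Section 27'], evaluate: (c) => evaluatePolicy(c.policy) },
  { name: 'dpia', weight: 0.12, ndpaSections: ['Section 28'], evaluate: (c) => evaluateDpia(c.dpia) },
  { name: 'lawfulBasis', weight: 0.1, ndpaSections: ['Section 25(1)'], evaluate: (c) => evaluateLawfulBasis(c.lawfulBasis) },
  { name: 'crossBorder', weight: 0.08, ndpaSections: ['Section 41', 'Section 42', 'Section 43'], evaluate: (c) => evaluateCrossBorder(c.crossBorder) },
  { name: 'ropa', weight: 0.08, ndpaSections: ['Section 29'], evaluate: (c) => evaluateRopa(c.ropa) },
];

/**
 * Map an overall score to a rating band.
 * @param {number} score 0-100
 * @returns {'excellent'|'good'|'needs-work'|'critical'}
 */
function ratingFor(score) {
  if (score >= 90) return 'excellent';
  if (score >= 70) return 'good';
  if (score >= 40) return 'needs-work';
  return 'critical';
}

/**
 * Score every module and assemble the compliance report.
 *
 * @param {object} config Per-module configuration objects keyed by module name
 *   (`consent`, `dsr`, `breach`, `policy`, `dpia`, `lawfulBasis`, `crossBorder`, `ropa`).
 * @returns {{score: number, rating: string, modules: object, recommendations: object[],
 *   regulatoryReferences: object[], generatedAt: string}}
 *   `score` is the weight-rounded total; `recommendations` lists every failed
 *   check sorted by priority; `generatedAt` is the wall-clock ISO timestamp.
 * @throws {TypeError} when a module's configuration object is absent.
 */
function generateComplianceReport(config) {
  const modules = {};
  const recommendations = [];
  let weightedTotal = 0;

  for (const mod of MODULES) {
    const checks = mod.evaluate(config);
    const score = passPercentage(checks);
    const weighted = score * mod.weight;
    weightedTotal += weighted;

    const gaps = [];
    for (const c of checks) {
      if (c.pass) continue;
      gaps.push(c.label);
      recommendations.push({
        module: mod.name,
        key: c.key,
        label: c.label,
        priority: c.priority,
        effort: c.effort,
        recommendation: c.recommendation,
        ndpaSection: c.ndpaSection,
      });
    }

    modules[mod.name] = {
      name: mod.name,
      score,
      maxScore: 100,
      // Two-decimal rounding keeps floating-point noise out of the report.
      weightedScore: Math.round(weighted * 100) / 100,
      ndpaSections: mod.ndpaSections,
      gaps,
    };
  }

  // Stable sort: within a priority band, module order is preserved.
  recommendations.sort(
    (a, b) => PRIORITY_ORDER.indexOf(a.priority) - PRIORITY_ORDER.indexOf(b.priority),
  );

  const overall = Math.round(weightedTotal);
  return {
    score: overall,
    rating: ratingFor(overall),
    modules,
    recommendations,
    // Fresh copies so a caller mutating the report cannot alter later reports.
    regulatoryReferences: REGULATORY_REFERENCES.map((ref) => ({ ...ref })),
    generatedAt: new Date().toISOString(),
  };
}

// Public interface of the minified build: `exports.a`. Guarded so evaluating
// this file outside a CommonJS loader does not throw a ReferenceError.
if (typeof exports !== 'undefined') exports.a = generateComplianceReport;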