The Nigeria Data Protection Commission (NDPC) has mandated banks, telecom companies, insurance companies and other organisations that control the data of Nigerians to apply with the commission for data protection compliance monitoring before December 2023. This was revealed by the National Commissioner of NDPC, Dr Vincent Olatunji, during an interaction with newsmen in Lagos.
Dr Olatunji said the order was in line with the provisions of the Nigeria Data Protection Act, which requires all data controlling and processing organisations to get registered for the afore-mentioned exercise within six months of the enactment of the law establishing the commission.
According to the National Commissioner, the task of securing the data of Nigerians is a huge one, but he believes that the new Nigeria Data Protection Act 2023 was up to the task.
“To ensure adequate monitoring in this regard, banks, telecoms operators and other organisations that control Nigerians’ data must register with the Commission between now and December for data protection compliance monitoring.”
Dr Vincent Olatunji, National Commissioner of NDPC,
Dr Olatunji also revealed that since the regulation was announced, the commission has written to the Central Bank of Nigeria, which remains one of the biggest controllers of data in the country. He also revealed that the CBN has applied for data protection compliance monitoring.
The National Commissioner noted that the CBN applied because it has every reason to want to protect the financial system from data risks. He also said the commission was currently discussing with the Central Bank on the next steps and working with the apex bank on its social media know-you-customer (KYC) protocols.
“The financial sector has a huge database and we are working together to address the challenges of this regulation. We are getting results,” Dr Olatunji said.
NDPC investigating 9 organisations, fined 3 banks for data breaches
The National Commissioner also announced that since the commission began its regulatory and oversight duties in June, it has already fined three banks after investigating them for data breaches. While he didn’t reveal the names of the banks, he was, however, optimistic that they would comply and pay their fines as due.
He also revealed that the commission is currently investigating nine organisations for various data breaches. The organisations are spread among the education sector, banking and insurance sector as well as telecommunications industry. While he also didn’t reveal their names, he said the NDPC would investigate the data abuses without leaving any stone unturned.
“Since we started, the commission has not had any course to run to anyone. We have fined three major banks, and they will pay their fines. We are currently investigating about nine major organisations, an insurance firm, a school, and a consulting firm. We don’t work based on political affiliation.”
Data breaches in Nigeria
Like everywhere else in the world, Nigeria has continued to witness increasing cases of data breaches. In a recent report, Technext revealed that the country witnessed 83,000 cases of data breaches in the first quarter of 2023. This represented a 64% increase from the fourth quarter of 2022, in which the country recorded 50,000 data breaches.
That development pushed Nigeria up the ranks to 32nd on a global list of countries with the most data breaches in the first quarter of the year, This is worse than the 41st which it ranked in the fourth quarter of 2022.
An increase in data breaches in Nigeria is a cause for concern because it means that more and more people’s personal information is being exposed to potential hackers and identity thieves. This can have a devastating impact on individuals, businesses, and the economy as a whole.
To this end, the establishment of the Nigeria Data Protection Commission (NDPC) is a most welcome development coming at a most opportune time. So far, with 3 fines and many more investigations in the offing since its establishment in June 2023, one could say the commission has hit the ground running after one month.
But it remains to be seen the kind of direct impact the activities of the commission has on data protection and control in the country. This is especially so given its reluctance to name erring organisations, as well as the severity of punishment, meted out on them.