TheCable

Vincent Olatunji, the chief executive officer of the Nigeria Data Protection Commission (NDPC), in this interview with TheCable’s YEKEEN AKINWALE and CLAIRE MOM, says the federal government is ready to jail anyone responsible for data breach in any organisation. He said the CEOs of such organisations risk between six months to three years in prison for data breaches.

TheCable: Daily, Nigerians are putting their data out there in banks, schools, embassies, money points, and other places. They are not sure of what use the information is put to by the processors and they’re not sure how safe their data is. What is your commission doing to ensure data is not abused or stolen? 

OLATUNJI: Thank you very much. I think the law that we have in Nigeria speaks to the fact that the government is serious about protecting the rights, freedom and interests of Nigerians wherever they are in the sense that any data controller or processor that collects, processes, stores or shares your data, that data controller has a whole legal duty of care which we refer to as accountability. 

That is, they will be accountable for the data they collect from you at any point in time and that is why the law says that anything that leads to authorised access or loss or damage to your data which you have given to that data controller or processor, in that situation, that controller is liable.

Part of what we are out to do is to ensure that they put in place adequate measures in terms of technology like what kind of firewalls have they put in place to ensure there is no unauthorised access to such databases. We have what is referred to as organisational measures, that is, in terms of their data processing activities. Who are the people in charge? What knowledge or understanding of data processing or protection do they have? What kind of privacy policy are they operating? What kind of law is guiding what they are doing to ensure the safety of your data? 

Now, with the law, the awareness is increasing gradually that when you collect anybody’s data, you will hold that accountability part of it that “with this data, I must put in place measures to ensure that such data is protected” because there are consequences if there is a data breach.

 If it is reported to us, we will do a thorough evaluation. We’ll look at the number of data subjects that were interrupted, and we’ll look at the impacts.

We will find out if it has led to any financial loss. In some cases, it may even lead to issues around medical records which may lead to mis-administration of medication that may cause damage to one’s health. In some cases, it may even lead to death. So these are cases that we have to evaluate, and when we discover that you have not done enough as a data controller or processor, we will now be required to issue penalties which can range from as low as N10 million up to about two per cent of your gross earnings from the previous year as data controller if there is a data breach. 

That’s why we keep creating awareness, building capacity, and encouraging data controllers to comply with the provisions of the law by having their privacy statements, and their privacy policies, and advising their data protection officers who oversee their data processing activities.

TheCable: You recently issued guidance for the registration of data controllers and processors. These are terms that ordinary Nigerians will not understand. Are they individuals or organisations?

Olatunji: Big organisations need data protection officers

OLATUNJI: A data processor collects and processes data on behalf of the data controller while a data controller determines the way and manner in which your data will be used. I’ll give you examples. A telco agent working on behalf of MTN, Glo, and Airtel in their small shops is a data processor — they collect data on behalf of the telcos and process them.

Banking agents that work for Bank A, B, and C will collect data and process it. If you want to do your NIMC registration, they have agents; you can just walk into their offices, and they now collect your data and send it to NIMC who is the controller in this case. They determine the way and manner such data will be used. That is why it is still very important for data controllers to oversee what their data processors, that is their agents, are doing in the way they collect such data because if there is a breach on the part of the processors, it affects the controllers. 

There is supposed to be a service level agreement to ensure that they have put in place adequate measures to ensure that the data is protected. 

Now, when it comes to registration with us, we have all-time data processors, like the multinationals, the banks, the telcos —  they range in thousands, some in millions, that they process regularly. 

We have the medium which is like the MDAs and other medium-level controllers and processors. Then we have the lower ones; we call them ordinary. These are like the SMEs and law firms, for instance. Now, an individual can be a data processor, if people come to you and you collect and process data. Corporate entities can also be data processors or controllers with all the requirements. What the law requires them to do differs. For instance, if you are a data processor or controller and you are collecting and processing in high volumes, the law says you should get a DPO (data protection officer) to oversee what you’re doing. 

Unlike a one-man business, you may not need a resident DPO; but if you’re a big organisation, you need one. These are some of the differences depending on the number of data subjects you are processing, the sensitivity, and the impact of such data in case there is any breach.

TheCable: How many of them have you registered so far?

OLATUNJI: As we speak, we have registered over 3000 data collectors and processors but we have not even started. We have not even scratched the surface because, by our estimates, we have over 500,000 data collectors and processors in Nigeria based on records from CAC. So, if we’re doing 3000, we have not even scratched the surface. 

TheCable:  NIMC also collects and processes data. Is NIMC also under your supervision?

OLATUNJI: Yes, every organisation, whether you’re in agric, health, education, public service, or private sector, the moment you collect and process data of every Nigerian, you are within scope. So, NIMC, immigration, customs, and MDAs, all of them are within scope; so they have to comply with the provisions of the law.

TheCable: What is the level of compliance?

OLATUNJI: Actually, when we started, the level of compliance in the public sector was very low and poor because an average boss would think “I don’t need to comply. I am a government official”. But now, there are provisions in the law that the CEO can be sent to jail for non-compliance upon a data breach. So, what we did was that we went to the office of the secretary to the government of the federation (SGF) and we were able to obtain a circular mandating all MDAs to comply with the provisions of the law.

TheCable: What is the jail term?

OLATUNJI: Between six months to three years. Now, we were able to obtain the circular from the office of the SGF on November 7, 2022, and on November 16, we obtained another set of guidelines from the office of the head of service mandating all MDAs to comply. But within three months of getting the circular and the guideline, compliance that was just four per cent in the public sector rose to nine per cent. It shows that people are beginning to embrace what we are doing.

A lot of public sector organisations, because of international collaborations and partnerships, a lot of organisations that they are dealing with outside Nigeria tell them if you do not have that provision of data protection or privacy, they are not ready to do business with you. So, a lot of them are beginning to see value in what we are doing. So it (compliance) is increasing now, it’s really getting better.

TheCable: If you look at the banking sector, for instance, it is more vulnerable to data breaches. You sit in the comfort of your room and someone calls you, mentions your name and account details, and says you are to pay a certain amount of money. Is it the fault of the bank or the customers?

OLATUNJI: To be fair to the financial sector in Nigeria, I think they are trying. The compliance level in that sector alone is about 49 per cent. So, looking at breaches, it is both ways. Some data subjects who are bank customers can be very careless with their information. Some will just give their ATM cards to their drivers or someone and say, “Please help me withdraw money; my PIN is so-so”. 

For some, it’s at drinking joints and you don’t know who has overheard you. Before you know it, they find a way of stealing your card and taking money from your account. On the part of the bank, some of them are not diligent enough to put in place measures, and these, sometimes happen to be some of the staff that are in charge of data processing activities.

Some are very careless and few of them give out information to fraudsters. For instance, I go to open an account, and the next day, someone calls me to complete the pending process when they send me a code. How did they know, if not for the bank? That’s why we keep telling banks to properly train their staff so that when they open accounts for people and collect data, they have to do it in such a way that is safe and secure.

In some cases, you go to a bank, maybe to collect an ATM card or a bank draft, and next thing they are giving you those long books to fill in your name, account number, telephone number, and signature. Anybody can go there and snap it and start calling you. Even in conferences and workshops, when you fill in those details, anybody can start calling you from there. So, all of us must take caution, and make sure we don’t give out our data anyhow. Data controllers must make sure they collect the data safely and securely. That is the only way.

TheCable: Closely related to that is the problem of telcos giving people’s information out. In times past, you could just sit down and receive unsolicited messages for campaigns, and events and you begin to wonder how they got your number. How did this happen and are you making efforts to address this?

Olatunji: A privacy law creates trust and confidence

OLATUNJI: It is part of what we are trying to discourage now. Recently, NCC has been issuing notices to the telcos not to allow such to happen on their networks and they will face strict penalties if any telco is reported that they are using their platform to send unsolicited messages. So, NCC is already taking care of that and I’m sure it has already reduced. 

TheCable: You talked about the data protection strategic plan 2023 – 2027 recently. Can you speak more on the pillars of the strategic plan?

OLATUNJI: Yes, it is one thing to have a regulation or a law; it is a completely different thing for you to implement it. With the law that President Bola Ahmed Tinubu signed, a lot has happened in terms of the reputation of this country in the international community as a country that is ready for digital business. When you have your privacy law and an independent data protection authority, you are trying to create trust and confidence. 

So, when you have this, the next thing is how do you implement the law? That was why we came about developing the blueprint, the strategic broad plan which is made up of five major pillars. Now, apart from the pillars, we have 67 specific initiatives that will drive these five pillars. 

Of the five pillars, the first one is governance. What kind of governance structure do we have for data privacy and protection in Nigeria? As a country, we have the Nigeria Data Protection Act of 2023 which speaks to the kind of laws, regulations, rights, principles, objectives, even establishing the commission, securities put in place, data processing activities. The law is made up of 12 major parts.

Now that we have the governance pillar, we now expect individual organisations to develop their privacy statement such that anybody who hits your portal, the first thing they see is your privacy statement; then that will take me to your privacy policy speaking to the policy guiding your data processing activities, then the structure. This is like the framework and regulations. 

Two, awareness and human capital development. You hear that this is just an ecosystem that is coming up gradually in Nigeria and what kind of capacity do we even need to effectively improve the ecosystem on the part of the commission and for all data processors and controllers? What is the knowledge of data processing? 

We need to build capacity because it is still very low. As I said before, we have about 500,000 data collectors and processors, and experts in this field are not even up to 10,000.

So, there is a gap of about 480,000 that we are trying to bridge. That is why it is a major pillar. What do we need to put in place so that you can work in Nigeria and anywhere in the world as a data protection expert?

The third part of the pillar is the ecosystem and technology. What kind of data protection ecosystem do we have in Nigeria? What kind of local technologies can we develop to drive the law in terms of awareness, registration, breaches, investigation, evaluation, and so many things? We do not want to keep importing foreign technologies. We want to develop indigenous solutions that we will use to drive the ecosystem.

The fourth one is funding and sustainability. It is a new ecosystem that is just coming up. A lot of people may not even understand what you are doing. So, the thing is “Why do you need money? Why should you be funded?’ That is why we have developed a way of funding the work of the commission to be able to make an impact. We do not want to rely absolutely on the government.

The last one is cooperation and collaboration. How do we collaborate with data controllers, data processors, regulators, NGOs, and civil society groups, to be able to drive this, in terms of awareness creation, capacity building, creating a compliance culture in Nigeria, and for us to be globally competitive?

If you don’t have your privacy law, a lot of organisations will not want to do business with you. We are working with SMEDAN. We are working with industry commissions and a lot of organisations that we are collaborating with for us to be able to enact effective compliance in their sectors. We have cooperation with international development organisations, the likes of the World Bank, European Investment Bank, European Union, Smart Africa, African Union, and even DPAs all over the world, like Kenya Data Protection Authority, Ghana Data Protection Authority, in the UK, US.

We have worked with them to exchange ideas, review knowledge exchange, look at what they are doing in their climes and share information about what we are doing too to see how we can learn and unlearn and develop skills that will help us do our work effectively. We are also a member of the network of Africa Data Protection Authorities. Also, the global privacy assembly is made up of over 130 countries. These are platforms where we exchange information and learn.

TheCable: Since the law was signed by the president and in terms of complaints and investigations, how many have you recorded?

OLATUNJI: We received over 3,000 complaints. It is not all these complaints that we can look into. We looked into over 900 and concluded about 17 from different sectors — gaming, financial, insurance, schools, consulting. 

We have issued penalties. Now we call it a remediation fee to some of the organisations because we do not want the kind of penalties that will also affect their business where people will have to leave their jobs. Bear in mind the ease of doing business is an initiative of the federal government to create an enabling environment for businesses to thrive.

But in terms of data breaches, that also depends on the impact. If the impact is huge and the data controller is not ready to cooperate, we can go all out to issue heavy fines. But if it is not major and they are ready to go through a remediation, we tell them to go through that. Between when we started and now, we have made over N400 million for government in less than two years. That is because we have not fully come out to enforce. So you can imagine what will happen when we come out to do it.