NDPC Will Sanction MDAs for Data Breaches - Dr. Vincent Olatunji

The Nigeria Data Protection Commission (NDPC) has said that it will henceforth hold top executives of government Ministries, Departments, and Agencies (MDAs) accountable for any data breach that happens while they are in charge.

In an interview on the implementation of the Nigeria Data Protection Act, Dr. Vincent Olatunji, National Commissioner of the NDPC, said that persons in charge of MDAs would be penalized since the government cannot be forced to pay fines from its funds. 

This was after he revealed that compliance among MDAs has climbed to 9%, up from 4% last year.

While the Commission has sanctioned private organizations under the Nigeria Data Protection Regulation (NDPR), no government institution has been penalized, despite fears that they are the ones that most often commit data breach offenses.

However, Olatunji said that with the passage of the Data Protection Bill into law, that period has come to an end.

According to Olatunji, the rate of compliance by private sector organizations has risen to 49%, well above the 9% achieved by the public sector.

To increase adherence by both public and commercial organizations, Dr. Vincent Olatunji said that the organization is launching a capacity-building initiative throughout the nation to educate additional data protection officers.

  • “There are provisions in the law that even the CEO of an MDA could be jailed if there is a data breach with impact on the data subject. We have also issued a circular to the effect that all MDAs must appoint a resident Data Protection Officer (DPO) and ensure that they train all their staff to understand what data protection is and also to make appropriate budget provisions for data protection.

  • “So, we are expecting the level of compliance by MDAs to increase from now. We are also creating awareness to ensure that all MDAs comply with the provisions of the law. But if there is any breach, yes, we can’t fine government to pay the government, but there is somebody responsible for that, and that is the CEO. And that is why the DPOs should report to the CEO of any organization they work with so that there are no ambiguities in whatever they are supposed to be doing. So, whatever happens, the CEO will be held responsible,” he said.

He also said that authorities such as the Nigeria Immigration Service (NIS), National Identity Management Commission (NIMC), and Federal Road Safety Corps (FRSC) are among the largest repositories of Nigerian data and must also comply with the data protection law, which President Bola Tinubu just signed into law.

According to Olatunji, if a Data Controller deals with over ten thousand Data Subjects, the NDPR requires a fine of 2% of the organization's yearly revenue for the prior year or N10 million, whichever is greater.

In the case of a Data Controller that handles fewer than 10,000 Data Subjects, the sanction is a fine equal to 1% of the preceding year's annual gross revenue or N2,000,000.00 (two million Naira) (approx. EUR 2,000), whichever is greater.
