Nigeria’s data protection agency will blacklist erring corporations

Head of Nigeria’s Data Protection Commission, Vincent Olatunji, has expressed interest in creating a “blacklist” of businesses that do not comply with the country’s data privacy rules.

Companies that have refused to comply with Nigeria’s data protection legislation will be placed on a “blacklist” that will be maintained by the Nigerian Data Protection Commission (NDPC).

Its commissioner, Dr. Vincent Olatunji, stated in an exclusive interview yesterday, on the sidelines of the commission’s workshop held in Ikeja, that the commission will also publish on its website a white list of companies that have complied with the provisions of the law in terms of safeguarding the data of citizens in the country. He added that “it creates confidence and trust in whoever wants to do business with you.”

According to Olatunji, all data controllers and data processors are required to register with the commission within six months of the implementation of the law in accordance with the requirements of the act. 

In addition, data controllers and processors are required to submit an annual audit report to the commission between January and March of the following year. The commissioner added that in accordance with the regulatory framework for data privacy established by the African Union, Africa as a continent is attempting to build a common law for the protection of personal data.

Security holes in data

As a result of Nigeria’s continued march towards digital transformation and improvements in internet connectivity, data breaches have emerged as a major source of concern in the country. 

In the first three months of this year, Nigeria was placed in the 32nd spot on the list of countries with the most security breaches. 

Olatunji also disclosed that the commission is currently engaging in dialogue with Flutterwave on a breach that was reportedly committed in March. Flutterwave insists that their security was not compromised in any way. “We are currently investigating them, and we have exchanged some correspondence between the commission and Flutterwave,” Olatunji noted.

The commission stated that it also penalised Sokoloan 50 million for violating consumers’ privacy in its debt collection effort and banned the digital lender’s account until it fixed its privacy policy.

The violation occurred during the commission’s drive to collect debts from clients. “In order to verify that they go through the proper procedures to register as digital lenders, we have placed a restriction on their account.” Olatunji continued by saying that the FCCPC is in the process of registering them, and one of the requirements for their registration is that they clear their privacy policy with us.

Bringing clarity to the ambiguous provisions

Prior to this point, solicitors had voiced concerns over aspects of the act that were ambiguous, particularly in areas such as the independence of the commission.

Some people pointed out a potential conflict in the execution of section 32 of the act, which requires a data controller of considerable importance to have a Data Protection Officer (DPO), who can be an employee or someone who is hired through a service contract.

Olatunji further stated that the NDPC is autonomous, which is supported by the law (specifically section 7) in this regard. He explained that it would be difficult for the commission to function independently without the ministry for as long as it continues to enforce the requirements of its act under the jurisdiction of the federal government.

Additionally, the commissioner affirmed that there was no incompatibility with Section 32 of the act. A data protection officer (DPO) is someone who, according to him, advises a data controller on how to collect, process, store, share, and secure data in accordance with the necessary regulations both locally and globally. It is necessary for DPOs to exist in order for them to provide their organisation with sound advice. “The DPO should link the organisation and outsiders, including the NDPC. That is why as a data controller of major importance, you must have your own DPO to advise you, to create awareness, to build capacity and tell you the kind of measures to put in place,” Olatunji explained.