The National Information Technology Development Agency (NITDA) has disclosed that banks, fintechs, telcos and other organisations might lose up to 2% of their gross annual revenue to a data breach.
This was disclosed at an interactive session on Nigeria’s data protection regime hosted by Taxaide Technologies Ltd. (Taxtech), Nigeria’s foremost Data Protection Compliance Organisation (DPCO), and Anaje Olumide Oke Akinkugbe (AO2 Law) to help organisations comply with the strict regimen of the newly revised Nigeria Data Protection Regulation 2019 (NDPR).
The revised regulations: Basically, a data breach is an incident that exposes confidential or protected information, and this might involve the loss or theft of customers’ bank accounts or credit card details, personal health information, passwords or email and so on.
- Speaking at the event, the Keynote speaker, Olufemi Daniel, NDPR Desk Officer, NITDA, stated that there was no better time for stakeholders to get a deeper understanding of the Data Protection Regulation and best practices.
- He hinted that the NDPR as it stands is not as strict as the General Data Protection Regulation (GDPR) adopted in Europe and they understand it is a relatively new regulation in Nigeria.
- Specifically, the newly revised NDPR 2019 is targeted at safeguarding data privacy, fostering the safe conduct of transactions involving personal data and making Nigerian institutions globally competitive and relevant.
- Mr. Daniel further stressed that NITDA’s primary concern was compliance with the regulations. According to him, discussions were also ongoing concerning the overlapping functions of different data regulatory bodies in the country such as the Nigerian Communications Commission (NCC) among others to develop synergy.
The Penalty: Basically, this regulation applies to all transactions intended for the processing of personal data. According to the regulation, organisations may be fined up to 2% of Annual Gross Revenue of the preceding year or 10 million Naira (whichever is greater) for any case of a data breach. This may also require criminal prosecution under the NITDA Act.
- According to NITDA’s risk-based stratification, the regulation shows that organisations exposed to a very high risk of a data breach include banks, telcos, CBN, PFA, and big insurance companies. On the other hand, organisations exposed to high risk include big fintechs, notable hospitals, NIMC and stockbrokers.
- Meanwhile, it was disclosed that the self-reporting of a data breach by the Controller is a major consideration in determining the amount of fine to be levied. To this effect, the report must be made within 72 hours from the time of knowledge of the breach.
While commenting on this, the Managing Partner, AO2 Law, Mr. Chinedu Anaje, addressed the need for organisations to seek redress if they are wrongfully fined by the regulators.
“The NITDA gives organisations an opportunity to redress in a court of law; there are numerous cases of that nature in Europe and North America. We expect there will be an increase in data breach cases in the future.”
Similarly, Mr. Olumide Bidemi, CEO of Taxaide, disclosed that Nigeria’s legal structure is ready to guard against data breaches, which are a common practice in the Nigerian system.
“Data protection regulation also creates enormous opportunities for every player in the value chain. The players include the regulators, lawyers, relevant professionals and we should have some confidence in the system. We cannot continue in this; organizations must be held accountable for breaches.”
Other speakers during the sessions include Professor Abiola Sanni, Chairman, Board of Directors, Taxtech; Mr. Bidemi Olumide, CEO, Taxtech; Mr. Oyeyemi Oke, Non-Executive Director, Taxtech; Mr. Edward Popoola, CTO, Cowrywise; Ms. Gbeminiyi Shoda, Company Secretary, VFD Group; Ms. Nkem Isiozor, Legal Manager, Intellectual Property & Technology, The Nigerian Stock Exchange; and a host of other distinguished guests.