The Nigeria Data Protection Commission (NDPC) has said that it will now hold the chief executives of government Ministries, Departments, and Agencies (MDAs) responsible for any data breach that occurs under their watch.
Speaking in a chat with Nairametrics on the implementation of the Nigeria Data Protection Act, the National Commissioner of the NDPC, Dr. Vincent Olatunji, said the individuals heading the MDAs will be sanctioned because the government cannot be made to pay a fine into its own coffers. He also disclosed that the level of compliance with the data protection law by MDAs has only risen to 9% from 4% last year.
While the Commission has been sanctioning private companies under the Nigeria Data Protection Regulation (NDPR), no government agency has been fined, even though there are concerns that government agencies are the most culpable when it comes to data breaches.
However, Olatunji said that era is now over with the signing of the Data Protection Bill into law.
49% compliance by the private sector
Olatunji attributed this to the enforcement of sanctions: the level of compliance by private sector organizations now stands at 49%, far ahead of the 9% recorded by the public sector.
To improve compliance by both public and private organizations, the data protection boss said the Commission is embarking on capacity building across the country to train more data protection officers.
- “There are provisions in the law that even the CEO of an MDA could be jailed if there is a data breach with impact on the data subject. We have also issued a circular to the effect that all MDAs must appoint a resident Data Protection Officer (DPO) and ensure that they train all their staff to understand what data protection is and also to make appropriate budget provisions for data protection.
- “So, we are expecting the level of compliance by MDAs to increase from now. We are also creating awareness to ensure that all MDAs comply with the provisions of the law. But if there is any breach, yes, we can’t fine government to pay the government, but there is somebody responsible for that, and that is the CEO. And that is why the DPOs should report to the CEO of any organization they work with so that there are no ambiguities in whatever they are supposed to be doing. So, whatever happens, the CEO will be held responsible,” he said.
Government agencies such as the National Identity Management Commission (NIMC), the Nigeria Immigration Service (NIS), and the Federal Road Safety Corps (FRSC) are currently among the largest processors of Nigerians’ data and are also required to comply with the data protection law, which was recently signed into law by President Bola Tinubu.
Possible sanctions
According to Olatunji, in the case of a Data Controller dealing with more than 10,000 Data Subjects, the NDPR stipulates a fine of 2% of the organization’s annual gross revenue for the preceding year or the sum of N10 million, whichever is greater.
In the case of a Data Controller dealing with fewer than 10,000 Data Subjects, the sanction is a fine of 1% of the organization’s annual gross revenue for the preceding year or the sum of N2 million (two million Naira, approx. EUR 2,000), whichever is greater.