The National Information Technology Development Agency (NITDA) is a data protection authority in Nigeria. It issued the Nigeria Data Protection Regulation 2019 (the ‘NDPR’). The NDPR requires data controllers[1] whose processing of personal data meets certain thresholds to submit data audits to NITDA. The first category is the data controller who processes the personal data of more than 1,000 data subjects in a period of six months. The second category is the data controller who processes the personal data of more than 2,000 data subjects in a period of 12 months. The NDPR requires that the data audit be submitted to NITDA not later than 15 March of the following year.
Apart from administering and enforcing data audits, NITDA is empowered to register and license Data Protection Compliance Organizations (DPCOs). DPCOs, on behalf of NITDA, monitor, audit, conduct training for, and provide data-protection compliance consulting to all data controllers under the NDPR. It is by virtue of its regulatory authority that NITDA recently fined a data controller in Nigeria for a data breach.
NITDA fines Electronic Settlement Limited for data breach and extends filing date
On 16 March 2021, the National Information Technology Development Agency announced a fine of ₦5 million it imposed on Electronic Settlement Limited for a personal data breach after observing several investigative protocols. The announcement came after NITDA’s earlier notification to all DPCOs of an extended deadline for the filing of the mandatory Data Protection Audit Report by Data Controllers, from the statutory 15 March of every year to 30 June 2021.
According to NITDA, before it fined the company, NITDA investigated the company’s applications and websites, visited the company’s office in Lagos, and reviewed relevant documents on data protection.[2] Meanwhile, NITDA has mandated the company to submit a data protection audit report for its 2020/2021 data-protection compliance audit. This audit is required to have been conducted by a NITDA-licensed DPCO.
NITDA’s developmental approach to regulation
Since the issuance of the NDPR in 2019, NITDA has, quite commendably, focused more on education and sensitization about data protection and privacy than on outright enforcement. Education and sensitization are critical and will no doubt improve compliance.
Also, NITDA is noticeably one of the few regulators in Nigeria that have prioritized developmental regulation over restrictive regulation, applying its regulatory authority to help create opportunities while also minimizing risks. Especially for a developing economy such as Nigeria, this collaborative, multi-stakeholder approach may just be what the country needs to ensure safeguards without necessarily stifling innovation. As Nigeria gradually transitions to a digital economy, NITDA continues to focus primarily on policy development in the information technology space.
NITDA’s developmental regulation approach does not, however, mean that it will not enforce compliance where there is a breach.
A Precaution to Data Controllers and Businesses on Data Breach
The fine on Electronic Settlement Limited serves as a precaution for data controllers and businesses that handle and process large volumes of personal data of data subjects.[3] It will equally serve as a deterrent to data controllers who may have been taking data audits with levity. By fining Electronic Settlement Limited, NITDA is gradually demonstrating its readiness to strictly enforce compliance with the Regulation and to impose sanctions and fines on defaulters accordingly.
Thankfully, due to the extension, companies and businesses that control personal data up to the NDPR threshold can now conduct and file audit reports through licensed DPCOs on or before 30 June 2021. Ensure you contact the right DPCO or its affiliate to assist with your data audit report. Should you need assistance in this area, we will be willing to help.
1. “Data Controller”: “a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed”, The International Comparative Legal Guide to Data Protection, 6th edition, Global Legal Group, London, 2019: Nigeria, 321
2. “NITDA slams N5m fine on Electronic Settlement over data breach”, Vanguard, 19 March 2021
3. “Data Subject”: “any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, The International Comparative Legal Guide to Data Protection, 6th edition, Global Legal Group, London, 2019: Nigeria, 321