A Precaution to Businesses that Control Personal Data: NITDA’s N5million fine against Electronic Settlement Limited as a Case in Point

A Precaution to Businesses that Control Personal Data: NITDA's N5million fine against Electronic Settlement Limited as a Case in Point Infusion Lawyers

by Gabriel Eze, Associate

The National Information Technology Development Agency (NITDA) is a data protection authority in Nigeria. It issued the Nigeria Data Protection Regulation 2019 (the ‘NDPR’). The NDPR requires data controllers1 that process personal data that meet certain thresholds to submit data audits to NITDA. The first category is the data controller who processes the personal data of more than 1,000 data subjects in a period of six months. The second category is the data controller who processes the personal data of more than 2,000 data subjects in a period of 12 months. The NDPR requires that the data audit be submitted to NITDA not later than 15 March of the following year.

Apart from administering and enforcing data audits, NITDA is empowered to register and license Data Protection Compliance Organizations (DPCOs). DPCOs, on behalf of NITDA, monitor, audit, conduct training, and data-protection compliance consulting to all data controllers under the NDPR. It is by virtue of its regulatory authority that NITDA recently fined a data controller in Nigeria for data breach.


NITDA fines Electronic Settlement Limited for data breach and extends filing date.

On 16 March 2021, the National Information Technology Development Agency announced a fine of ₦5 million it imposed on Electronic Settlement Limited for personal data breach after observing several investigative protocols. The announcement would come after NITDA’s earlier notification to all DPCOs of an extended deadline for the filing of the mandatory Data Protection Audit Report by Data Controllers from its statutory 15 March of every year to 30 June 2021.

According to NITDA, before it fined the company, NITDA investigated the company’s applications and websites, visited the company’s office in Lagos, and reviewed relevant documents on data protection.2 Meanwhile, NITDA has mandated the company to submit a data protection audit report for its 2020/2021 data-protection compliance audit. This audit is required to have been conducted by a NITDA-licensed DPCO.


NITDA’s developmental approach to regulation

Since the issuance of the NDPR in 2019, NITDA has, quite commendably, focused more on education and sensitization about data protection and privacy rather than outright enforcement. Education and sensitization is critical. This will no doubt improve compliance.

Also, NITDA is noticeably one of the few regulators in Nigeria that has prioritized developmental regulation over restrictive regulation, applying its regulatory authority to help create opportunities while also minimizing risks. Especially for a developing economy such as Nigeria, this collaborative, multi-stakeholder approach may just be what the country needs to ensure safeguards without necessarily stifling innovation. As Nigeria gradually transits to a digital economy, NITDA continues to primarily focus on policy development in the information technology space.

NITDA’s developmental regulation approach does not however mean that it will not enforce compliance where there is a breach.


A Precaution to Data Controllers and Businesses on Data Breach

The fine on Electronic Settlement Limited serves as precaution for data controllers and businesses that handle and process large volumes of data of data subjects.3. It will equally serve as a deterrent to data controllers who may have been taking data audits with levity. By fining Electronic Settlement Limited, NITDA is gradually demonstrating its readiness to exercise strict compliance and enforcement of the Regulation as well as impose sanctions and fines to defaulters accordingly.

Thankfully, due to the extension, companies and businesses who control personal data up to the NDPR threshold, can now file and conduct audit reports through licensed DPCOs on or before 30 June 2021. Ensure you contact the right DPCO or its affiliate to assist with your data audit report. Should you need assistance in this area, we will be willing to help.

  1. “Data Controller”: “a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed”, The International Comparative Legal Guide to Data Protection, 6th edition, Global Legal Group, London, 2019: Nigeria, 321
  2. NITDA slams N5m fine on Electronic Settlement over data breach“, Vanguard, 19 March 2021
  3. “Data Subject”: “any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”, The International Comparative Legal Guide to Data Protection, 6th edition, Global Legal Group, London, 2019: Nigeria, 321


  • Paul Oghenekaro Afabor

    Simple And Nice, as always!

    I wondered though why the difference in the kinds of data collectors. Anyone who collects 1,000 or more data within 6 months will surely get 2,000 or more with one year. What then is the idea behind differentiating them? Doesn’t make sense to me.

    • Gabriel Eze

      Thank you for your readership and kind remarks as always, Paul. Your questions are always intriguing. Lol

      The NDPR actually did stipulate those thresholds. And I really can’t tell what the intention of the drafters were at the time of its making. Hopefully, when the substantive law on data protection in Nigeria is enacted, shady areas as this one would have been cleared. It may be worth noting though that penalties for data breach under the NDPR are based on thresholds as well, though a different threshold.

      • Paul Oghenekaro Afabor

        Okay. Thanks for this piece of information. Thankfully, it isn’t a legislation yet. I’m as hopeful as you are that coming legislations should correct this anomaly.

        It’s much needed because there’s no getting ahead without clarity.

        Thanks once again, for paying good attention to my question and giving such an enlightened answer.

  • Gabriel Eze

    You’re welcome.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top