Nigeria’s data protection agency will blacklist erring firms

Nigeria’s Data Protection Commission chief, Vincent Olatunji, wants to blacklist noncompliant firms that are not adhering to the data privacy laws

Nigeria’s Data Protection Commission (NPDC) will blacklist companies that have refused to comply with its data protection regulations. Its commissioner, Dr. Vincent Olatunji, in an exclusive interview on the sidelines of its workshop held in Ikeja yesterday, said it will also publish a white list of companies that have complied with the provisions of the law in terms of safeguarding the data of citizens in the country on its website, adding that, “it creates confidence and trust in whoever wants to do business with you.”

According to Olatunji, all data controllers and data processors should be registered within six months of the enactment of the law, in line with the act’s provisions, and file an annual audit report with the commission, submitted between January and March next year. The commissioner explained that as a continent, Africa is trying to fashion out a common law for data protection under the African Union regulatory framework for data privacy.

Data breaches

Data breaches have become a cause for concern in Nigeria as Nigeria inches closer to digital transformation and improved internet connectivity. In the first quarter of this year, Nigeria was ranked as the 32nd most breached country in the world. Olatunji also shared that the commission is in talks with Flutterwave over a reported breach in March. Flutterwave maintains that it wasn’t breached. “We are currently investigating them, and we have exchanged some correspondence between the commission and Flutterwave,” Olatunji said. The commission said it also fined Sokoloan ₦50 million for violating customers’ privacy in its debt recovery drive and restricted the digital lender’s account until it fixes its privacy policy. “We put a restriction on their account to ensure they go through registration as digital lenders. FCCPC is currently registering them, and part of the criteria for their registration is to clear their privacy policy with us,” Olatunji added.

Clarifying the unclear provisions

Before now, lawyers had raised concerns about unclear provisions of the act, especially in areas like the commission’s independence. Some noted that there might be a possible conflict in the discharge of section 32 of the act, which provides for a data controller of significant importance— to have a Data Protection Officer (DPO) who can either be an employee or engaged by a service contract.

Olatunji told TechCabal that the NDPC is independent; section 7 of the law speaks to that. He explained that it would be difficult for the commission to stand alone without the ministry as long as it continues to enforce the provisions of its act under the federal government.

The commissioner also said there was no conflict with Section 32 of the act. According to him, a DPO advises a data controller on collecting, processing, storing, sharing, and securing data in line with the requisite laws locally and globally. DPOS must exist to be able to advise their organisation appropriately. “The DPO should link the organisation and outsiders, including the NDPC. That is why as a data controller of major importance, you must have your own DPO to advise you, to create awareness, to build capacity and tell you the kind of measures to put in place,” Olatunji explained.