April 9, 2021
On 16th March 2021, the National Information Technology Development Agency (NITDA or “the Agency”) announced that it has imposed a fine of ₦5 million on Electronic Settlement Limited for personal data breach following a 16-month investigative process.
This announcement came after the Agency had earlier notified all Data Protection Compliance Organisations (DPCOs) that it had extended the deadline for filing the 2021 mandatory Data Protection Audit Report by Data Controllers from 15th March 2021 to 30th June 2021.
NITDA is the agency of the Federal Government of Nigeria responsible for fostering the development and growth of the information technology (IT) in Nigeria. NITDA regulates, monitors, evaluates and verifies developments on information technology under the supervision and coordination of the Federal Ministry of Communication and Digital Economy.
In 2019, NITDA issued the Nigeria Data Protection Regulation (NDPR) which seeks to safeguard the rights of natural persons to data privacy as well as introduces compliance obligations for organisations that collect and process personal data. Following the issuance of the NDPR in 2019, NITDA has created awareness and steadily driven compliance while delaying the imposition of penalties/enforcement mechanisms for non-compliance.
NITDA has, however, begun strict enforcement of the provisions of the NDPR with the recent issuance of a ₦5 million fine to a Nigerian company Electronic Settlement Limited (ESL) for data breach. According to NITDA, the fine was issued after an investigative process that involved an analysis of the company’s applications and websites; a visit to the company’s office in Lagos, a review of its technical documents as submitted to the Agency and interrogation of its officials. ESL has also been mandated to submit a Data Protection Audit Report for its 2020/2021 data protection compliance audit conducted by a NITDA-licensed DPCO.
With respect to the 2021 data protection audits, Paragraphs 4.1.5 and 4.1.7 of the NDPR require Data Controllers (i.e. public and private sector organisations that collect, process, control or determine how personal data that is collected is processed) to conduct a data protection audit and file an audit report with the Agency not later than the 15th of March of every year and the audit and filing of the audit report must be conducted through a licensed DPCO. However, given the continued effect of the COVID-19 pandemic, NITDA extended the deadline for the 2021 data protection audit to 30th June 2021. In granting the extension, NITDA considered the continued the renewed interest in compliance by companies and the aggregated request of DPCOs.
The recent fine on ESL reiterates NITDA’s powers to impose sanctions and the relevant fines under the NDPR, which could be up to 2% of the defaulting organisation’s gross revenue for the preceding year along with other civil or criminal action against the organisation. Therefore, as NITDA begins strict enforcement of the provisions of the NDPR, it is important that organisations that are yet to comply take advantage of this extension window and engage suitable DPCOs to support them in complying with the provisions of the NDPR, to avoid potential penalty/sanctions for breach or non-compliance with the provisions of the NDPR. Additionally, organisations that have complied with the audit and filing obligations should ensure that they constantly review their compliance status to avoid any inadvertent breach of their obligations.