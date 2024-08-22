Oghenevwede Ohwovoriole in Abuja





The Nigeria Data Protection Commission (NDPC), has fined Fidelity Bank Plc N555.8 million, which was 0.1 percent of the financial institution’s annual gross earnings for the year 2023, for alleged breach of the nation’s data Act.

The National Commissioner of NDPC, Dr. Vincent Olatunji, disclosed this at the Nigeria Data Protection (NDP) Act General Application and Implementation Directive (GAID) validation workshop in Abuja, yesterday.

He recalled that President Bola Tinubu signed the NDP Act into law on June 12, 2023, which empowered the commission to enforce compliance on organisations for data protection by way of fine and other means.

According to Olatunji, they commenced an investigation into Fidelity Bank in April 2023, which was later concluded and found the bank culpable.

“The penalty is huge. If you don’t comply, penalties can range from N10 million, even up to two percent of the organisation’s annual gross income for the previous year.

“Most of the breaches we have treated, we look at the level of the breach, the impact, and the number of data subjects affected and the level of cooperation that is involved.

“Since we started, the only time we issued a major penalty was on Fidelity Bank, a fine of N555,800,000.

“We observed some breaches; we have been working with them (the bank) since April 2023 on the investigation and by the time we finalised, they became arrogant so we decided to issue a full penalty on them, which is about 0.1 percent of the gross earnings of the bank for 2023,” he said.

Olatunji, also noted that the agency was engaging stakeholders across board, collating their input which would form the final guide document.

“We want to ensure everyone is involved in what we are doing and by the time the document is out, we all see that we have been able to make our own input to what we are doing. It is just an extension of the law.

“We will look at the relevance of the input and use them to develop a standard document that can be of global standard,” he said.

He added that the agency was deploying a public- private partnership model to ensure compliance on data protection and that they had licenced about 194 professionals on data protection.

“The licenced data protection professionals go around organisations, to take them through compliance in terms of crafting their privacy policy, creating awareness within the organisations, letting them know their obligations under the law and carrying out data protection impact assessments.

“They train their staff, register with us and submit their annual report to the commission. With this, we will know the level of compliance.

“The successful implication of the NDP Act GAID required a collaborative effort between all relevant stakeholders, organisations, businesses and data protection professionals,” he said.

He called for constant dialogue and communication with the commission in implementing the NDP Act.

A collaborative effort, he stated, would foster a data ecosystem that respects privacy and protects personal data subjects.

In his presentation, the Head of Legal and Enforcement Department, NDPC, Babatunde Bamigboye, stated that the Act empowered the Commission to make guidelines that would make enforcement more flexible.

“The guide makes provisions and explains the privacy process and personal data of an individual,” he said.

He said how penalties are decided, “depends on the law recognising that if you are a data controller of major importance, you may pay two percent of your gross annual revenue of the preceding year. And it could be N10 million, whichever is higher.

“But thankfully, we understand the terrain, and the commission has not gone after anybody and asked them to pay as high as two percent. I think the highest we have done so far is 0.1 percent that we have ordered Fidelity Bank to pay for the violation of the Data Protection Act.

“We must be thankful to this administration for signing into law the most progressive legislation on data privacy and protection in the whole world. It’s a very democratic law and it empowers the commission to as well issue regulations to be able to intervene quickly as possible.”