The just-appointed commissioner for Nigeria’s new data protection fee, Vincent Olatunji, tells TechCabal how he plans to finish data breaches within the nation.
Earlier this month, Nigeria’s president, Bola Tinubu, signed the Nigeria Data Protection Bill 2023 into legislation. The new legislation, which went into impact instantly, was proposed by the immediate-past authorities of Muhammadu Buhari, and supplies a authorized framework for the protection of non-public data and the follow of data protection in Nigeria. The legislation additionally creates a brand new nationwide physique for the enforcement of the provisions contained within the act.
The new physique—the Nigeria Data Protection Commission (NDPC)—can be headed by Vincent Olatunji. An authorized public-private partnership specialist (IP3 Specialist) and a PECB-certified data protection officer, Olatunji joined the National Information Technology Development Agency (NITDA) in 2002, rose to the place of director in 2014, and grew to become performing director-general in 2016. In February 2022, he was appointed the NDPB’s first nationwide commissioner, and he has been tasked with defending Nigerians and their data.
How the Nigeria Data Protection Commission was created
On a name with TechCabal, Olatunji mentioned that the instant former minister of the digital financial system, Isa Pantami, was answerable for the creation of the Nigeria Data Protection Commission (NDPC). The NDPC was initially a physique beneath the National Information Technology Development Agency (NITDA), however for Nigeria to be in keeping with the ECOWAS Act on Personal Data Protection [pdf], there wanted to be an impartial supervisory authority for data protection.
“We explained to the minister that it would be difficult to get results if we did not have a body specifically in charge of implementing data protection laws. He then sent a memo to the president, which was approved,” Olatunji mentioned. The creation of the legislation and fee can be in keeping with the correct to privateness enshrined in Section 37 of the Nigerian Constitution.
According to Olatunji, a part of the president’s approval mandates that the NDPC be funded by NITDA and the Nigerian Communications Commission (NCC) for 3 years. “After that period, the commission should be self-sustaining. We should be able to generate money to fund our activities and even create revenue for the government,” he mentioned.
The powers of the Nigeria Data Protection Commission
When requested how the fee would have the ability to implement fines in opposition to worldwide corporations, Olatunji referenced Nigeria’s massive market. “They know the market is here; they cannot afford not to obey our laws. We have already fined some financial institutions that did not comply with the laws, and they paid. Between the time we started and now, we have generated over ₦200 million for the government. However, we use a balanced approach so businesses can grow in Nigeria.”
In an interview with Arise TV, Olatunji mentioned that the fee has the ability to create rules for rising know-how and impose fines on corporations that have dedicated a breach of data protection. “Going to the legislature to amend our laws before we can regulate emerging technologies would be too cumbersome. That’s why we made our laws flexible. The law empowers the commission to issue regulations, which would be as powerful as the act itself,” he defined to TechCabal.
Data protection in Nigeria remains to be in a dire state. In the primary quarter of this 12 months, Nigeria was ranked because the thirty second most breached nation on the earth. This coincided with a 64% improve in breaches from the earlier quarter. When requested if the fee will examine breaches even with no public criticism, Olatunji mentioned, “That is one of the principal functions of the commission. We can independently conduct investigations in any sector that has to do with personal data protection. If there is a data breach anywhere, we have the power to investigate, and whatever decision we make is binding. However, companies have the right to appeal, and the Supreme Court has the final say.”
A corollary impact of the dire state of Nigeria’s data protection has been the unethical use of Nigerians private data by corporations. Last month, TechCabal wrote concerning the unethical debt assortment strategies employed by some mortgage apps. Although several mortgage apps have denied utilizing buyer data unethically, it’s one thing that is on Olatunji’s radar. “From my experience with Soko Loan, I know that a lot of Nigerians have been damaged psychologically by the messages they send out to people. We started investigating them [loan apps] under NITDA, and now that we are independent, it’s one of the things we will focus on.”
Olatunji added that due to the complexity of those mortgage functions, a multi-pronged method by totally different regulators, such because the central financial institution, the Economic and Financial Crimes Commission (EFCC) and NITDA, could be employed to create rules that would govern them.
The fee can license, accredit, and register our bodies to present data protection compliance companies. However, in accordance to Olatunji, as a result of the “expertise in data protection services in Nigeria is low”, the fee has had to make use of a public-private partnership mannequin. “For instance, we have over 500,000 data controllers and processors, and each of these organisations should have a data protection officer, but there are not up to 10,000 certified data protection officers in the country.”
To tackle this deficit, the fee began licensing data protection compliance organisations. “They are companies that have expertise in data privacy and protection, who can go to companies, talk to them, create awareness, and assist with data privacy and protection policies. As of last count, these organisations are now offering about 17 different services that we did not even think about when we started this process. One good thing that has come out of this is that over 9,000 jobs were created within three years. We started by experimenting with about 17 [organisations], and now there are 168 [organisations],” he mentioned. Olatunji additionally added that the fee repeatedly conducts “quality checks” on the organisations and that 18 of those organisations have since had their licences revoked.
Although there has been a clamour for data to be hosted domestically in Nigerian data centres (Nigeria has solely 11), Olatunji believes that a hybrid mannequin could be greatest suited to Nigeria’s data. “It is not realistic for you to say that all your data must be hosted locally, so what we have done is create standards for cross-border data transfer in the Act [Sections 41, 42, and 43].”
Criticisms of the Data Protection Act
One criticism of the act has been that “legitimate interest” was added as a authorized foundation for processing private data, however the act doesn’t clearly outline what “legitimate interest” means. Olatunji instructed TechCabal that “legitimate interest” was added to cater for a situation the place a data processor wants to course of data however doesn’t fall beneath the bases of consent, contractual obligation, authorized obligation, important curiosity, and public curiosity. He added that “legitimate interest” would solely suffice if it was not in battle with the opposite bases.
Another criticism of the National Data Protection Act is that it doesn’t specify the quantum of data processed by a data controller or data processor to qualify as a data controller or processor of main significance. Olatunji clarified that solely the fee can specify this and that the exemption is deliberate as a result of the requirement would consistently change as new developments occurred.
What does Olatunji need to obtain in workplace?
When requested what he would really like his legacy to be after his tenure, Olatunji instructed TechCabal that he wants to change how Nigerians take into consideration data. “I want us to get to a level whereby every Nigerian will know their rights in terms of how their personal data is collected, processed, shared, and stored. I also want to leave a legacy where data processors and controllers know their obligations in the area of accountability. I want a place where personal data protection is a culture.”
…. to be continued
Read the Original Article
Copyright for syndicated content material belongs to the linked Source : TechCabal – https://techcabal.com/2023/06/30/nigeria-data-protection-commissioner/