NDPC investigates 40 banks, others for customers’ data breaches

Raises licence fees to N2m
The Nigeria Data Protection Commission (NDPC) is investigating 40 banks, insurance companies, stockbrokers and other operators in the financial sector over customers’ data breaches.

National Commissioner and CEO, Dr Vincent Olatunji, disclosed this at a breakfast meeting with data protection compliance organisations (DPCOs) in Lagos. He said the commission would sanction erring financial sector operators if found guilty.

“We have beamed our searchlight on 40 players in the financial sector. We have written to them to explain why they have not been complying with data regulations and we may sanction them if they are found guilty,” Olatunji said.

The NDPC boss said erring companies had been given 21 days to answer why they should not be sanctioned.

Further, Olatunji disclosed that NDPC has increased the licence fee for DPCOs to N2 million from N50,000 to ensure that only serious organisations can apply for the licence from now on.

DPCOs are companies licensed as data protection professionals to guide organizations handling Nigerians’ data, otherwise referred to as data processors and controllers, to comply with the Nigeria Data Protection Act (NDPA).

According to the Commission, there are over 500,000 data controllers and processors in Nigeria.

The NDPC Commissioner further disclosed that many of the DPCOs that acquired the licence at N50,000 have not been functioning as they should, hence there has been low registration of data controllers.

He said this led to the revocation of 19 licences last year, noting that more licences may still be revoked this year as the Commission is continually evaluating the performance of the licensees. According to him, there are currently 291 licensed DPCOs.

“Last year, we revoked 19 licences and we may revoke more this year as we evaluate their performance.

“With the increment in licence fee, what we are saying is that if you don’t have any business coming to register as a DPCO, you don’t have to come because you are paying just N50,000.

“Increasing the licence fee to N2 million is a way of screening those who are willing to do business in this sector. It means that those who will apply for the licence are ready for business,” Olatunji said.

Noting that the level of compliance with the data protection law in Nigeria is still low, the NDPC boss said there has been an improvement. According to him, in the first year, only 622 audit reports were received from data controllers.

“Now, we are doing over 3,000, which is commendable, but the number of data controllers that we are expecting to register should not be less than 100,000 and that is even about 20 per cent compliance because we have over 500,000 data controllers in Nigeria.

“So, the level of compliance is still very low, we need to bring more controllers on board. Our mission is to build a culture of data protection compliance in Nigeria, where we do not have to run after you before you comply,” he said.

Also speaking during the meeting, the President of the Institute of Information Management (IIM), Dr Oyedokun Oyewole, said that the data protection industry is still emerging.

The IIM was recently licensed by the NDPC to conduct examinations and certify data protection professionals in Nigeria.

He said part of the challenges faced by DPCOs had to do with a lack of adequate awareness, adding that a good number of stakeholders in the ecosystem were yet to understand the importance of deepening data protection.

He added that the NDPC also needs to intensify efforts to create more awareness so that citizens can also understand the importance of data privacy in the increasingly digitised world.