The Nigeria Data Protection Commission (NDPC) has reported that a total of seven entities, comprising four banking institutions and three other companies, have collectively paid fines amounting to ₦400 million due to violations involving the mishandling of personal data of Nigerian citizens.
This information was disclosed by Vincent Olatunji, the National Commissioner and CEO of the NDPC, on Tuesday, June 11, 2024. The announcement was made during a press engagement in Abuja, which also served to mark the one-year anniversary of the enactment of the Nigeria Data Protection Commission Act, signed into law by President Bola Tinubu.
Olatunji highlighted that since the introduction of the Act in 2023, the commission has conducted over 1,000 investigations into data breaches, with four major inquiries spanning various sectors. These sectors include education, financial services, real estate, schools, insurance, and consulting firms.
A significant portion of these investigations, about 400 cases, pertained to digital lending companies. Olatunji elaborated on the commission’s authority under the law, stating, “We can impose fines on companies depending on the nature of the breach, its impact on the data subject, and the level of cooperation from the company involved. From these remediation fees, we have collected ₦400 million.”
Despite the NDPC having registered over 1,000 reports of data breaches since the Act’s implementation, the commission believes that the actual number of incidents could be substantially higher. This underreporting is attributed to the relatively low level of public awareness in Nigeria regarding data protection rights and the importance of reporting breaches. The NDPC continues to work on enhancing awareness to ensure better compliance and protection of individuals’ data privacy rights.
The Nigeria Data Protection Commission (NDPC) is actively working to enhance adherence to the Nigeria Data Protection Act 2023, striving to elevate compliance levels within both the private and public sectors. National Commissioner and CEO Vincent Olatunji called upon all relevant parties to commit to the protection of citizen data, aligning with international standards of data privacy and security.
Olatunji provided an update on the progress of compliance efforts, noting a marked improvement from the initial stages. “When we started, compliance within the private sector was approximately 49%, while the public sector lagged behind at 4%. However, as of now, we’ve seen the private sector compliance rise to over 55%, and the public sector has made significant strides, reaching 15%,” he reported.
The NDPC has also taken a firm stance on accountability, previously stating its intention to hold chief executives of government Ministries, Agencies, and Departments (MDAs) responsible for any data breaches that occur under their supervision.
In June 2023, the NDPC announced investigations into several high-profile entities, including Zenith Bank, Guaranty Trust Bank (GTB), Fidelity Bank, Leadway Insurance, Babcock University, and other companies, following allegations of data privacy violations.
Furthermore, in January 2024, the Commission disclosed that it was probing 17 high-priority cases of data breaches spanning a diverse range of sectors, including finance, technology, education, government, logistics, and gaming. These investigations underscore the NDPC’s commitment to enforcing the Nigeria Data Protection Act and ensuring that organizations across all sectors uphold the highest standards of data protection for Nigerian citizens.
