The National Information Technology Development Agency (NITDA) has fined a fintech company, Electronic Settlement Limited, the sum of N5 million ($13,123) for a data protection breach.
NITDA is a public service institution established by the NITDA Act 2007 as the ICT policy implementing arm of the Federal Ministry of Communication of the Federal Republic of Nigeria. It has sole responsibility for developing programs that cater for the running of ICT-related activities in the country.
NITDA is also statutorily mandated to develop regulations for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions as an alternative to paper-based methods in government, commerce, education, the private and public sectors, labour and other fields, where the use of electronic communication may improve the exchange of data and information.
In a statement released by the institution, NITDA said it carried out an investigation into the personal data breach by Electronic Settlement Limited, measured against the Nigeria Data Protection Regulation (NDPR) issued in 2019.
The objectives of this Regulation are as follows:
- to safeguard the rights of natural persons to data privacy;
- to foster safe conduct for transactions involving the exchange of Personal Data;
- to prevent manipulation of Personal Data; and
- to ensure that Nigerian businesses remain competitive in international trade through the safeguards afforded by a just and equitable legal regulatory framework on data protection that is in tune with best practice.
Electronic Settlement Limited is a fintech company behind products like Paypad, a mobile Point of Sale (mPoS) service, and CashEnvoy, a web payment gateway.
The investigative process involved an analysis of the company’s applications and websites; a visit to the company’s office in Lagos; a review of its technical documents as submitted to the Agency; and interrogation of its officials by the NITDA investigation team in Abuja.
At the end of the process, the Agency established that there was a data breach involving the company.
In compliance with the Nigeria Data Protection Regulation (NDPR) and the need to prevent a repeat of this unfortunate breach, NITDA has directed as follows:
- Electronic Settlement Limited shall be under six-month information technology oversight by NITDA. The oversight shall cover the implementation of prescribed security controls and processes.
- That a clear data security and governance document is drawn up between Electronic Settlement Limited and all its information technology services vendors, identifying the roles, responsibilities and processes involved in securing and protecting personal data.
- That the company conduct regular NDPR training for all staff, and publish and implement appropriate policies as required by the NDPR.
- Submit the 2020/2021 regulatory audit as required by Article 4.1.6 of the NDPR, conducted by a Data Protection Compliance Organization (DPCO) licensed by NITDA.
- Conduct a Data Protection Impact Assessment on some data-intensive applications and products.
- Payment of the sum of Five Million Naira only (N5,000,000.00) as a fine, in line with the requirements of the NDPR.