By John Osadolor, Onyinye Nwachukwu, and Ladi Patrick-Okwoli
In June 2023, the Nigeria Data Protection Bill was signed into law by President Bola Tinubu, after it was proposed by his immediate predecessor, Muhammadu Buhari. The law provided the much-needed legal structure to protect citizens’ personal information and the entire data processing process in Nigeria. The law also created the Nigeria Data Protection Commission (NDPC), headed by Vincent Olatunji, the pioneering national commissioner and CEO. A certified public-private partnership specialist and Professional Evaluation and Certification Board (PECB)-certified data protection officer, Olatunji has demonstrated the ability to deliver impactful results, build strong relationships across sectors, and achieve tangible outcomes. So far in his extensive career in the public sector, he has led teams, conducted extensive research, developed policies, and implemented strategic initiatives in government. Olatunji, who excels in driving human growth and process transformation, assures Nigerians of the Commission’s commitment to end data breaches in the country. In this interview with BusinessDay, he spoke to John Osadolor, Onyinye Nwachukwu, and Ladi Patrick-Okwoli about how data protection can drive global competitiveness and ease of doing business for Nigeria.
Read also: Vincent Olatunji joins Forbes Technology Council 2023
In the first quarter of last year, a study by a cyber-security firm, Surfshark, ranked Nigeria as the 32nd most breached country globally. In light of this, talk to us about what you do, the impact on the economy, security, and efforts to reverse this trend.
As you already know, everything is now being digitised. There is hardly anything you can do without going online, and by doing so, we are leaving behind digital footprints that include our names, phone numbers, email addresses, bank account details, home addresses, biometrics, and even our health records, which are our personal and private sensitive information that can be used against us at a crime scene. By the way, those who collect data and process it are known as data processors, while those who determine how this data is used are known as data controllers. Now, global attention is increasingly focusing on the need to protect such information by putting in place adequate measures to secure our information and/or process it within the provisions of the law. In Nigeria, we have the Nigeria Data Protection Act, signed by President Bola Tinubu on June 12, 2023. This law is mainly to ensure that the rights and interests of data subjects who are Nigerians—we are talking about over two hundred million of us, wherever they are—are protected whenever they share their data online or with data controllers. With the law, Nigerians now know that they have rights as data subjects. They have the right to know why their data is being collected and for what purposes; they have the right to ask that their data be erased if they are no longer doing business with you; and they have the right to portability, which is very common in Nigeria. For instance, a data subject can move his or her data to another organisation if he does not feel protected. This is what most data subjects did not know before, but with the law, awareness, and education, they now know that they have such rights. Nigerians have the right to know how their data is processed and for what purposes. That’s at the centre of our job at the Data Protection Commission.
How is this beneficial to data subjects?
It is beneficial to Nigerians in so many ways. First, individuals who are data subjects have the right to receive notifications; they have the right to say no if an organisation wants to collect their data. They now know about their rights—what works, what doesn’t, and their expectations. Like I mentioned earlier, they can demand to know why their data is being collected and for what purpose. They have the right to notification, which is very common in Nigeria. They also have the right to portability; that is, they have the right to move their data from one data organisation to another whenever they feel it’s necessary. For us as a country, it is very beneficial to the economy because most foreign investors will not invest in a country that does not have an independent data protection law. Investors want to have an authority where they can run whenever there is a breach in their personal data; they fear that there’s no law to protect them when there’s a problem. They want to have such trust and confidence, and that is for businesses.
For the government, it has to do with the reputation and image of the country. For any country that does not have a data privacy law, foreign investors and other countries will not want to do business with you or have a bilateral relationship with you. As we speak, we have what is called the Global Privacy Assembly, where all countries, numbering about 130, that have data production laws meet on a regular basis as an association. At those meetings, we regularly review progress and chat about the way forward for member countries. So apart from protecting the interests of data subjects, it also promotes the reputation and image of the country. It also makes a country respected all over the globe as it enhances digital and global competitiveness. This means that any country that has a data production law is safer to do business with than one that doesn’t have such a law. We talk of cross-data transfer, whereby, for instance, you sit in your room and buy goods or products from Amazon and other online marketplaces from any part of the world. As you do this, you are entering your data on their site; you don’t know where it is going or what kind of adequate protection measures they have to protect the personal information you are divulging. All these are concerns that one should consider before leaving his or her digital footprint online because it could lead to a breach of data privacy. And that is where the law and institutions like the Nigeria Data Protection Commission come in.
In terms of financial laws, some people discover that money disappears from their accounts. It’s also applicable in health; for instance, if someone goes to the hospital and is diagnosed with HIV due to wrong data or someone shares information about the HIV status of an individual and it goes viral and the image and reputation of the person are damaged, this can lead to death. Someone can even be given the wrong prescription or medication due to wrong data or information. Such a person can write to us to seek redress. So, we are here to ensure that all these things do not happen. We are here to protect the interests of data subjects and to enhance our global competitiveness. These are the things we do as a commission.
In Nigeria, there are several organisations involved in data collection. What kind of relationship do you have with them?
All organisations that collect data, like the Federal Road Safety Corps (FRSC), the Immigration Service, the National Identity Management Commission (NIMC), telecommunications companies, and even banks, are all data controllers. The Nigeria Data Protection Commission determines the way and manner in which your data is managed by these organisations. What the law says is for them to put in place adequate measures to guide and protect their database. They must ensure that their databases are protected. What we do is coordinate all of them and ensure that they comply with the law by involving their data subjects whenever necessary. We ensure that they keep such data in a safe place, and they should inform data subjects whenever they are sharing their data with a third party, so that when there is a breach, we can come after them.
The law also mandates them to inform data subjects before collecting their information and to preserve it. The good thing now is that there is what is called the Data Harmonisation Committee, which is working to ensure that the government brings all these databases together under one single information system, like the Social Security Number in the USA or the National Identification Number in the UK. It was important for the government to set up that committee and bring together all data collection agencies into a central unit or a single point of information, which is what the National Identification Number (NIN) is supposed to serve. What this means is that when you have your NIN, all these other means of identification are just irrelevant. NIN is unique; it identifies a person as a Nigerian and stores a lot of information. Therefore, for most of these other agencies involved in data capture, all they will need is your NIN to access your information, depending on the level of authorization for what they need such information for. For instance, when somebody wants to get a driver’s licence, the person’s blood group is saved in a database. In case there’s an accident and blood transfusion is required in an emergency situation, authorities should be able to get that information from his or her driver’s licence.
Read also: Meet Vincent Olatunji: Nigeria’s ‘Data Security Officer (DSO)’
But in a situation where a data controller does not need such information, they don’t need to collect it. That is why I said that the level of authorization determines the access a data controller can have on the information of a data subject; if it’s just to know your home address, they should limit it to your name and home address. By the time the data harmonisation is completed, we will no longer need multiple means of identification like they are today, and we will achieve a central unit of information for all Nigerians. Agencies like FRSC or banks that need information about any citizen will have to write for authorization to access such information, depending on what the information is intended for.
You have spoken about the relationship with data controllers; how does NDPC monitor them to ensure there is no breach?
What the law says is that they should register with the commission and ensure that they file their compliance report on an annual basis. They must write and tell us that they have complied in clear terms. We then issue confirmation that we have received their annual report in terms of the parameters. This means that when data controllers send in their annual report, the commission must respond by checking the parameters they have covered in terms of compliance. We have about 67 parameters; we also check who heads the Data Protection Office in the unit, and we look at your documentation. What kind of documents do they have in place to guide their data subjects? These are things they submit to us on an annual basis that enable us to monitor them. If there is any digital breach, Nigerians can report it to us, and we will follow up, investigate, and if they are found guilty, the law will take its course.
Who reports to you in case of any breach—the individual or the data controller?
What the law says is that if there is any breach within the database of an organisation, a data controller or processor must report to us within 72 hours. The data subject, too, can report to us if they want to press charges against the data controller. The onus is on the data controller to report to the commission within 72 hours. A data subject who feels his or her rights have been breached as a result of data misrepresentation should write to the commission, and they will get justice.
How can a data subject know when his or her data rights have been breached?
You will simply know about the breach if it has any effect on you. For instance, if you wake up one morning and discover that 5 million Naira have disappeared from your account without any authorization from you, you will be bothered because that is a huge sum of money and your right has been breached. If you went to the hospital and were given the wrong result, or if some of those online lending shacks will give you money and, when you default, they will start circulating your information, report it to us as a commission. Again, when there is misplaced data, for example, when they put male instead of female, in a situation like this, the data subject can write the commission, and we will ensure that you are adequately compensated.
Can you explain the relationship between data privacy, protection, and insecurity?
Security is key to everything that we do as a commission. For instance, if you go to a business centre to make a photocopy of your national ID card and discover that it is not clear and ask for another copy without asking them to destroy the previous one, and another person finds it and uses it to register a SIM card for the purpose of committing crime, and eventually he or she is caught with a means of identification carrying your information, you will be arrested and jailed for a crime you didn’t commit. That is why we tell individuals to also protect their personal data. Nigerians should always ensure that their data is secured. To answer your question, the link between privacy and security is that any data that is secured cannot be used for crime without being traced. To some extent, security agencies are beginning to use registered SIM cards to trace the owners of phone numbers that are used to commit crimes. Some people are also being arrested using their BVN. The security agencies are able to trace where calls emanate from through available data; therefore, we all must protect our data.
How is the Commission partnering with law enforcement agencies to deliver on its mandate?
We are partnering with all the law enforcement agencies. We have trained police, the Nigerian Army, the DSS, and others. What we are trying to do is bring them on board. After the training, we developed guidelines and compliance booklets that are specific to them. We have 67 parastatals, and we have different guidelines for each of them.
We are also working with regulators like the Nigerian Communication Commission (NCC), the Central Bank of Nigeria (CBN), and others to deepen data privacy in Nigeria.
The Nigeria Data Protection Commission is not a revenue-generating agency; how do you fund your operations?
Our main objective is not to make money but to protect Nigerian citizens from being maliciously used in terms of their data. That said, the challenge for data protection authorities all over the world is funding. We have the law and a commission, yet allocating money is a problem unless and until we start complying with the law. That said, when you register with us as a data controller, you pay a token. When you file your annual report, you also pay something; that is how we generate funding—from the registration and filing of annual compliance reports, just like in the UK. This is so that we don’t put an undue burden on the government. In the UK, for instance, you must register with the DICO office, which is the same as the commission here. There, a company pays between 40 and 60 pounds, while multinationals pay 2,900 pounds. Funny enough, if you fail to comply, it will attract the sum of 4,000 pounds. The UK government makes like 40 million pounds every year from the registration of data controllers alone, and 95 percent of their operations come from that money. That is a country of about 67 million people, and Nigeria has over 200 million people. You can do the Math to see how much Nigeria can generate from the data protection law annually. We are saying they should just pay a token, and we will ensure that they are protected. That is all we are asking for. They should comply with the law by paying a token while we ensure that they do their business in an atmosphere that is protected. It’s a win-win for the commission, data controllers, and data subjects.
Bear in mind that there are four stakeholders in the whole process: data subjects, data processors, data controllers, and the regulator. So all of us are going to win. There are so many opportunities in data protection. For instance, if each of the licensed DPOs attends to say 5–10 people, those are jobs being created. Also, what the law says is that each data controller must designate a data protection officer, yet we don’t have enough of them in the country. We have less than 10,000 qualified data processors in Nigeria, which is why human capacity building is top on our agenda to create jobs and also protect citizens. Currently, we have just about 165 licensed firms for data protection in Nigeria. Anyone who’s interested can go to our portal and check out our requirements; everything is done online. You pay online and obtain your certificate if you qualify; there is no human interference.
Recently, the Commission issued a code of conduct to licensed firms in Nigeria. What is it about, and what are the penalties for non-compliance?
We actually started with 17 licensed companies as data protection organisations while we were with NITDA (National Information Technology Development Agency). We increased to 27, then 40, 70, 103, and then 160, out of which we revoked about 19 licences due to noncompliance with laid-down rules. The quality of work that they do and the quality of the report that they send to us, among other issues, were the reasons we revoked those 19 licences in the first year. Yes, there are penalties for non-compliance. According to the law, the penalties range from N10 million minimum to 2 percent of your gross income. If the company made $100 billion last year, the penalty can be as high as $2 billion depending on the number of breaches, the number of digital subjects affected, the sensitivity of such data, and the impact on data subjects. For instance, if the breach leads to death, the CEO can even go to jail for about three months, and it may be up to two years if it is a verifiable offence like negligence, unless he or she can prove otherwise that he was not aware of the violation. So far, we have investigated about 17 organisations, and some have paid the fine. We have made over N400 million in revenue from penalising cases of data breaches in less than two years. We have issued penalties to some organisations, but we are mindful because it can also affect their business. Keeping in mind the ease of doing business is an important initiative of the federal government to create a very comfortable environment for businesses to thrive.
The commission received over 3000 complaints and has fined persons and institutions found to have defaulted on data protection.
Nigeria has a deficit of over 500,000 data protection officers. What is the commission doing to bridge the gap?
Data Production is very new in Nigeria; we actually started effectively as a bureau in 2022 and as a commission last year in June 2023, when President Bola Tinubu signed the Data Production Act, so we are relatively new and have a low level of awesomeness. But we are creating a lot of awareness through interviews like this, and we also engage in sectoral training and capacity building for ministries and agencies. We are well aware of the deficit of manpower in these areas, and in an area like data protection, we need a minimum of 500,000 data protection officers. The certified ones in the country are not more than 10,000, hence the dire need for experts in the area to bridge the skills gap. The commission is doing everything possible to boost the figure through training and certification. The commission is working on an initiative that would enable private instructors, universities, and polytechnics to train data protection officers.
What does it take to become a data protection officer?
There are two ways to become a data protection officer in Nigeria. Either you possess a bachelor’s degree in a related field such as information technology, computer science, cybersecurity, or data protection, or you are trained in the required skills. You can gain experience in the field of data protection by working with organisations involved in data compliance or privacy roles, such as data analysts, IT auditors, or security analysts. Practical experience is crucial for understanding the complexities of data protection. Remember, being a DPO requires both technical expertise and good communication skills because you will be responsible for ensuring compliance with data protection regulations and communicating privacy policies to stakeholders. We are trying to have a national certification in Nigeria. We want to produce a poll of globally certified data protection officers who will be able to compete with their counterparts abroad.
Artificial intelligence is fast becoming the in-thing now. How has your commission positioned itself to embrace it?
The commission has the power to create regulations for emerging technology and impose fines on companies that have committed a breach of data protection. Artificial intelligence (AI) is just one of those emerging technologies that are always ahead, but one good thing about our law, like I said, is that it’s the most progressive law in the whole world. It has provisions for us to make regulations on or against emerging technologies, unlike laws that were made about ten or twenty years ago and did not envisage things like AI. We have also incorporated data privacy by design and by default.
What’s your focus as the federal commissioner of the NDPC, and where do you see the Commission in the near future?
My focus is to have a Nigeria where data protection or privacy is a culture and a data protection environment that enhances job creation in line with the president’s vision of creating two million jobs in the digital economy.
