VINCENT OLATUNJI is the national commissioner/chief executive officer of the newly created Nigeria Data Protection Bureau (NDPB). In this interview with Bashir Ibrahim Hassan, GM, Northern Operations of BusinessDay, Olatunji explains the constitutional mandate of the agency, shares his vision, objectives and how the Bureau under his leadership would create millions of jobs, generate revenue for government and advance the digital economy of Nigeria.
As the pioneer Chief Executive Officer of the Nigeria Data Protection Bureau (NDPB), please explain its mandate and what Nigerians should expect from this organisation.
We all know that this is the era of global digital economy and Nigeria is already working assiduously towards establishing the infrastructure to achieve a viable digital economy. In 2019, the Ministry of Communications was re-designated as Ministry of Communications and Digital Economy to reflect the global trend, which was recommended by the Honourable Minister, Professor Isa Ali Ibrahim Pantami.
The first thing he did was to craft a National Digital Economy Policy and Strategy for the country, to drive Nigeria towards achieving a National Digital Economy. Looking at Nigeria, with a population of over 200 million people, over 104 million Nigerians go on the Internet out of this population. They have one thing or the other to do on various social media platforms.
There is so much you can do online — banking transactions, even company registration, and international passport processing. And when doing this, you put every information that can be used to identify you — your name, date of birth, state of origin, religious background, sexual orientation and anything that can be used to identify you as a data.
When you put these out, we need to, as the global practice, ensure that we put in place, appropriate measures to ensure that the data you put there are safeguarded, adequately protected and regulated by a Data Controller or a Data Processor, to ensure that your rights and freedom is not infringed on because there are some basic rights you’re entitled to when sharing your data.
We want to ensure that for all 200 million Nigerians, whenever their data are being processed or being used, that these data are adequately safeguarded and protected
One of them is on how your data are being collected and for what purpose. How legal is collecting the data and how transparent is the process? The purpose of collecting your data needs to be clear.
How and where are the data being stored? How secured are the data? Also, what are the data being used for? Will they be shared with a third party? In case the person is no longer interested in sharing the data, can the person move them to another service provider? Answers to all these questions are your rights.
To ensure that nobody can steal the data and use them for another purpose or use them to profile you for marketing, or other issues; these are the things we have set out to do. We want to ensure that for all 200 million Nigerians, whenever their data are being processed or being used, that these data are adequately safeguarded and protected. We are putting in place all necessary regulatory measures to guide the way data are being processed and used. That is our constitutional mandate.
For the ordinary Nigerians, what type of data will the Bureau protect, and how?
Now, if you want to get your driver’s licence, there are some basic data they ask of you — your name, sex, address, even your online presence such as email address. All these things are your personal data through which one can identify you, and people can also use against you. So, these are the things we want to protect — your name, your identity, either in the cyber space or physical space.
What if, for instance, you send an email about a product and then get a Facebook link talking about that product, what do you say about this? How do you protect us from this?
For any company that you are providing your data to, they must have a Data Privacy Policy, which must be clear, simple, straightforward, and easily understandable. It should be clearly stated what the data will be used for.
The problem is that most people don’t read these privacy policies — some are too long and ambiguous. So we keep telling them that it must be straightforward and straight to the point; the purpose of collecting the data, how long it would be stored, security measures put in place, whether or not the data will be shared with a third party. All these provisions will be there.
And this is why Data audit now matters, because, any organisation that is processing data, if less than 1,000, is supposed to have an annual data audit report.
We can ask for it at anytime, just in case there is any breach. If the data you’re processing is over 2,000, you’re supposed to employ a Data Processor or Controller to assist you.
The Data processor will go through about 63 parameters to ensure compliance to privacy policy. The Data Processor will ensure that all organisational and technical measures have been put in place to protect data that is being collected. They will file audit report with us every year. In fact, the provision on the NDPR is that, on the 15th of March every year, you’ll file your data audit report for the previous year.
Is there any penalty?
Yes, there are penalties. We are looking at it from two perspectives; we are not really after sanctions until there is a serious need for it. It’s still new in Nigeria, so what we are trying to do is to encourage people, and create awareness. To let compliance become a culture such that organisations comply naturally. And that will now take you to data compliance audit by default and by design. By the time you are designing your system, you already built in data protection provisions, it becomes part of your culture. All you need to do is to file with us.
Now that this Bureau has journeyed from being a department to an independent agency, how will it impact on the economy of the nation, and when will we begin to feel that?
In so many ways. For instance, I mentioned the issue of job creation. We know that unemployment is a major issue in Nigeria and within three years, under NITDA, we were able to create 8,000 jobs.
You can now imagine what will happen when you have a Bureau mainly in charge of that. Our target in the next three years is to have about 350,000 certified Data Protection Officers (DPOs). We have about 3.1 million companies registered with CAC.
We have almost 800 MDAs, and we have so many multinationals in Nigeria. The start-up ecosystem is about 27.1 million, and all these organisations process data in one way or the other, though some may not be up to 1,000, but, a lot of them process more than 2,000.
By so doing, they are supposed to file audit report with us. Now, imagine if each of these organisations employs one DPO, let’s assume that 1 million of the 3.1 million registered companies, in addition to other multinationals, employ one DPO; that’s one million jobs.
Now, Imagine that one million organisations file their audit report, and pay an amount when they do, even if it’s N20,000 for instance, that can amount to N20 billion generated to the purse of government.
This is apart from the cost of licensing, and certification, because, we will have a data Certification authority, to certify DPOs. It will create jobs, it will generate revenue, it will also assist in the ease of doing business.
Read also: Senate Committee to engage Datasixth on capacity building for cybersecurity
What major challenges do you foresee and how do you plan to deal with them?
The challenges we envisage are what an average new organisation, either in the public or private sector will experience. For instance, we are still operating from NITDA. We appreciate the Minister and the DG of NITDA, who have made provisions for us to have a proper office of our own . Hopefully, by the end of the month, we are going to have an office of our own, where we will settle in.
Then, there is the issue of staffing. We need people that are qualified or knowledgeable in the subject matter. We need experts, because if you bring in political staff, you won’t be able to achieve anything.
We have not employed a single person, but have moved NDPR team from NITDA to the Bureau for now. So, a lot of pressure will come naturally. But, with my experience, and by the grace of God, we will be able to handle that.
Then, funding is key. For instance, we were created February this year, and budget has already been passed. So no budget for now. But we are relying on the goodwill of partners to get a lot of things done.
For example, what you’re doing for us now is a major boost to awareness creation. So we need a lot of partners within Nigeria and internationally to work with us and create awareness.
Between when we were created, and now, we have had two major training programmes free of charge by some multinationals, and some are already in the pipeline to build the capacity of our staff. We are relying on goodwill for now, in the area of funding, pending when we will be able to generate enough funding for our operations.
