Date: 2021-03-22

Mr. Tunde Balogun is the Chief Executive Officer of DSPL, one of the recently licensed Data Protection Compliance Organisations (DPCOs) in Nigeria and the Convener of the Association of Licensed Data Protection Compliance Organisations of Nigeria (ALDAPCON). In this interview with SAMSON AKINTARO, he speaks on the capacity of the country in data protection, among other issues.

The Nigeria Data Protection Regulation (NDPR) came into force in 2019, and that has led to the emergence of new companies like yours playing in that field. What’s your view of data protection in Nigeria?

Data protection is data protection everywhere in the world. Yes, a lot of us always say because GDPR came into existence and is the most holistic and robust data protection regulation in the world because it takes the interest of all the member countries, GDPR tends to be the gold standard. So, most other data protection regulations in other countries in the world tend to toe the path of GDPR. But it doesn’t mean that it’s copied, data protection is data protection anywhere in the world.

So, NDPR is a very good data protection regulation. The Piper, which is a non-governmental organisation that ranks data protection regulation of each country all over the world, gives them colour: Green is for strong regulation; Amber is for moderate, and I think Red is for weak regulation. NDPR was awarded Amber, which is moderate.

There are some advanced countries in the world that their regulation was marked Red; countries that are more advanced than us. So, if you want to look at it, NDPR in terms of comparison to other countries’ regulation is decent.

In terms of the structure of the implementation, it is unique in the world. It is unique in the sense that it creates that layer of licensed firms to help organisations for implementation. There is nowhere in the world where that is done.

That uniqueness is a masterstroke, very ingenious by the immediate past Director-General of NITDA, Dr. Isa Pantami. Though I don’t like to personalise things, I would like to mention this, that the current Honourable Minister for Communications and Digital Economy and his team that came up with that demonstrated ingenuity.

That uniqueness, I can tell you as the convener of the Association of Licensed Data Protection Compliance Organisations of Nigeria, is not anywhere in the world. All other African countries are looking at our model. So, that makes NDPR unique. In terms of the content, it is moderate, but in terms of the structure and how to implement it, that makes it quite unique in the world, which is very ingenious.

Do you see data protection becoming a big industry in Nigeria?

Data protection is the foundation of digital economy. I could remember in the 90s when I used to come to Nigeria, and I used to talk about cloud and a lot of people used to think I was a mad man. And I used to tell them don’t worry, it is inevitable. It is not going to be an option; I told them everybody is going to move to cloud.

So it’s the same thing with data protection, it’s inevitable. Digital economy, especially in a country like this where you have high level of poverty and high level of illiteracy, disruptive technology is the only way out and that hinges on digital technologies, and digital technologies sit on data protection.

Data protection is the foundation in the real sense that if data protection in any jurisdiction is not well implemented and taken seriously, any digital project you put on it will collapse.

So, now going back to your question, time will tell, but the signs that I see are good. There are a few peculiarities as you know it in our country and I think those peculiarities are down to lack of capacity.

Data protection all over the world is new; more new in Nigeria and I can tell you that we’ve got only a few people that have got professional certification, but they haven’t got the hands-on experience yet. So, they haven’t got the practical experience, they’ve gone for the certification exam as a data protection officer. But apart from that, the capacity in Nigeria is very, very light.

So, because of that you can see some of the people in the industry, because they don’t have an in-depth understanding of what data protection is, they want to take it from the main focus, or they’re diluting it with something else.

But the future is good. The most important thing is for all stakeholders in the data protection ecosystem in Nigeria not to make it elitist.

That’s my fear. The contents of the regulation and the data protection bill are alright; they all hinge on the United Nations Declaration on Human Rights and on article 17 and 15, which Nigeria is a signatory to. So the contents are right, but it’s always down to implementation, operationalisation, which I fear that it might become elitist.

You see, one of the reasons why that fear is there is because of the uniqueness again of the framework of data protection in Nigeria that you have these licensed DPCOs and the three categories of firms that the current regulator, which is NITDA, has licensed are: either you are an ICT firm with experience in cybersecurity data protection, or you are a law firm, or you are an auditing firm.

That is fair enough because the principle of data protection, in my opinion, is the legal component, which probably I would like to say accounts for about 30 per cent. The remaining 70 per cent is technology, the remediation that fixes technology.

So, among the 72 licensed firms by the regulator, you have some that are law firms, you have some that are ICT firms, and you have some that are auditors.

So, the reason I’m saying it shouldn’t be elitist is, if you look at those professionals in the ecosystem in Nigeria, you have the ICT firms, which are aggressively progressive, then you have lawyers also coming to play technology and their profession is conservative.

As the convener of the association of DPCOs, I have an overall picture of what each and everyone is doing and also with our constant engagements with the regulator, you can see the operationalisation playing out among those skill sets.

Even with the recent data protection draft bill, which we were part of the review committee, when we shared among our members to review, in the comments by the law firms you could see that they were looking at it from the conservative point of view, not from technology. But that’s the beauty of it, because as I said the focal point of data protection is the citizen, which is called the data subject. That’s the person you want to protect.

So what we tell people in DSPL, especially to novice about data protection, is that the quick way to get your head around data protection is that your organisation pays us, but we are not looking after your interest. We are looking after the interests of your customers, your data subjects.

So, we are making sure you’re the one paying us for the services but it’s your customers that we want to make sure you do not abuse. And if you abuse your customer, we will report you to the regulator, even though you’re the ones paying for the service.

That’s how data protection works all over the world. I remember what happened during one of our seminars at the International Association of Privacy Professionals, which is the biggest association of privacy professionals in the world. I’ve been a member for about nine, seven years.

At the seminar which held about four or five years ago, the data protection officer for Facebook, Stephen Bowman, was saying that Mark Zuckerberg is his boss who pays his salary, but he said his loyalty is to Facebook users, not to Mark Zuckerberg. To make sure that Mark Zuckerberg is not abusing the rights of Facebook, even though it’s Zuckerberg that is paying his salary. So that’s what I tell companies that yes, you’re paying us but the loyalty is to your customers.

As a DPCO, you must have noticed how organisations in Nigeria are complying with the NDPR, what is your assessment of the level of compliance?

Thank you very much for that question. I remember having this discussion with some of the stakeholders on the government side when we were not invited to a stakeholders meeting. When I said “we” I mean the association, and I told them, we are the experts, we are the practitioners for data protection in Nigeria.

NITDA, which is the regulator, doesn’t have access to personal information of the organisations, we are the ones that are going round because of our licence. We are the ones that can go to any company, and that company would allow us to access their database. So, if we call ourselves experts, I don’t think we’re wrong. And what I told the stakeholders is the question you are asking me now.

And that is the fact that in Nigeria, if anybody wants to ask about how are our organisations handling personal data, the only group of people that can answer that question rightly are the DPCOs, not the government, not NITDA, not NIMC nor the Minister of Communications and Digital Economy.

So, thank you for that question. It shows that you understand the structure of our data protection system in Nigeria.

Yes, our observation is that most organisations, both public and private, tend to use foreign firms for their processing. And that’s expected because of lack of capacity in the country. Most organisations host their data in foreign countries, especially in Europe. So that is one of our big observations.

Most of them host in European countries, which NDPR allows. One of the strong points of NDPR is that we have the adequacy list where it lists countries in the world that if Nigerian organisations are hosting their data there, then that means they are compliant with data protection law because those countries have strong regulatory framework.

So, to answer your question, the observation is that data localisation is very thin, most government and private sector use foreign firms. So, the good thing about it is that, as I said, most of them tend to be in America and Europe, and because of that, most of the data centres and data processors tend to have good compliance with information security system.

So that’s the good thing. But now, if we could turbocharge into the future of data protection, where one of the things that government is trying to do is data localisation, the story may be different.

Even though data localisation was intended to go into the NDPR, I think it was removed when they looked at the infrastructure in the country. I think they tried to put it again into the Data Protection Bill 2020 but it was also pulled out because of the reality of what we have in the country, especially with the situation of power, and data centres consume huge amounts of power. So power is a big problem in this country.

Is the government itself hosting data locally?

Definitely not; however, the national identity database is being hosted locally as NIMC has a massive data centre, and that makes sense because of national security.

Things like the data from the National Population Commission are also domiciled in the country. But I can tell you that international passport from the Nigerian Immigration Service, drivers licence and many others like that are not being hosted in Nigeria.

So, how can government enforce localisation when its data are also being hosted outside the country?

Well, that’s why it’s not been mentioned in any of the statutory documents, but it’s just something that is being pandered round in the industry, and which would be a good thing to do.

But as infrastructure gets better, broadband is getting better we can all see, the next thing is power. As soon as power becomes stable, then data localisation should be included in the industry’s statutory documents.

Earlier, you talked about limited data protection expertise in Nigeria, how do we address that challenge as a country?

One of the goals of our association, and also that of other stakeholders as well, is to have a data protection institute. So, that institute will develop curriculum because when the Federal Government was thinking of implementing NDPR, I’m not too sure the consultancy firm they contracted to look at the prospects of data protection.

But so far, within the last one year, we’ve employed over 2000 people in the industry; we’ve created over 2000 new jobs.

And I think the projection is to create close to about half a million jobs in the industry.

So, how do we develop that capacity is two-pronged: Having an institute, developing our curriculum and creating certification programmes, so that people can come in, acquire knowledge about the discipline, and then go into the industry to provide their services.

Another thing is that our association would collaborate with higher institutions, maybe universities or polytechnics to see how they can start data protection as a course of study. It could be a postgraduate course because it is quite robust on its own and it’s a specialist area. So those are the strategies we are going to deploy in developing local capacity.

As a key stakeholder in the data protection industry, what is your view of the Data Protection Bill 2020 currently under review?

The DPCOs were not involved in the development of the bill; the only time we were brought in was to help review the bill. Mind you, it’s an executive bill, it’s going to go through the National Assembly, which means the content might change. I personally have been involved in data protection since 2003.

I came in from UK with a few of my colleagues even before GDPR and we managed to get the audience of the Senate Committee on ICT at that time. And we did a presentation to them on the need for Nigeria to have a data protection law in 2003.

And believe me those Senators were looking at us as if we were aliens. So, just to let you know how far people like us have been trying to push data protection in Nigeria. So, then we saw the 2018 Bill that was passed by the 8th Assembly.

Then we also saw another data protection draft bill that originated from NIMC, that the content was different from the one that the Presidency assented to, then we saw

