Date: 2022-01-13

NDPR: NITDA certifies 1,213 firms for compliance

Author: Samson Akintaro

Nigeria’s ICT regulator, the National Information Technology Development Agency (NITDA), has certified a total of 1,213 companies for complying with the Nigeria Data Protection Regulation (NDPR). According to the agency, the compliant firms cut across 13 sectors of the economy, which include health, transport and logistics, public sector, industrial and extractive, ICT and media, energy and power, education, finance, commerce, and consulting.

The NDPR issued by NITDA is currently the only legal instrument for the protection of citizens’ data in Nigeria. The agency is also enforcing compliance through evaluation and certification of organisations handling data. Among the companies that have so far complied with the regulation are telecom operators such as MTN Nigeria, Airtel, 9mobile, and Globacom.

The list also includes financial institutions and fintechs, as well as electricity distribution companies such as Ikeja Electric and Eko distribution companies. According to NITDA, the list is an authoritative repository of organisations that have prioritised compliance with the NDPR and has become a reference point for global law firms, multinationals, investors, and compliance enthusiasts. The list indicates those organisations that have undergone the NDPR Audit process to ascertain their level of compliance and identify areas for improvement. “All the listed organizations have engaged a Data Protection Compliance Organisation (DPCO) to train their staff and to implement basic data protection protocols,” it explained.

As part of the enforcement of the regulation, NITDA had, in August last year, imposed a fine of N10 million on an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion. NITDA said the action was taken after receiving a series of complaints against the company for unauthorised disclosures, failure to protect customers’ personal data and defamation of character, and after carrying out the necessary due diligence as enshrined in the Nigeria Data Protection Regulation (NDPR).

Under the regulation, data subjects refer to individuals in Nigeria, as well as Nigerian citizens in and outside of the country, who “can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Where such personal information is collected in a manner that is contrary to the NDPR, the NDPR provides that the person who collects the data (the data controller) may be liable for either or both civil and criminal penalties (if any criminal act is also committed). Civil penalties can range from a fine of N10 million to N20 million, or from one per cent to two per cent of an organisation’s annual gross revenue (whichever is the greater amount).

The regulation, which is binding on all entities handling Nigerians’ data, “provides that personal data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the data subject.” Article of the regulation mandates the data controller to expressly inform the Data Subject of the purpose(s) of the processing for which the Personal Data is intended, as well as the legal basis for the processing.

Data controllers are also expected to collect the minimum required data and avoid unnecessary surplusage. Data that is not useful for the Controller ought not to be collected. No data shall be obtained unless the specific purpose of collection is made known to the data subject. This principle also relates to the principle on the purpose of the collection.

 

