Months ago, President Muhammadu Buhari approved the establishment of the Nigeria Data Protection Bureau (NDPB) and the appointment of Dr. Vincent Olatunji as the pioneer National Commissioner/Chief Executive Officer of the Bureau. The privacy watchdog has since set out to build a data-protected Nigeria under the lead of the Ministry of Communications and Digital Economy, its supervisory ministry headed by the Minister of Communications and Digital Economy, Prof Isa Ali Ibrahim Pantami. The NDPB is faced with regulating a nascent market grappling with awareness challenges and struggling to come to terms with a mix of regulatory and technology frameworks benchmarked on best global practice, which all economic actors in Nigeria are expected to imbibe as a new culture of compliance. In this interview with IT Edge News, Olatunji expresses conviction that the accelerated datafication of our society has increased the importance of having an institution that focuses on regulating data protection and privacy. He says Nigeria’s data economy offers new social and business opportunities and imposes certain obligations on all actors. He says it is the mandate of the NDPB to ensure that, in terms of data protection, everybody is safe and there is confidence in the entire data protection sector. The Bureau is fostering a “culture of compliance to issues of data privacy” across all sectors and among all stakeholders, the data protection ombudsman tells Olusegun Oruame, Christabel Ume and Lovebanks Omale Ruh’Allah.
The Bureau recently announced it was investigating two major data controllers, Wema Bank PLC and KC Gaming Networks (Bet Naija) over possible breaches. Should organisations fear or should they look up to the Bureau for advice or guidance?
I think it’s both. People feel or say at times that regulating the digital economy sector is not necessary. They see it from the perspective of creating unnecessary roadblocks to development. But everything is geared at achieving the National Digital Economy Policy and Strategy (NDEPS). What we have is developmental regulation. We are regulating to enhance development, to stimulate the ecosystem and make it yield to socioeconomic development and that is why even the issue of data protection regulation itself has helped to generate a lot of jobs, wealth, international recognition and even having its ecosystem recognised internationally in a way that has enhanced the reputation of the country.
We are not regulating to create unnecessary roadblocks or to stifle development in the sector. We regulate by both advisory and sanctions. But we are more focused not on sanction but advisory in the sense that we want to create a culture of compliance; that nobody is forcing you to comply, you see compliance as what you need to do. Our focus is regulation or compliance by design or by default. Right from the time you’re developing your database, how you want to manage it when you’re at the planning stage, you would have incorporated the idea of data privacy, data protection by number one: putting in place appropriate technological measures, in terms of the appropriate software; in terms of even the physical infrastructure that you have. Also, you put in place appropriate regulatory measures, that is, what are the available regulations within the country and outside the country that are in the area of guiding data protection or data privacy.
That’s why the idea of having a data protection officer (DPO) comes into being. He must be sound, he must be knowledgeable enough about the laws of data privacy and protection inside and outside the country to be able to guide the organisation, to advise the organisation on the area of awareness, capacity building, the measures put in place, and ensure that all these measures are in compliance with the provision of the law. So that is why we are saying, “comply by culture, by design, by default.” If that is the case, by the time you make your checks, do your data audit from time to time, and do your data protection impact assessment, you would have achieved a self-review of your entire system to ensure compliance with every segment of regulation.
More importantly, if you are a processor in charge of a huge volume of data, your DPO is very important to ensure you do these things from time to time, allowing you to know the areas of non-conformity, and ensuring you put in place measures that will move the organisation from non-conformity to conformity. Any data within your domain must conform to set guidelines whether concerning the issue of confidentiality, the issue of integrity of the data, the issue of availability. These are very fundamental. How you collect data, store data, the content of the data, how you process the data, how long you want to process or store the data, how you are protecting the data – all these are issues you need to address by law.
“Data protection regulation itself has helped to generate a lot of jobs, wealth, international recognition and even having its ecosystem recognised internationally in a way that has enhanced the reputation of the country.”
By introducing what we call Data Protection Compliance Organization (DPCOs), we brought an advisory innovation to bear on the industry. DPCOs offer compliance as a service. They help data controllers to move from non-conformity to conformity status. They go there to take you through 63 parameters that are divided into four that include governance and accountability, or if you so wish, accuracy, storage limitation, integrity and confidentiality (security) – all of these within the entire framework of ensuring conformity to the existing regulations.
The DPOs and DPCOs take you through all these parameters. Out of sixty-three you may not be able to score 100%; if you’re doing very well they score you great, if you’re in between they give you average, if it is really bad, they give you Red. They then help you to put in place measures to move you from Red to average; by the time they are coming back, they expect you to have put in place measures to ensure that you move from non-conformity to conformity. That’s the advisory nature that we are focused on here at the Bureau.
Organisations are under obligations to report data breaches?
Now, if there are breaches, they must be investigated. There are different types of breaches; some are unintentional, you are not aware of them; they might be through a staff or through a system upgrade, etc. These are unintentional breaches and what you need to do as a data processor is to commence immediate remediation and officially report to us at the Bureau within 8 to 72 hours. You must report to the Bureau within 72 hours. If you cannot give a full report you must write to inform us why you cannot give a full report within that time frame. In the absence of that we can come, and by the time we are coming, we are not coming with sanction. The first thing to do is to write to you; to make you aware that we have learnt that there was a breach on your database, what happened, when did the breach occur, the nature of the breach, etc. How many data subjects are affected by the breach, what is the cost or implication to the data subject, what is the cost to your own regulation, what remedial actions have you taken, have you done any audit filing, have you done a DPIA? These are questions that we will ask you. By the time you answer the questions, and the responses are satisfactory, then we just warn you to put in place this or that measure.
We are not really after sanctions or imposing fines, but when we find out that the breach is deeper than it is being portrayed, we go further to do a forensic audit. We audit your entire system, your database, and if you are found wanting, there are penalties stipulated and these are not peculiar to Nigeria alone as it is the same approach all over the world. The regulator’s role begins with advisory. There are structures in place to advise all stakeholders on applying the Data Protection Regulations (DPRs) and there are DPOs and DPCOs to take you through compliance. And should there be a breach, you are under obligations to report to us as we must also ask questions before it actually gets to the level of sanction. Imposing sanctions goes through a lot of processes.
The Nigeria Data Protection Regulation (NDPR), the country’s principal law for data privacy, came into effect in 2019 but your Bureau was only created this year, 2022. Part of the debate by some organisations including thousands of banks and other corporate entities is that there is still little or no awareness of the NDPR. What is the Bureau doing so everybody gets that awareness to ensure compliance?
Some people came by this afternoon and part of the argument was that we didn’t involve them when we licensed the DPCOs, and that the issue of data privacy is not for lawyers, it is for core tech people. My answer to them was that this is just an evolving sector; it’s an emerging sector in Nigeria. I’m not sure we have up to 25,000 people with core competency in data protection in Nigeria or who have their certification in data protection. But data processors, data controllers are more than 500,000 in Nigeria. We can see the huge gap. We still have a deficit of 475,000 professionals with capacity to manage the nascent industry. We recognised that the issue of awareness is really key and even while we were under NITDA, we started awareness and with the support of the DPCOs, we got some traction. For instance, when we did the initial audit filing report, we were able to receive only 630 audit filings and if we look at CAC-registered companies, there are about 3.1 million corporate entities. But things are gradually improving. The following year it increased to 1230 and it is on the rise. There are over 800 government ministries, departments and agencies (MDAs) and at least 500 of them are fully captured in the data protection registry, even if it’s their staff alone, their vendors, their customers and those who are in data processing. All of these groups are now aware of their obligations to data subjects in terms of how to secure the data, how to manage it, how to process it, and how they are to share it, including an understanding of the consent of the data subject.
The focus also includes the data subject: do they even know their rights? Are they aware that if their data are collected, their consent is required? And you’re talking of over 200 million people who constitute data subjects in Nigeria spread across Nigeria’s huge landmass. We accept in the Bureau that in terms of awareness we have a great task and we are committed to bringing everybody along. We are taking the message to every actor in the sector. We’ve been to the Nigeria Centre for Disease Control (NCDC), National Identity Management Commission (NIMC), Corporate Affairs Commission (CAC), NIGCOMSAT Ltd, and several other MDAs including major government data controllers, and this is what we tend to do; then later we go to private companies. But we need to commend the private companies because the level of their compliance is higher than the public sector and that’s why we are starting with the public sector. The query issued to Wema Bank and Bet Naija is part of the awareness too. Now, some people are already aware that there is a body that can actually rise up and say we want to investigate you over data breaches, as empowered by law to so act. So, you cannot just do whatever you like and get away with it. No! Things have changed!
What are the strategies of the Bureau to address the awareness gaps?
Even beyond awareness, we are trying to have a strategic plan; the roadmap of 2023-2028 for us to know what we need to do, how we get these things done, and who are the stakeholders required to drive the roadmap. The roadmap will address issues of timelines and funding, because awareness creation requires funding. Hopefully before the end of the year, we would be able to get inputs of various stakeholders through a strategic committee and validate our action plan. At the moment, we are already working to move beyond subsidiary legislation as a Bureau to an Act and so we are already working with the World Bank, Global Development Bank, and are involving all stakeholders to ensure that whatever we are producing is for Nigerians and it adequately captures our peculiar culture benchmarked against best global standards such as the European Union GDPR [EU Data Protection Regulation].
As the head of a new agency addressing very novel issues of data privacy, what are your ultimate goals for the Bureau in another 12 months?
To ensure that data subjects in Nigeria know their rights; that data processors in Nigeria know their obligations to data subjects; stakeholders are aware of what they need to do; to ensure that in terms of data protection, everybody is safe and there is confidence in the entire data protection sector; and to a large extent, we continue to build that positive international reputation to be seen as a country of serious people who know their rights when it comes to the issue of their data privacy. Also, to connect the objectives of data protection to building a robust digital economy that is vital to capacity building as I had earlier mentioned. The data protection sector in Nigeria is young and the market is huge but grossly underserved. There are few data protection certified professionals so we need to build the capacity of our staff and of people, unemployed graduates who can be trained to become certified and close the skill gaps. Our target is to train 50,000 data officers in 12 months so in five years we are looking at 250,000 certified professionals in Nigeria. Of course, we cannot do this alone so we are fostering partnerships to drive our goals.
It would appear the Bureau is exploring partnerships with foreign governments like Finland and multinationals like Facebook to build capacity and all that.
Finland is among the EU countries that have achieved so much in data protection. It is a small country but mighty in several ways. It will surprise you that they are only about 5.5 million in terms of population but their passport is topnotch in the whole world. Their passport can enter 175 countries visa free. They have a lot of data coverage because of Nokia, a homegrown company. Their application of the GDPR with a local supplementary Act on data protection is the model not only for Europe but the rest of the world. We are leveraging on all of these to learn from them and also share experiences with them. For instance, and it may surprise you, the issue of DPOs is original to us and we are sure other countries are studying our model to learn from us and how to apply the model. Knowledge sharing is important in this industry as a global one. We are already talking to Singapore, which set up its own certification processes in 2013; we are talking of having a network of African data protection authorities in the 34 countries of the 54 countries on the continent.