The National Commissioner for the Nigeria Data Protection Bureau, Dr Vincent Olatunji, has disclosed that the Commission will prosecute the Chief Executive Officer of any government agency found guilty of data breaches.
He made this disclosure on Monday in Abuja at a press conference to shed more light on Nigeria Data Protection Law 2023.
Lamented the low level of data compliance among government agencies, with compliance level rising from four per cent to nine per cent after a series of training, awareness, and a circular, which was issued last year.
Olatunji added that while private organisations can be made to pay a fine for data breaches, asking a government agency to pay a fine is the government fining itself.
Therefore, instead of a fine, the head of the agency will be prosecuted for the breach.
He said, “What we have in the law now, if we want to fine a government organisation, it is using government money to fine government. So, we are saying the CEO must be prosecuted, that is what we have in the law. So, if you are the CEO, and you say you are a government official, and nothing will happen. If there is a data breach, we will leave government, it is you that will be prosecuted.”
He added that a number of training is planned to ensure awareness and compliance in the private and public sectors.
The NDPC boss further noted that over 100 organisations, which include mostly lending platforms, are being investigated.
He added some investigations were concluded, with appropriate sanctions meted but did not disclose the names of organisations sanctioned.
Olatunji said, “Between when we started now, we have investigated over 100 organisations. Most of them are lending apps.”
He added, “We have dealt seriously with them. Currently, Sokoloan that is like the arrowhead of such organisations, we issued fines and are currently discussing with them. We have investigated about seven banks. Some are ongoing and we have concluded some. Those that we have completed, we have issued sanctions to them.”
On the fines for the breach, he noted that although the law states that any organisation found guilty should per two per cent of their gross earning, the Commission issues fines based on the level of the damage.
He said, “What the law says is that they should pay two per cent of their gross earnings but looking at our economy in Nigeria, we are preaching ease of doing business. Some of them if you tell them to pay that fine, that means, in fact, they confess to us, that almost all their top management staff will go. So, what we are saying is that it depends on the impact of the breach on the data subject.
The NDPC boss also said that the Commission has earned over N200m from licences and breaches, with over N50m made from only data breaches.
“On breaches alone, we raised more than N50m. From licences and everything, from when we started, without a law, we raised over N200m for government,” he said.