The Nigeria Data Protection Commission (NDPC) has indicated its readiness to hold chief executive officers (CEOs) of governments’ Ministries, Agencies, and Departments (MDAs) responsible for any data breach in their organisations as part of its sustained drive towards data protection in the country..
The National Commissioner of the commission, Dr. Vincent Olatunji, was quoted as saying that the MDAs’ chieftains will be sanctioned on any breach of the Nigeria Data Protection Act as government cannot be made to pay fine into its own coffers.
On the level of compliance with the provisions of the enabling law, he disclosed that the level of data protection by MDAs still remain low, increasing to just 9% this year from 4% last year while the level of compliance by the organized private sector had risen to 49%.
Olatunji pointed out that whereas the Commission had been sanctioning private companies under the Nigeria Data Protection Regulation (NDPR), no government agency had been fined even amid concerns that they were the most culpable on data breaches.
Following the signing of the Data Protection Bill into law now, the NDPC boss hinted that in order to improve compliance by both public and private organizations with the provisions of the law, the commission would soon commence capacity building for more data protection officers nationwide.
He said: “There are provisions in the law that even the CEO of an MDA could be jailed if there is a data breach with impact on the data subject. We have also issued a circular to the effect that all MDAs must appoint a resident Data Protection Officer (DPO) and ensure that they train all their staff to understand what data protection is and also to make appropriate budget provisions for data protection.
“So, we are expecting the level of compliance by MDAs to increase from now. We are also creating awareness to ensure that all MDAs comply with the provisions of the law. But if there is any breach, yes, we can’t find government to pay the government, but there is somebody responsible for that, and that is the CEO. And that is why the DPOs should report to the CEO of any organization they work with so that there are no ambiguities in whatever they are supposed to be doing. So, whatever happens, the CEO will be held responsible,” Olatunji added.
On the likely sanctions for breaches, he explained that in the case of a Data Controller dealing with more than 10,000 Data Subjects, the regulation stipulates the payment of a fine of 2% of the organization’s annual gross revenue of the preceding year or the payment of the sum of N10 million, whichever is greater.
Similarly, he clarified that in the case of a Data Controller dealing with less than 10,000 Data Subjects, the sanction involved the payment of a fine representing 1% of the organization’s annual gross revenue of the preceding year or payment of the sum of N2,000,000 (approx. EUR 2,000), whichever is greater.
