…Commission sensitizes, engages stakeholders on NDP Act application, implementation directive
By Dele Ogbodo
The Nigeria Data Protection Commission (NDPC), on Tuesday fined Fidelity Bank Plc the sum of N555, 800, 000.00 for breach of the Nigeria Data Protection Act.
The fine which is the equivalent of the bank’s 0.1% of its 2023 gross earnings, the commission says must be paid to federal government within 14 days on the receipt of notification from the Commission.
Fielding questions at the sideline of the sensitization workshop on the National Data Protection Act Guideline Application, Implementation Directive (GAID) in Abuja on Wednesday, the National Commissioner for NDPC, Dr. Vincent Olatunji, said: “Since we started the only time that we issued major penalty was yesterday on Fidelity bank and we have issued a fine of about N555 million to Fidelity bank that they have to pay because we have observed some breaches.
“We have been working with them since April 2023 when we started investigation and by the time we finalised they claimed arrogance and so we decided to issue full penalty on them which is about 0.1% of their gross earnings for 2023.
On stakeholders’ contribution the Act’s applicability and implementation directive, he said to avoid ambiguities where people will say they don’t understand the law it has become imperative, adding that that the whole essence of having a guide which is the general implementation directive and even at the level they have articles which are like law and they recite it as explanatory note to the NDPR Act.
He however said that it is the same thing that the Commission is embarking on the Act that was signed by President Bola Tinubu June 12, 2023.
He said: “What we have done now is to have explanatory notes on each of the sections of the law stating the implication of the statement that has been written in the law and usually when you do that it is always better as part our rules making process what we usually do is to subject it to review by our stakeholders.
“We did the first one in Lagos on the 19th of June this year, this is the second one just to make sure that everybody is involved in whatever we are doing so that by the time the document out, we all will see that it is our document because we have been able to make our inputs to what we are doing.”
On the stakeholders meeting held in Lagos, he added: “What we collated are the inputs that we received when we did it in Lagos, we are also going to collate same here and now do a thorough review of the original draft incorporating the views of our stakeholders to ensure that we cover although we have more 100 or even 200 views on the issues.”
According to him, the Commission will look at the relevance of the inputs and then the value that such inputs will add to the document that will be produced, explaining that the most important thing is that after producing this document it will be released as our guide in Nigeria and when it gets to anywhere it should be able to stand tall as something that is credible.
He reiterated the entire exercise is also about creating awareness for people to know what is in the law and to know what they should do and what they should not do.
He added: “If look at the data ecosystem in Nigeria, it is still evolving we just started about 3 years ago and we cannot compare ourselves with other countries that started 20 years.
“It is still new and that is why it is important to create as much awareness so that everybody understand what we have in the law so that there will be no ambiguity.
On compliance, he said: “What we have done in our model in Nigeria which is unique to us and the number one model across the globe, we have a PPP model as we have licenced some professionals, called data protection data compliance organizations in Nigeria.
“We have licensed about 194 of them and what they do is to go round organisations, private sector organisations to take them through compliance, crafting their privacy policy and creating awareness within the organization in terms of letting them know their obligations under the law and also carrying out data impact assessment and training their staff.”
He added that it is the responsibility of the companies to register them with us and submit their annual audit report to the commission and with this we know the level of compliance.