How NDPC is changing the narrative in safeguarding personal data

In this interview with the National Commissioner and Chief Executive Officer of Nigeria Data Protection Commission (NDPC), Dr. Vincent Olatunji speaks to Matthew Denis on how the regulatory agency is gradually changing the narrative to ensure that all the data controllers and processors undergo proper registration to safeguard their clients privileged information again Fraudulent activities in the country.

Sir, can you give us an overview on your operations since inception?

The whole world is going digital in how we work and interact with people. Sports, Businesses and the medical world are all going digital. If you remove digital technology from people’s lives, a lot of them would not be able to work. This is because of the possibility, potential, breakthrough barriers by Artificial Intelligence (AI) getting things done faster, which is more cost effective and globally competitive. We’re treating this like a foundation of your identity. No matter what you want to do, digital technology is all about service delivery that will be impactful to achieve the aims and objectives of the commission. Also, to be mindful of cost effectiveness and the target which is definitely the people.

So that identity which we give out on regular basis to organisations for official engagement is like leaving our digital footprint behind. The whole world has stood up and said that this footprint, how can we guarantee its security and safety? People have access to your information, to collect and process your data information in terms of your name, telephone number, bio-data, email addresses, bank details, NIN and a lot of other things about you. How are we sure such information that you give out is protected in some many ways? That is why this is attracting global attention.

The whole operation considers how to ensure that the people whose information we collect, their integrity, education and lives are protected. THis is because there are consequences for non protection of personal lives. That’s why all over the world they are putting in place laws to guide the way personal data is being connected and processed. We are now looking at the people in the Ecosystem data controllers and processors who determine how these data are collected to know the purpose why your data is being collected and being used.

When those who collect data on behalf of data controllers and the data subjects (you and I, over 200 million people when you give out your information for telecom, banks, medical service, airport, etc) do their work, the regulator (NDPC) will enforce the law which is embedded in the amended 1999 constitution section 39 on the right to protect our privacy. So in view of what is happening globally, Nigeria put up the agency in 2019 to oversee how personal data is being processed and are protected within the law framework. And also to improve our global competitiveness and businesses, because a lot of multinational companies, countries and organisations will not be willing to do business with you if their personal data is not guaranteed. So looking at that the NDPC established a committee to implement the threshold within one year. Part of what we are to do is to implement government decisions and to develop a principle law for data processing in Nigeria, and now we have a principle law called  Nigeria Data Protection Act 2023 passed by the 9th National Assembly and signed by President Ahmed Tinubu government on June 12th, 2023.

This was among the first set of laws that the President signed when he came onboard because he understands the potentials, powers and possibilities of the Digital Economy, and most importantly, his 8-point agenda is driven by data technology. So what we are out to do at the Commission is to ensure that the rights, freedom and interests of all Nigerians are protected when they share their personal information. When you have your personal information with your bank, telecom, hospital, airport we ensure that these data controllers and processors put in place measures called technical and organisation measures within the provisions of the law.

Your Commission has given a timeframe for Data Controllers and Processors to register between January to ending June 2024. What is the level of compliance?

The ecosystem is just evolving and a lot of people don’t just understand what we’re talking about. Data process, data controller, data subjects are concepts unknown, that is why we have embarked on creating awareness. We are done with the first phase and very soon we will create awareness on the need for them to register, because it speaks on the reputation of their organisation, compliance, and credibility. One thing that this will create is trust and confidence in your data processing activities as an organisation. We have up to the end of June, 2024 for all of them to register and we are starting another level of massive campaign for them to register in the next two weeks. But in terms of compliance the situation is still low. When we started in 2022 we had about 1,777 data controllers and processors and last year it rose to over 2,000, but it’s very low when compared to the number of data controllers and processors we have identified in the country. We have identified about 500,000 and today we’re doing less than 3,000. That means we have not even started at all, which is why we are speaking to stakeholders and bringing everybody onboard. We have released the guidelines strategy telling you who qualifies as Data controllers and processors, and their categories with independent registration. In February 2024, we released a guide for those that qualify to register with us, so we expect in the next few months it will increase

We have discovered through findings that there are a lot of defaults by the financial sectors in terms of personal data protection of their clients. What roles will NDPC play to remedy these lapses?

What we are doing is to create awareness and build capacity. To be fair to them, a lot of the banks (financial sector) in terms of compliance are higher than other sectors of the economy. Because they understand that any bridge in the banking sector can cause them to lose millions of customers. However, we are looking more into the area of technical measures, the level of security that they are putting in place and organisation measures. I have been engaging them largely that is why we are coming out all loud to increase awareness.

Some of them will come to us and sit down with the information Security officer but the work of data information gathering is different from the work of a solicitor. Data Protection officers are the ones to see on the processing of data activities to ensure that whatsoever we are doing is within the confines of the law which the solicitor doesn’t know, and that is the checks and balancing in what they do.  Though the level of their compliance is still low, it is better than other sectors. We are still working and discussing with them to ensure that their level of compliance gets better. Funny enough the cases that we have handled are more from the financial sector because they deal with people everyday even the unbanked in one way or another. So it’s getting better but we can do more and definitely we are on it in the months ahead.

In terms of your operations, what are the challenges and what happens to the Data Centres built like the Galaxy Backbone in Abuja, Kano Centre and others? Based on the capacity, how many of them are efficient?

We have a very good capacity in terms of data centres in the country. For instance, you have just mentioned Galaxy Backbone. We have a Tier three data centre in Abuja and Tier four data centre in Kaduna as a backup, and it’s huge. By government directive, all Ministries Departments and Agencies (MDAs) are supposed to put their data with Galaxy Backbone, however, there are several challenges before in terms of service delivery, support and so on, but I think the narrative is changing now.

They have all the necessary things to place in terms of capacity, support and facilities, costs etc. In addition to that there are a lot of participants in the private sector regarding data delivery in Nigeria who are doing a lot in terms of infrastructures and standards. We can expect the best from them. Security, big time assets but the major problem is cost. Looking at power alone you have to run on diesel or petrol for almost 24 hours daily. Also infrastructures are major issues because we are seeing others that are offering service less than half of some are offering in Nigeria. So definitely, one will want to patronise those ones but all these challenges are being addressed now. However, a lack of proper coordination of data centres in Nigeria has been a major challenge. As part of the globalisation, we want to coordinate good information exchange with other countries but operate within the corridors of the existing laws of the land.