
The National Information Technology Development Agency (the “NITDA”) is empowered under the Nigerian Data Protection Regulation (“the NDPR”) to impose fines for any data breach by data controllers or processors.
True to its mandate, the NITDA on 15 March 2021 imposed a fine of N5,000,000[1] (Five Million Naira) on a Fintech company, together with a 6 (Six) month regulatory oversight to ensure that the Fintech company implements the security controls and processes prescribed under the NDPR. We note that the NITDA has directed the Fintech company to do the following:
- draw up a clear data security and governance between the Fintech company and its IT vendors specifying their roles, responsibilities, and processes involved in securing and protecting personal data;
- conduct regular NDPR training for all staff, and publish and implement appropriate policies;
- undertake and submit its 2020/2021 regulatory audit as required under the NDPR; and
- conduct a Data Protection Impact Assessment on some data-intensive applications and products.
This is a strong message from the NITDA to all data controllers and processors to ensure that their data protection practices are updated in line with the provisions of the NDPR.
We will continue to monitor the space and provide updates.
[1] Equivalent to US$13,123