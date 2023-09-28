A tech expert, Temmy Adelowo, has reiterated that protection of customer data must be prioritised by business organisations, saying the data should be well controlled to avoid sanctions. Adelowo, the CEO of Morebol Tech Company, said the data controller needed not to keep access to customers’ data. According to him, the data owner should be the only one who can access his data, saying the organization needs to get permission from the owner before accessing the data at the backend.

He also urged organisations not to take more data than what is needed for a particular transaction and discard such immediately after the transaction has been completed. Adelowo, who commented on the content of the new Nigeria Data Protection Act 2023, noted that the Act had stipulated fines including jail terms for data breaches by any organisation. The penalty amount depends on whether the violator is a data controller or processor of major importance or not.

Penalties against data controllers or processors of major importance shall be the higher of N10 million (approximately $22,000) or two per cent of the annual gross revenue of the preceding financial year. Penalties against other data controllers and processors shall be greater than N2 million (approximately $4,300) or two per cent of the annual gross revenue of the preceding financial year.

The Act also prescribed jail terms for the CEOs of MDAs and business organisations. The Commission is empowered to create regulations for new offences and that impose penalties not exceeding those prescribed under the Act (Section 56(3). As Nigeria continues to make its mark within the global digital economy and rapidly expand its technology ecosystem, this Act represents a continued focus on protecting the personal data of Nigerian citizens, in alignment with common internationally accepted principles of data protection.

However, the Act contains unique provisions that should not be overlooked, including a new classification of data controllers and processors “of major importance” and specific obligations attached to them, as well as broader protections for exempt processing activities. Overall, the Act represents a significant step in Nigerian data protection and notably resolves the long-running dispute regarding the identity and institutional authority of Nigeria’s primary data protection regulator.

Giving advice on data protection, Adelowo said a good data protection culture enhanced the integrity of an organisation, warning that a data breach would push an organisation into big trouble. “We have a lot of phishing and all that happening across cyberspace in Nigeria, and that is because we don’t have any regulations or regulators in place to help. Even most businesses, before now, didn’t understand what the data is, they have no understanding of how to manage customers’ data.

“Some people will get your information, your name, your phone number, and others from a business organisation you have your data with and start calling you to come and buy land, come and buy properties. Those calling you got your information from somewhere and that is why we need a protection act. “The new Act will reduce that even though we cannot rightly eradicate it completely, then we can mitigate the effect of data breaches in Nigeria.

“The new NDP Act has put the responsibility on the data controller, to make sure they process only the data needed and protect the data of their data subjects. “The Act also stipulates sanctions on any organisation that breaches their customer’s data. The customer can sue the organization, they can even pay up to N10 million for any data breach. So this new act is going to come and also monitor how businesses use the data of their clients.

Also, it will reduce data breaches. “If there is any data breach, the business owner needs to inform the data subjects within 72 hours. If there’s a data breach within the organisation, you have to call your customers and explain to them so that they will not use that as an advantage for you to pay heavy fines. “For instance, some scammers may call your customers on behalf of your organisation to scam them, if this happens, your organisation may be culpable if you don’t inform your customer and report it to the appropriate body because the new Act has covered all these.”