The National Commissioner of the Nigeria Data Protection Bureau, Dr Vincent Olatunji, speaks with SAMI OLATUNJI on the factors inhibiting efficient data privacy and protection in Nigeria, among others.

To begin, what type of data does the bureau protect, and how?

One of the major objectives is to protect the privacy of natural persons, to protect their data – how it is being collected, stored, transmitted, processed and secured. This is to ensure that the data of people are adequately protected and processed within the available regulations in the country. So, we are looking at natural persons who are Nigerians. By data, we mean anything that can be used to identify a person, such as your name, email address, house address, telephone number, etc. All these are your personally identifiable data. There is what we also call sensitive data, such as your health information, ethnic group, religion, ideology, among others. For sensitive data, there is a need for additional security in terms of encryption, tokenisation, and pseudonymisation when processing or transmitting. That is the major difference between sensitive data and personally identifiable data.

What would you say are the major challenges to data protection and privacy in Nigeria?

The major challenge is ignorance. A lot of people don’t know what we talk about when we say data privacy and data protection. Data subjects that we are protecting will tell you that they have been giving out their details and nothing has happened to them. So, they ask, what do you mean by you seeking to protect my data? However, there is the issue of identity theft, with people stealing other people’s data. Many data subjects don’t know this. On the part of data controllers, they owe us as data subjects an obligation to secure and process within the law and ensure they put in place necessary measures in terms of technology and human capital. Also, what kinds of people are in charge of processing data?
Do they even understand what data protection is? Do they even know that they should be knowledgeable enough to understand the laws and regulatory instruments available in the country? For instance, in Nigeria, as far back as 1999, the 1999 Constitution of the Federal Republic of Nigeria, specifically Section 37, speaks to the issue of protecting your privacy in terms of your name, address and telephone conversations. It is clearly stated in the constitution and there are some other Acts and paragraphs, such as the Freedom of Information Act, NCC Act, NIMC Act 2007, Cybercrime Act, among others. There are some sections that speak to the issue of privacy and protection. Despite that, Nigerians are still not aware. That is why we need to do a lot in the area of awareness on the part of data subjects and data processors.

There seems to be a lack of adequate awareness among Nigerians on the Nigeria Data Protection Regulation, which was issued in 2019. What is the bureau doing to bridge the awareness gap?

We have been having a lot of awareness, even as far as going to schools to talk to students about what data privacy and protection are, and what they need to do to protect their data and information. The information you give out is not under your control. You should know the information you give out. If anybody is taking your information, they need your consent. They need to tell you why they are taking your information. If you don’t want them to process your information anymore, you have the right to do so. If you say you want to move your information from one data processor to another, you have the right to say so. If you want to correct your data, you have the right to say so. All these are rights data subjects have but they don’t know. We have been informing them. There is something we do on an annual basis, which is the Data Privacy Week. 28th of January every year is World Data Privacy Day. But in Nigeria, we do it usually for one week.
During those days, we normally hold a press conference when we were still under NITDA, and that is what we will continue to do. We have a programme called Adopt-a-School, whereby we send some of our staff members to schools where they talk to students about data privacy and protection. We also invite lots of dignitaries to come and listen to us on data privacy. Also, one special strategy we have adopted, which is original to us in Nigeria, is to license Data Protection Compliance Organisations. These are organisations that offer compliance as a service. They come to your organisation and guide you to ensure that you are in line with relevant organisations. This has helped us to increase the number of audit filings we receive each year. Others are trying to emulate this model from us. Also, from time to time, we release press statements. On our website and our social media platforms, most of the messages we give out are all about how you can protect your data.

How would you rate the level of compliance with the NDPR so far? Are there certain loopholes that may hinder full compliance?

Compliance is still very low. We have over 2.1 million companies registered with the CAC. We have over 800 MDAs. So, we are talking about like 2.9 million organisations. Let us assume that about 500,000 of them are data processors. The question is how many of them file their annual audit and how many of them comply with the provisions of the NDPR? When we did the first audit, we received 630 audit reports. That means there was a huge gap. The following year, we received 1,230 audit reports. We doubled that of the previous year. We are gaining ground but that is still very low. However, now that we are a full-fledged bureau, we expect that we will receive the audits in thousands within the shortest period.

Nigeria is yet to sign into law its data protection bill.
Are there certain roadblocks that need to be addressed and how is this affecting the effort at ensuring effective compliance with data protection and privacy?

I think the major roadblock is a collaboration among stakeholders. In 2019, there was a law passed by the National Assembly but it was not assented to by Mr President. Now, we are working with the World Bank, European Investment Bank, and French Development Agency to have a principal legislation. Our aim is to ensure that the law goes to the National Assembly this third quarter and we want it passed before December. This is to ensure that before the end of this government’s tenure, we will have a principal legislation.

The bureau investigates data protection and privacy breaches. How many of such investigations have been conducted this year? How many firms are involved? What progress has been made on the investigations?

Under NITDA, we made three major investigations, and we actually issued fines. We issued to a payment platform, state government, and one of these loan sharks. Under the NDPB, we issued queries to Wema Bank and BetNaija. We received some responses from them and we are trying to set up a formal meeting to further investigate. We need to do thorough investigations before we can head to court.

How is the bureau currently tracking and curbing the spread of loan sharks in the country?

The thing is that these people studied their system and identified the vulnerable group. By the time you tell them you want to give a loan of N30,000 without any collateral, people go for it. Also, the kind of conditions they give, a lot of people don’t read, not knowing that part of it allows them to have access to your contacts. So, when you default, they start sending messages to your contacts. We are addressing the issue from two perspectives. One from the part of privacy, that is, you don’t have any right to start sending information to other people who are not your customers. These people are a third party to you.
By accessing those people, you have invaded their privacy. We are investigating in that area. Two, what kind of technology are you using? Is it even cleared by NITDA? The good news is that we now have a national joint committee of a lot of Federal Government institutions, such as NITDA, NDPB, FCCPC, ICPC, Nigeria Police Force, CBN, and NCC. We are doing a joint investigation to look at this issue. The CBN will approach it from the part of the regulatory body for the financial sector. The ICPC will look at the perspective of financial crime. NITDA will look at it from the perspective of technology. NDPB will look at it from the perspective of privacy and protection. NCC will look at it from the perspective of telecommunication. So, we are looking at regulations and technology and trying to issue a framework, which will be done shortly in order to guide them so that they don’t just take advantage of Nigerians. It may interest you that in March this year, there was an operation led by the EVC of FCCPC, Prof Babatunde Irukera, and that was a big one. We seized some of their computers and arrested some of their officials; and the case is still on. We appointed one of our licensed DPCOs to work with them. But we discovered that these people are very difficult. They are Asians backed by a few Nigerians. Just last month, we got a lead that one major consulting firm in Nigeria is working with them and we are trying to go against that one too. We are investigating it. We are putting pressure on them from all the regulatory bodies.

International agencies often talk about hackers breaking into Nigerian companies’ data and stealing billions of naira. What’s the cause and what is the agency doing about data theft and misuse?

Hacking into databases is for various purposes. One, just for the fun of it, to show that they are not secure. Two, for financial purposes, to steal identity and use the identity for fraud.
We are recommending to data processors that when you do software updates, you should carry out your data protection impact assessment to minimise possible risks that may come up during the updates. We urge organisations to put in place relevant measures and file a report with us so that it is obvious to us that they have done their best. Also, our cybersecurity unit is in place to curb the issue of cybercrime.

What appropriate measures would you recommend to the average Nigerian toward ensuring effective data protection and privacy?

We tend to give out our information unknowingly. Some people give out their cards to people around them. This shows that we need to really create awareness for data processors and data subjects. Nigerians should learn to ask more questions from anyone trying to collect their data and be more informed on data privacy and protection.