NITDA's Kashifu Inuwa Abdullahi

The National Information Technology Development Agency (NITDA) has imposed a five million naira fine on Electronic Settlement Limited (ESL) among other sanctions for breach of personal data by the financial technology company.

The regulatory agency also ruled that ESL shall be under a six-month information technology oversight to ensure implementation of all prescribed security controls and processes.

NITDA’s ruling signals the IT regulator’s increasing zero-tolerance stance on data protection breaches as defined under the Nigeria Data Protection Regulation (NDPR) of 2019.

The NITDA has “concluded its investigation process on the personal data breach by Electronic Settlement Limited. The investigative process involved an analysis of the company’s applications and websites; visit to the company’s office in Lagos, review of its technical documents as submitted to the agency and interrogation of its officials by NITDA investigation team in Abuja. At the end of the process, we have established that there was a data breach involving the company,” notes a statement this week by the agency’s Head, Corporate Affairs and External Relations, Mrs. Hadiza Umar.

NDPR is Nigeria’s principal data protection legislation

Nigeria’s principal data protection legislation is the NDPR issued by the NITDA on 25 January 2019 pursuant to Section 32 of the NITDA Act 2007 as subsidiary legislation to the NITDA Act 2007.

In addition to ensuring the privacy rights of citizens or data subjects whose data is domiciled in their servers, the NDPR mandates all organisations that process the personal data of more than 1000 data subjects in a period of 6 months and 2000 data subjects in a period of 12 months to submit a Data Protection Audit report to NITDA not later than 15th March every year.

Investigation to assess risk and provide remedial actions

According to NITDA, “the objective of our investigation was to assess the risk resulting from the breach, with a view to identifying the causes, remedial actions taken and other necessary issues to avoid recurrence. The company has been well briefed on our prescriptions for better information security and protection of personal data.”

“In compliance with the NDPR and the need to prevent a repeat of this unfortunate breach, NITDA has directed as follows:

  1. Electronic Settlement Limited shall be under a six-month information technology oversight by NITDA. The oversight shall involve oversight of implementation of prescribed security controls and processes.
  2. That a clear data security and governance document is drawn up between the Electronic Settlement Limited and all its Information Technology services vendors identifying roles, responsibilities and processes involved in securing and protecting personal data.
  3. That the company conduct regular NDPR training for all staff, publish and implement appropriate policies as required by the NDPR.
  4. Submit 2020/2021 regulatory audit as required by Article 4.1.6 of the NDPR, conducted by a Data Protection Compliance Organization (DPCO) as licensed by NITDA.
  5. Conduct Data Protection Impact Assessment on some data intensive applications and products.
  6. Payment of the sum of Five million Naira only (5,000,000.00) as fine in line with the requirements of the NDPR.”
