Dr. Vincent Olatunji, President Muhammadu Buhari’s pick to head the new Nigeria Data Protection Bureau (NDPB) makes him chief of the nation’s dedicated data protection and privacy institution.
Before his new job, Olatunji was Director of eGovernment Development and Regulatory at National Information Technology Development Agency (NITDA), the Federal IT regulator that championed data protection and privacy through the NDPR, the Nigerian data protection rules that came into effect January 25, 2019, to provide safety nets for the private information of Nigerians in the digital age.
Nigeria, a fast-rising connected nation, is home to 195,463,898 (102.40%) active phones; 141,971,560 internet subscribers base; 78,041,883 (40.88%) active broadband user base, as of December 2021, according to official data by the nation’s telecoms regulator.
Minister on the Presidential Approval for Nigeria Data Protection Bureau (NDPB)
Olatunji, as the Pioneer National Commissioner/Chief Executive Officer of NDPB, Dr. Isa Pantami, Communications and Digital Economy Minister, who announced the appointment says, will provide leadership to the new data privacy and protection body also approved for establishment by President Buhari.
The President’s approvals “followed a request made” by the Minister says, underscoring that “NDPB has been established in line with global best practice and will focus on data protection and privacy for the country, among others.”
The successful implementation of the National Digital Economy Policy and Strategy (NDEPS) for a Digital Nigeria, Pantami adds “has significantly increased the adoption of data platforms and accelerated the datafication of our society. This has increased the importance of having an institution that focuses on data protection and privacy.”
Apart from that, the issuance of the NDPR in January 2019, as subsidiary legislation to the NITDA Act 2007, “has increased awareness about the need for data protection and privacy.”
On the watch of Olatunji, NDPB “will be responsible for consolidating the gains of the NDPR and supporting the process for the development of a primary legislation for data protection and privacy.”
President Buhari, he says, “also approves the recommendation of the Minister of Communications and Digital Economy, Professor Pantami, for Dr. Vincent Olatunji to serve as the National Commissioner/Chief Executive Officer of the Bureau. Dr. Olatunji hails from Ekiti State and, at the time of his appointment, was the Director of the eGovernment Development and Regulations Department at NITDA. The appointment takes effect immediately.”
Who is Dr Vincent Olatunji?
According to his bio obtained from the NITDA website by Technology Times, Dr. Vincent Olatunji has a doctorate degree in Geography and Planning from the University of Lagos and an Advanced Diploma in Computer Studies. He is a Certified Public Private Partnership Specialist (IP3 Specialist) and a PECB Certified Data Protection Officer. He has worked in the public sector for almost 30 years thereby acquiring practical proficiency and thorough understanding of government operations in Nigeria and other countries. He brings on board significant experience in team building, research activities, policy development, and strategic planning on various development initiatives across the three tiers of government in Nigeria.
He equally offers significant capability in the delivery of high-value outcomes as a skilled negotiator, social networker, and public speaker whose personal focus is on working with teams and individuals to maximise economic potential.
He joined NITDA in 2002 and has worked in various departments thereby rising to the position of a Director in 2014 and Acting DG in 2016. Currently as the Director of eGovernment Development and Regulations, he has effectively
He has served in many positions at various times which include the following amongst others:
Coordinated the development of actionable programmes for NITDA’s current strategic Pillars leading to repositioning the agency towards regulating the IT sector in Nigeria;
Coordinated the development of strategies and plans for the implementation and co-ordination of Nigeria’s eGovernment and National ICT Transformation Agenda;
Successfully mainstreamed the development and launch of various Policies, Guidelines and Frameworks such as the Nigeria Inter-Operability Framework, Nigeria Enterprise Architecture, Cloud First Policy, Government Digital Service Policy, Nigeria Data Protection Regulation and Smart Initiatives Framework to enhance Nigeria’s digital transformation;
Currently serves as the coordinating chairman of the activities of the National Interoperability and Enterprise Architecture Committee, Digital Transformation Technical Working Group, and Nigeria Data Protection Implementation Committee amongst others.
He has attended many Capacity Building programmes in various areas such as Public Sector Management, Project Planning and Management, Digital Transformation, and Data Protection amongst others.
He is a member of many committees of experts and also chaired some of them. He has represented NITDA and Nigeria at several local and international engagements. He was listed among the 100 Leading Telecom and ICT Personalities in Nigeria by the Association of Telecommunication Companies of Nigeria in April, 2018.
He has also won several awards from public and private sector organisations including his Alma Maters; University of Lagos, UNILAG Alumni Association, Award of Outstanding Commitment to University of Lagos Alumni Association, July 2017 and Ekiti State University Alumni Association, Award of Eminent Personality, Ekiti State University, 22nd June 2018. Ekiti State University also awarded him with a Doctor of Public Administration (HC) on 23rd June 2018. Dr. Vincent Olatunji is happily married with children.
NITDA: What Does NDPR Say
According to NITDA, under part of the IT regulator’s commitment to implementing the National Digital economy policy for digital Nigeria, it is pushing forward to create a framework for the planning, research, development, standardization, application, coordination, monitoring, evaluation, and regulation of Information Technology practices in Nigeria.
Data Privacy and protection remains one of NITDA’s priority areas including Developmental Regulation, Digital Literacy and Skills, Solid Infrastructure, Service Infrastructure, Digital Services Development and Promotion, Software Infrastructure, Digital Society, and Emerging Technologies & Indigenous Content Development and Adoption. Following the release of the NDPR, NITDA addresses some of the issues covered under data privacy and protection below:
What specific objectives is the Regulation meant to achieve?
The objectives of the NDPR are: data privacy protection; secure exchange of data; improve business environment and create sustainable jobs.
What is the scope of the NDPR. Who does it apply to?
The NDPR applies to all residents of Nigeria; all Nigerians within and outside Nigeria.
Has the Regulation come into effect and when does the 6-months grace period expire?
The Regulation came into effect on 25th January, 2019. A major advertorial was carried in four major national dailies between 14th and 15th of February, 2019 to sensitize people on this. The grace period elapsed by 25th of July, 2019 and extended till 25th October, 2019.
What is data processing?
Processing is defined in Article 1.3(r) as follows: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What is the legislative competence of NITDA to issue data regulation?
NITDA is empowered to regulate electronic data use in Nigeria. Section 6(a and c) of the NITDA Act 2007 makes this clear. This provision makes it clear that NITDA has the authority to regulate data from any electronic or digital platform. A breach of NITDA regulation is a breach of the NITDA Act as provided by Section 17 and 18 of the Act. Therefore, a breach of this Regulation is enforceable in the Nigerian court.
Our business operates an international model, wherein customer’s data are transferred across borders often, how does the NDPR impact on this model?
The NDPR recognizes the need for cross-border transfer of data in an era of globalized and high-speed business transactions. Article 2.11 of the Regulation, which relates to Transfer to a Foreign Country, addresses this concern. To comply with the provision and other aspects of the Regulation, the Data Controller would provide the following:
i. The List of Countries where personally identifiable information of Nigerian citizens are transferred in the regular course of business.
ii. The Data Protection laws and contact of National Data Protection Office/Administration of such countries listed in i) above.
iv. Overview of encryption method and data security standard
v. Any other detail that assures the privacy of personal data is adequately protected in the target country.
These information may be captured in the annual data audit report where the transfer is done in the regular course of business.
Does the NDPR mandate businesses to host data only on local servers?
The NDPR does not mandate private businesses to host data only on local servers, although this is highly encouraged. Government data as well as critical national data in the custody of private organisations must however be hosted in-country. Where hosted abroad, the Data Controller, should however, provide NITDA with the countries where such servers are located and their data protection policies.
Would data privacy audits conducted by private auditors be compliant to the NDPR?
NITDA does not accept audit report by non-licensed third-party auditors. The Data Controller may encourage its auditors to obtain the Data Protection Compliance Organisation (DPCO) license or alternatively deal with NITDA licensed DPCOs. Every audit report required under the Regulation must be accompanied by a Verification Statement by a licensed DPCO.
When are Data Controllers expected to file data protection audit report?
Except for other specified purposes or request by NITDA, Data Controllers are expected to file their data audit report annually before the 15th of March of the following year.
What is the role of a Data Protection Compliance Organisation (DPCO)?
A “Data Protection Compliance Organization (DPCO)” means any entity duly licensed by NITDA for the purpose of training, auditing, consulting and rendering services and products for the purpose of compliance with the NDPR or any foreign Data Protection Law or Regulation having effect in Nigeria. In essence, any organization that wishes to provide any form of data privacy protection service to Nigerian companies must acquire this license. Submission of annual audit report by Data Controllers must be accompanied by a verification statement by a licensed DPCO.
Do Data Controllers wishing to transfer data abroad, obtain permission of the Attorney-General of the Federation before doing so?
Article 2.11 of the NDPR provides: Any transfer of Personal Data which is undergoing processing or is intended for processing after transfer to a foreign country or to an international organisation shall take place subject to the other provisions of this Regulation and the supervision of the Honourable Attorney General of the Federation (HAGF).
Data Controllers do not require permission of the Attorney-General for every transfer of Data outside Nigeria. In transferring data abroad, Data Controllers shall provide the following information to NITDA through their annual audit report or where specifically requested by NITDA.
i. The List of Countries where Nigerian citizens personally identifiable information of Nigerian citizens are transferred in the regular course of business.
ii. The Data Protection laws and contact of National Data Protection Office/Administration of such countries listed in i) above.
iv. General overview of the data protection mechanism to protect Nigerian citizens’ data.
NITDA shall relate with the Office of the Attorney General of the Federation to seek guidance on Nigerian legal position on any aspect of the Regulation or where there is a breach of private data in a foreign jurisdiction.
We have engaged a Data Protection Compliance Organisation (DPCO) but our audit process is not concluded, what should we do?
The Controller may through its appointed DPCO file a request for extension, stating the processes already initiated and other information to show commitment to compliance.
We process less than 2000 data subjects, do we need to file data Audit Report?
No! There is no need to file audit report. However, it is essential to conduct the audit for future reference.
How do we submit the audit report?
The report, accompanied with requisite payment, is to be submitted through a DPCO to NITDA.
If we file the Initial Data Audit Report (IDAR), would we be obligated to file another report before 15th March, 2020?
No! Organisations who implement demonstrable corrective measures after filing IDAR are exempt from filing 2019 Annual Audit Report which expires on 30th June, 2020.
How much are we to pay for audit filing?
Filing of Report of less than 5,000 Data Subjects N10,000
Filing of Report of more than 5,000 Data Subjects N20,000.
How do we pay the Audit Filing fee?
Pay into NITDA TSA account. In the Description, write- XXXXXX LTD AUDIT FILING. (Note that the GIFMIS number is not a mandatory field)
Can Data Controllers and Processors file Audit Reports directly?
No! Filing of audit report must be done through a DPCO.
Our sector regulator has issued a data protection regulation for my sector, are we still expected to still comply with the NDPR?
Yes, the NDPR applies to all sectors and every data controller and processor.
What are the possible consequences of non-compliance with the NDPR?
i. Breach of personal data by a non-compliant Controller or Processor would attract criminal and administrative sanctions
ii. Data Subjects have the right to take civil actions against the Controller on the basis of the NDPR
iii. Business implication of non-compliance include brand image damage, loss of customers, restriction from international market opportunity; lack of support from national Supervisory Authority against foreign investigation of breach by an international authority.
Does the NDPR limit my right as a professional to advise clients on Data Protection?
No! Professionals are not restricted from performing their professional duties; however, only licensed DPCOs can provide verification statement on an audit report. Also, request for recognition of data protection training, services, or products is predicated on licensing as a DPCO except management deems otherwise.