The Nigeria Data Protection Commission (NDPC) has announced that it will now hold chief executives of government Ministries, Agencies, and Departments (MDAs) accountable for any data breaches that occur under their watch. Dr. Vincent Olatunji, the National Commissioner of the NDPC, revealed that these executives will face sanctions because the government cannot be fined from its own coffers. He also highlighted that compliance with data protection laws among MDAs has increased to 9% from 4% last year.
While private companies have faced sanctions under the Nigeria Data Protection Regulation (NDPR), government agencies have not been fined, despite concerns that they are often responsible for data breaches. However, with the signing of the Data Protection Bill into law, this era is coming to an end.
Private sector organizations currently demonstrate a 49% compliance rate, significantly higher than the 9% compliance rate in the public sector. To enhance compliance in both sectors, the NDPC is conducting nationwide capacity-building programs to train more data protection officers.
Olatunji emphasized that there are provisions in the law that could result in the imprisonment of CEOs of MDAs if a data breach occurs and impacts data subjects. A circular has been issued to ensure that all MDAs appoint resident Data Protection Officers (DPOs) and provide appropriate training to staff on data protection. The NDPC expects compliance levels among MDAs to improve, and the CEO will be held responsible for any breaches.
Government agencies such as the National Identity Management Commission (NIMC), Nigeria Immigration Service (NIS), and Federal Road Safety Corps (FRSC), which handle significant amounts of Nigerian citizens’ data, are also required to comply with the data protection law recently signed by President Bola Tinubu.
In terms of possible sanctions, the NDPR stipulates that if a Data Controller deals with over 10,000 Data Subjects, a fine of 2% of the organization’s annual gross revenue from the previous year or a sum of N10 million (whichever is greater) must be paid. For Data Controllers with fewer than 10,000 Data Subjects, the sanction involves a fine equivalent to 1% of the organization’s annual gross revenue from the preceding year or a sum of N2,000,000.00 (two million Naira) (approx. EUR 2,000) (whichever is greater).