Nigerians and businesses’ risk losing N2m or more to the government for violating the Nigeria Data Protection Regulation 2019.
The National Information Technology Development Agency made this known on Wednesday in a public notice signed by the Director-General/Chief Executive Officer, NITDA, Dr Isa Patanmi.
The agency said it commenced the implementation of the Nigerian data protection law, which seeks to safeguard the rights of Nigerians to data privacy, on April 25, 2019.
“NITDA hereby notifies the general public that consequent upon its official issuance and public presentation of the Nigerian data protection regulation on January 25, 2019, full implementation of the regulation commenced from the April 25, 2019,” the DG said.
According to Patanmi, the regulation will ensure exchange of personal data is done safely and securely; prevent the manipulation of personal data and ensure that Nigerian businesses remain competitive globally.
He noted that data protection was a key requirement in ensuring confidence in business transactions.
The agency said it had been mandated by the Section 6(c) of the NITDA Act of 2007, to “develop regulation for electronic governance and monitor the use of electronic data interchange and other forms of electronic communication transactions among others.”
Pantanmi added that the Act had granted NITDA the power to enforce compliance and penalise defaulters.
He said the penalty for breaching this regulation in addition to any other liabilities includes “payment of the fine of two per cent of annual gross revenue of the preceding year or the sum of N10m, whichever is greater in the case of a data controller dealing with more than 10,000 data subjects.
“In the case of a data controller dealing with less than 10,000 data subjects, payment of the fine of one per cent of the annual gross revenue of the preceding year of the sum of N2m, whichever is greater.”
According to the data regulation, data subjects must give consent to the processing of their personal data for one or more specific purposes and the purpose for collection should be made known to the subject.
The regulation added that data processing by a third party should be governed by a written contract between the third party and the data controller.
Breaches in data regulation has become a global issue attracting fines and litigation by government, especially in the European Union.