The NDPC Fines Fidelity Bank for Data Breach
On August 21, 2024, the NDPC (Nigerian Data Protection Commission) issued a fine of NGN 555.8 million to Fidelity Bank Plc. Since the commission was established on the 4th of February, 2022, this is one of the few penalties it has imposed on any organization.

The investigation into the bank's data processing activities started with a complaint lodged with the NDPC. The complaint stated that the bank opened an account for the complainant using personal and sensitive data without the express permission of the data subject.

According to the NDPC, “It is to be noted that the Commission’s initial decision was issued in July 2023, and a directive to pay a remedial fee was issued in December 2023, and over ten correspondences were exchanged. The Commission issued repeated warnings to no avail. The Commission gave several opportunities for full accountability for over one year, considering the need to encourage compliance as a culture. However, Fidelity Bank did not provide the requisite, satisfactory remedial plan.”

The commission was left with no alternative but to issue a fine.

NDPC Fines Fidelity Bank For What Reasons?
During the investigation, the NDPC found the bank's data processing platforms lacking. Fidelity Bank was found guilty of the following:

Why Does It Matter?
Personal data is a very important part of every individual and organization. Some examples are: name, credit card number, bank details, age, etc. Such data is often used by hackers and cybercriminals to perpetrate crimes like identity theft, fraud, and attacks on targeted accounts. Since organizations like banks and businesses gather such information for processing, they need to devise means of data protection.

To combat this, Nigeria passed the data protection bill into law as the NDPA (Nigerian Data Protection Act) on 12, 2023. This law guides all organizations towards maximum protection of Nigerian citizens’ data. The law isn’t limited to institutions in Nigeria: a company in the EU, for instance, is subject to the NDPA as far as the data of a Nigerian is involved.

To break it down, these are some of the principles of data protection followed by every organization:

In addition to the above, businesses and organizations are mandated to outsource data processing to compliant third-party agencies only.

What Does This Mean for Nigerians?
The Nigerian banking sector lost approximately NGN 273 billion in 2022, and the number has spiraled beyond that since. This shows the importance of data protection and security for banks. Let’s link this back to the ‘NDPC fines Fidelity Bank’ fiasco. Based on the allegations, Nigerians who have accounts with Fidelity Bank are at higher risk of their data being lost to criminals. Why? The agency the bank uses to process personal data is not NDPA-compliant. In addition to external threats, the personal or sensitive data of the bank's clients is exposed to threats from the inside. All it takes is one corrupt official and the rest is history. Really, the list is endless.

What Was The Bank’s Response to The Trending “NDPC Fines Fidelity Bank”?
The bank has denied all allegations of data violations by the NDPC. In a statement released on Thursday and signed by Dr. Meksley Nwagboh, Divisional Head, Brand & Communications, Fidelity Bank Plc. said:

“Our attention has been drawn to a news story titled, ‘NDPC Fines Fidelity Bank for Data Breach.’

“While the matter is the subject of an ongoing engagement with the regulator, we wish to assure the public that we have conducted ourselves to the highest ethical standards by ensuring full compliance with existing laws on data protection.

“Below is a breakdown of our dealings with the NDPC since we received their letter informing us about an alleged data breach:

“On April 30th, 2023, we received a notice of investigation from the Nigerian Data Protection Agency (NDPA), now the Nigerian Data Protection Commission (NDPC).

“The investigation was in respect of a complaint from [name has been withheld to protect the identity of the complainant], who claimed that [name withheld] details were used to open an account in the bank without [name withheld] consent.

“Based on this notice, we conducted an internal investigation into the circumstances surrounding the claim and discovered as follows:

It continued:

“On May 2, 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed.

“On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents.

“At no point in the process was the account ever operational.

“On July 7th, 2023, we were invited for a pre-action meeting with NDPC. During the meeting, we restated our position as earlier communicated to them in our letter dated May 2nd.

“However, despite our explanation and evidence provided to support our claim, the agency informed us that they had reached a conclusion to impose a penalty on the bank.

“On December 5, 2023, we got a letter from NDPC demanding we pay a ‘remedial fee’ of N250 million within 21 days.

“We immediately commenced another round of engagements with the Commission as we were convinced we had not breached any existing law or regulation.

“While discussions were still ongoing with the NDPC, we received another letter on the 20th of August demanding that we now pay N555.8 million naira.

What’s Next After NDPC Fines Fidelity Bank
As we anticipate further news on the situation, we hope Fidelity Bank proves its innocence. Otherwise, it might not survive the reputational and financial consequences. The data breach at Fidelity Bank serves as a stark reminder of the risks associated with digital information. The fine imposed by the NDPC can’t even be compared to the threat the breach poses to individuals.

Financial institutions need to prioritize data security and invest in robust protection measures. You can trust us at Johan Consults. If you are a business owner struggling with NDPR and GDPR compliance, you can contact us for a consultation.
Data Protection Impact Assessments: Why You Need One
With advancements in tech, the process of collecting and storing data was expected to be smooth. Unfortunately, using the internet for data collection and transfer exposes it to more threats. The owners of the data collected are now vulnerable, as their data can suffer accidental loss or compromise. In the wrong hands, sensitive data can be destructive, enabling impersonation, targeted attacks, and the like.

What do organizations do then? They devise means of data protection, guided by data protection laws around the world. As a precautionary measure, data controllers (entities that collect data and determine the purpose of data processing) are required to carry out a data protection impact assessment.

What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment is the process of determining the level of risk involved in collecting personal data for a project. All projects come with risks, as long as data is involved. The main issue is how prepared data controllers are to contain those risks. Given that it is impossible to fight an unknown enemy, the purpose of a DPIA becomes obvious: it identifies the risks and also finds ways to reduce their impact.

The Importance of A Data Protection Impact Assessment
Organizations stand to lose everything unless they perform a DPIA. Think about it: no one would keep money in a bank prone to robberies. The same principle applies here. Clients trust organizations to keep their data safe, and regular data loss or compromise will do enough damage to shut down a company. A DPIA ensures data controllers are aware of the risks to data and ready to curtail them, so threats to the organization's reputation are averted. Besides that, organizations can avoid the penalties of data protection laws around the world. The GDPR, for example, deems a DPIA necessary under certain circumstances, so carrying out a Data Protection Impact Assessment is important to achieving GDPR compliance.

When is a DPIA Required?
According to the Nigeria Data Protection Regulation (NDPR), a DPIA is necessary where organizations process highly sensitive data. Sensitive data under the NDPR refers to personal data relating to an individual’s:

And others, as determined by Section 30(2) of the NDPR.

A DPIA is required when the data handled belongs to sensitive or differently-abled subjects. Systematic monitoring, large-scale profiling, automated decision-making with legal effects, and the application of new technological solutions are some of the situations that need a DPIA. On the flip side, a data protection impact assessment is not required where data processing is not likely to result in high risk to the rights and freedoms of persons. Honestly, organizations should carry out a DPIA whenever handling a new project, to be on the safe side.

Who Should Be Included in a DPIA?
The controller is 100% responsible for carrying out a DPIA. Other groups are involved in the process, but the data controller is held most accountable. The data controller may choose to outsource the process to a third party, especially when the organization lacks the expertise, experience, or personnel to conduct it. A project deemed risky may also warrant the use of a data protection service consultancy. Since the process is likely to affect several aspects of a project, it is necessary to involve engineers, developers, and designers, who will be able to shed more light on the DPIA process. The data protection impact assessment should be carried out with the utmost care. This requires a team of professionals well-versed in the DPIA process. Whether overseen internally by the organization or outsourced to a consultancy, the GDPR and the Data Protection Bill mandate the appointment of a Data Protection Officer (DPO).

Who is a DPO?
A Data Protection Officer is the person overseeing the process of a Data Protection Impact Assessment. A DPO can be outsourced from a data protection service consultancy if an organization lacks the personnel for it. Lastly, data subjects must be involved when carrying out a DPIA. This shows transparency while taking the concerns of the subjects into consideration.

How To Do a DPIA
Conducting a data protection impact assessment is serious business. Doing it the wrong way can cost an organization valuable time and money. To make the process simpler, here is a DPIA template you can follow.

Step 1: Identify The Need. It will be futile to carry out a Data Protection Impact Assessment where it is not needed. Below are some questions to determine if it’s necessary.

Step 2: Context. If you answered yes to any of the above questions, then you can move on to this step. Here, you have to be clear and specific. Be as detailed as possible.

Step 3: Describe the Flow of Information. For extra clarity, make use of a flow diagram.

Step 4: Identify and Assess the Privacy Risks. Make a list of the identified risks, their impacts, and the likelihood of their occurrence.

Step 5: Make a Risk-reduction Plan. Once the risks have been identified, the next step is to create a counterplan. How do you intend to curtail the effect of each of the risks? Document your plans, leaving no stone unturned. The expected result of the counterplan should also be documented.

Step 6: Delegation. Assign parts of the process to several personnel for the greatest effectiveness. Record who oversees what and the stipulated time frame for each activity.

Step 7: Reassess the Entire System. Double-check all the identified risks, impacts, and likelihoods against the control methods. This will close all loopholes.

These 7 steps are enough to get an idea of how to conduct a Data Protection Impact Assessment.

DPIA vs. PIA
The Data Protection Impact Assessment and the Privacy Impact Assessment (PIA) are tools that organizations use to estimate privacy risks to personal data in projects. While the former is a specific and mandatory requirement of the GDPR, any organization can use a PIA to assess the privacy impacts of its activities. A DPIA is legally necessary in certain cases within the EU, while a PIA is a best practice for data protection and privacy compliance globally.

Conclusion
In compliance with data
GDPR Compliance: All You Need to Know To Get Started
The digital age has made the world into a village. Conducting business across borders is now possible, and data transfer is done at lightning speed. Sure, this came with its own consequences: data is threatened now more than ever by unauthorised access, mishandling, loss, and cyberattacks, pushing organisations to put data protection systems in place. This is where GDPR compliance steps in. We will be looking at what the GDPR is, who it applies to, the principles guiding it, and how it compares to the Nigerian Data Protection Regulation.

What is GDPR?
GDPR stands for General Data Protection Regulation. It was established on May 25, 2018 to govern the process of data protection in the European Union (EU) and European Economic Area (EEA). It dictates how data is collected, processed, and used by organisations and individuals. The GDPR is regarded as the most comprehensive data protection regulation, so compliance is a top priority among data handlers.

Who Does The GDPR Apply To?
A common misconception is that the GDPR holds power only in the EU. True, the GDPR protects the data of EU citizens, but according to Article 3 of the GDPR, it applies to entities processing the data of EU citizens regardless of their geographical location. For instance, any business in Nigeria processing customers’ data has to be GDPR compliant once an EU citizen is in the mix.

Basic Terminologies in The GDPR
Decoding the GDPR and all it stands for can be difficult, especially for a beginner. Without understanding the terminology used, it’ll be even more confusing. To assist, here is a breakdown of the common terms in the GDPR.

Data Controller
A data controller is an entity (organisation or individual) that collects data for its own use. This entity determines the purpose for which data is collected and how it is processed. A controller may work alone or with others to process data.

Data Processor
This is usually a third-party entity that processes the data provided by the controller. Although the processor has access to the data, it does not control the purpose.

Personal Data
Personal data is simply any information that can be used to identify a real person, for example, name, address, national identification number, IP address, etc. Personal data covers a broad range. It can be basic, like age, or extremely sensitive, e.g., a social security number.

Data Subject
A data subject is the person whose data is being processed. The data subjects of businesses are their clients.

What Are The 7 GDPR Principles?
The GDPR has seven principles guiding data controllers and processors on how to protect data. These are also called the principles of data protection, and they are listed below.

Lawfulness, Fairness and Transparency
Data controllers must process data for lawful reasons. Such reasons must be made clear to the data subject beforehand.

Purpose Limitation
Personal data can only be processed for the purposes clearly stated beforehand. It cannot be used for any other purpose that contradicts the initial one.

Data Minimisation
The personal data collected must be relevant and limited only to the stated purpose. This is to avoid causing harm to subjects.

Accuracy
All personal data must be accurate and up-to-date. Inaccurate data must be corrected or destroyed immediately.

Storage Limitation
Personal data collected should not be stored for longer than necessary. Once the purpose of the processing is over, the data should be deleted.

Integrity and Confidentiality
Personal data must be processed with appropriate security against accidental loss, destruction, or damage.

Accountability
This principle states that data controllers must follow the GDPR and also be able to prove their compliance. Compliance can be proven through regular data audits, data processing records, and appointing a data protection officer.

There is one more key GDPR requirement: the Right To Be Forgotten. Under Article 17 of the UK GDPR, data subjects have the right to have their data deleted by data controllers after a period of time in the following events:
When the personal data is no longer needed for the stated purposes.
When the data subject revokes consent to the processing and there is no lawful reason to continue.
Where the owner objects to the processing and it cannot be overridden lawfully.
Where data is used for direct marketing or a minor is involved.

Need to get consent? Learn how to write a GDPR consent statement. Learn about more GDPR requirements, Data Protection Impact Assessments inclusive.

What is GDPR compliance?
GDPR compliance is when an organisation meets all the requirements for protecting data stated in the GDPR. GDPR compliance is required when data controllers and processors are handling data belonging to EU citizens.

Why is GDPR compliance important?
Compliance with the GDPR is important to avoid hefty fines and penalties. Organisations that fail to meet GDPR standards could be fined up to 4% of their annual global turnover or $20 million, whichever is higher. For non-compliant businesses, the fine is not all they have to worry about. Data loss is the greater penalty: customer trust will be compromised, and the company’s image will be damaged. Now that you know the consequences of non-compliance, let’s look at how to become GDPR compliant.

How to Ensure GDPR Compliance
To become GDPR compliant, organisations need to do the following:
Understand the GDPR principles and the rights of data subjects.
Document data processing activities.
Ensure they have the consent of the data subject(s).

A GDPR compliance checklist can help you track your progress, or better yet, seek expert advice from Johan Consults.

GDPR Compliance Checklist
You can use the checklist below to gauge how compliant your organisation is with the GDPR.
Know what data you are processing and who has access to it.
Have a lawful basis for processing data.
Make your data processing activities transparent.
Implement adequate data security measures like encryption and pseudonymisation.
Develop a data breach management system.
Assign a data protection officer for GDPR compliance.
Ensure the privacy rights of data subjects by making it easy for them to:
Request and get all their data.
Correct or update inaccurate data.
Revoke their consent to data processing.
Request the deletion of information.

For an easier job, you should try out
NDPR: An Overview of The Nigeria Data Protection Regulation
Organizations all over the world are facing a great challenge: how to safeguard data. The process of safeguarding data, known as data protection, is a delicate one. Companies, whether small, medium, or large, are exposed to data threats like cyberattacks, accidental loss, and compromise. Where the wrong persons access data, forgeries, targeted attacks, and impersonation are some of the consequences. This pushed countries, Nigeria included, to lay down ground rules to guide organizations in protecting the data of their citizens. Examples are the NDPR, GDPR, UK GDPR, etc. In this article, you’ll learn all there is to know about the Nigerian Data Protection Regulation (NDPR).

What is the NDPR?
NDPR stands for Nigerian Data Protection Regulation. It is a set of rules guiding the protection of Nigerians' data by organizations. The Nigerian Data Protection Regulation has four objectives, which are:

Territorial scope of the NDPR
Just like most data protection laws, its reach extends beyond Nigerian borders. The NDPR applies to any organization processing the personal data of Nigerian citizens (at home or abroad), regardless of its geographical location. For instance, if an organization in the EU wants to process the personal data of a Nigerian citizen, it has to follow the NDPR.

When was the NDPR Established?
The Nigerian Data Protection Regulation was established in January 2019 by the National Information Technology Development Agency (NITDA).

Who Regulates the NDPR?
In the initial stages, NITDA was the regulatory body. However, there was a need to create a separate body for the NDPR, as NITDA was stretched beyond what was necessary. The Nigeria Data Protection Bureau (NDPB) was established as the regulatory body. The purposes of the NDPB are:

Principles of the NDPR
The Nigerian Data Protection Regulation has some principles guiding organizations (data controllers).

Consent
Organizations must get the full consent of data subjects before collecting, processing, and storing their data. The subjects must give consent freely, with no trace of foul play. Data subjects also have the right to withdraw their consent.

Lawfulness
Data can only be collected for lawful purposes. Organizations must clarify the reasons for data collection, processing, and storage, and such purposes should be clearly disclosed to the data subjects.

Accuracy
All the data collected by organizations must be correct. Any inaccuracy should be rectified immediately.

Data minimization
Data collected can only be processed for the stated purposes. It is unlawful to process data for any reason contradicting the initial purposes.

Security
Organizations must take specific precautions to ensure data security. This includes measures against unauthorized access, disclosure, loss, and alteration of personal data.

Rights of data subjects
The NDPR also has provisions for data subjects. Individuals have the clear right to halt the processing of their data. They can also request access, erasure, and correction.

Differences between the NDPR and NDPA
NDPA stands for the Nigerian Data Protection Act. It was issued in February 2023 and is the current data protection law in Nigeria. Its issuance did not completely overrule the previous laws, the NDPR and the Data Protection Bill; rather, they were placed under its umbrella. While the NDPA covers most of the NDPR, it lacks the specificity of the latter. The major difference between the two lies in the definition of terms. In summary, the NDPA and NDPR are more similar than different. Where there is a conflict between the two, the NDPA is supreme.

NDPR and GDPR
The Nigerian Data Protection Regulation (NDPR) and the General Data Protection Regulation (GDPR) are the regulations for data protection in Nigeria and the EU, respectively. When it comes down to it, the penalties are different. Non-compliance with the GDPR comes with a fine of up to 4% of annual global profit or €20 million, whichever is higher. The NDPR non-compliance penalty is less severe: a fine of up to 2% of annual global profit or 10 million Naira, whichever is greater. The Nigerian Data Protection Regulation is an adaptation of the GDPR, which is more comprehensive, with a broader scope.

In conclusion
The Nigerian Data Protection Regulation is important for safeguarding data in Nigeria and meeting international standards while addressing local needs. Compliance with the NDPR will help organizations avoid penalties and foster trust among the client community. Are you an organization looking to scale up your NDPR and GDPR compliance? You can reach out to us at Johan Consults and be sure to get the best.