Nigeria’s Data Protection Commission chief, Vincent Olatunji, wants to blacklist noncompliant firms that are not adhering to the data privacy laws
Nigeria’s Data Protection Commission (NPDC) will blacklist companies that have refused to comply with its data protection regulations. Its commissioner, Dr. Vincent Olatunji, in an exclusive interview on the sidelines of its workshop held in Ikeja yesterday, said it will also publish a white list of companies that have complied with the provisions of the law in terms of safeguarding the data of citizens in the country on its website, adding that, “it creates confidence and trust in whoever wants to do business with you.”
According to Olatunji, all data controllers and data processors should be registered within six months of the enactment of the law, in line with the act’s provisions, and file an annual audit report with the commission, submitted between January and March next year. The commissioner explained that as a continent, Africa is trying to fashion out a common law for data protection under the African Union regulatory framework for data privacy.
Clarifying the unclear provisions
Before now, lawyers had raised concerns about unclear provisions of the act, especially in areas like the commission’s independence. Some noted that there might be a possible conflict in the discharge of section 32 of the act, which provides for a data controller of significant importance— to have a Data Protection Officer (DPO) who can either be an employee or engaged by a service contract.
Olatunji told TechCabal that the NDPC is independent; section 7 of the law speaks to that. He explained that it would be difficult for the commission to stand alone without the ministry as long as it continues to enforce the provisions of its act under the federal government.
The commissioner also said there was no conflict with Section 32 of the act. According to him, a DPO advises a data controller on collecting, processing, storing, sharing, and securing data in line with the requisite laws locally and globally. DPOS must exist to be able to advise their organisation appropriately. “The DPO should link the organisation and outsiders, including the NDPC. That is why as a data controller of major importance, you must have your own DPO to advise you, to create awareness, to build capacity and tell you the kind of measures to put in place,” Olatunji explained.