Data blunder
The National Data Protection Commission (NDPC) has fined Fidelity Bank Plc ₦555.8 million for breaching its customers’ data, the…
The National Data Protection Commission (NDPC) has fined Fidelity Bank Plc ₦555.8 million for breaching its customers’ data, the commission’s National Commissioner, Vincent Olatunji, said in Abuja. Mr Olatunji said the Commission has been investigating the bank since April 2023, adding that it decided to issue a full penalty due to its arrogance and poor cooperation during the investigation. Olatunji stated that the fine, issued on Tuesday, must be paid within 14 days. It is the highest-ever fine the commission has imposed for violating the Nigeria Data Protection Act 2023 and Nigerian Data Protection Regulations 2019, totalling 0.1% of the bank’s 2023 annual gross revenue.
Globally, data protection has become increasingly important for regulators and regulated entities. In Europe, for example, data protection breaches can result in fines of up to $15 million per incident. Similar laws are in place in Nigeria, and all regulated financial institutions have been required to implement the guidelines since 2020. However, they have not been consistently enforced. The Nigeria Data Protection Act 2023 established the NDPC, and the commission seems eager to make a strong impression and capture Nigerians’ attention. It is unusual for a regulator to impose a sanction on an institution due to arrogance and poor cooperation during an investigation, even if the law grants the Commission such powers. We anticipate an increase in enforcement actions by the NDPC in the coming years, and only compliance can protect firms from penalties. Nigerian firms must invest in the necessary technology, processes and governance to ensure compliance. This is especially important, considering the enforcement agency may prioritise revenue generation through fines. Another perspective to consider is the NDPC’s role in safeguarding public data, such as National Identification Numbers (NIN), passports and other sensitive information, especially in light of recent breaches. For instance, the NIN details of a minister were reportedly purchased for just ₦100 ($0.06), with no visible action taken by the agency. This raises an important question: if private institutions are held to high compliance standards, what expectations are being placed on the government to lead by example? Given the amount at stake, Fidelity Bank may go to court to challenge the NDPC’s authority, which could take years to resolve. However, an out-of-court settlement between both parties is more likely.