The National Information Technology Development Agency, NITDA, has ordered a data controller, Electronic Settlement Limited, to pay the sum of N5 million as a fine for certain breaches of personal data entrusted to the company.
NITDA said its action was in line with the requirements of the National Data Protection Regulation, NDPR.
The agency also directed the company to conduct a Data Protection Impact Assessment on some of its data-intensive applications and products.
Electronic Settlement Limited, ESL, is an indigenous payments company which claims to have the capacity to revolutionise the payment industry in Nigeria.
NITDA explained that the investigative process that led to the fine involved an analysis of the company’s applications and websites, a visit to the company’s office in Lagos, a review of its technical documents as submitted to the Agency, and interrogation of its officials by the NITDA investigation team in Abuja.
According to NITDA, at the end of the process, it was established that there was a data breach involving the company.
It, however, commended Electronic Settlement Limited for the actions taken to mitigate this breach, particularly its taking full responsibility for the breach, updating identified security issues, cooperation with the NITDA investigation team, recruitment of a data protection compliance organization, submission of its annual NDPR audit report and generally improving its compliance with the NDPR.
For NITDA, the company’s actions demonstrated a sense of responsibility and duty to protect the data of Nigerians and customers in general.
It further explained that the objective of the investigation was to assess the risk resulting from the breach, with a view to identifying the causes, remedial actions taken and other necessary issues to avoid recurrence.
The Director General of NITDA, Inuwa Kashifu Abdullahi, said: “The company has been well briefed on our prescriptions for better information security and protection of personal data”.
In compliance with the NDPR and the need to prevent a repeat of this unfortunate breach, NITDA directed that Electronic Settlement Limited shall be under a six-month information technology oversight by NITDA and that the oversight shall involve implementation of prescribed security controls and processes; that a clear data security and governance document be drawn up between Electronic Settlement Limited and all its Information Technology services vendors, identifying the roles, responsibilities and processes involved in securing and protecting personal data; and that the company conduct regular NDPR training for all staff, and publish and implement appropriate policies as required by the NDPR. The agency also directed that the company should submit its 2020/2021 regulatory audit as required by Article 4.1.6 of the NDPR, conducted by a Data Protection Compliance Organisation, DPCO, as licensed by NITDA.
Meanwhile, the agency has approved the extension of time to file the annual audit report to 30th June, 2021.
It thanked the public for its continued interest in ensuring the full implementation of the NDPR to safeguard the personal data of citizens and encouraged every data controller and processor to embark on necessary measures to protect personal data.
NITDA further reaffirmed its continued commitment to “implementing the NDPR vigorously and providing periodic updates to the public with regards to our activities and investigations in discharge of our mandate.”