BRIEF OVERVIEW OF DATA PROTECTION IN NIGERIA

Introduction

The rapid growth and expansion of financial technology, commonly known as fintech, in Nigeria has significantly contributed to the ease of financial transactions and increased financial inclusion. This progress is largely due to the ever-evolving world of technology, which has greatly improved access to financial services. However, for this personalised financial experience to be possible, fintech companies must collect personal information and data from their users, such as names, addresses, phone numbers, and even the National Identification Number (NIN) and Bank Verification Number (BVN).

These sensitive data points are vulnerable to misuse and breaches, which can result in fraudulent activities, identity theft, and other related issues. It is therefore crucial that fintech companies exercise due diligence in safeguarding the data they collect against breaches or theft. To ensure this, the Nigerian government has established various legal frameworks and agencies to ensure that these fintech companies fulfil their legal obligations in compliance with the laws governing user privacy and data protection. This article aims to provide a brief discussion on these legal obligations, compliance requirements, and potential breaches.

Data Protection

Nigeria has several regulatory bodies tasked with ensuring that user data is properly protected and handled by fintech companies. Among these is the Nigerian Data Protection Commission (NDPC), which is considered the principal body overseeing data protection, privacy, and guidelines. The NDPC is tasked with enforcing the Nigerian Data Protection Act 2023, which supersedes the Nigerian Data Protection Regulations (NDPR) 2019 and the NDPR Implementation Framework 2019, both of which were issued under the authority of the National Information Technology Development Agency (NITDA) Act. The NDPA establishes crucial data protection guidelines that every fintech company must follow, including but not limited to:

• Ensuring that any data being processed is done within the confines of lawful use, following the principles of consent, transparency, and security.
• Implementing appropriate technical measures to ensure the security of personal data, including protection against accidental destruction, loss, misuse, or unauthorised disclosure.
• Requiring every fintech company to have a data protection and privacy policy that is easily accessible and understandable, clearly outlining how user data is handled, secured, and used.

There are many more legal obligations embedded in the Act that fintech companies must adhere to. In the event of a breach, penalties and sanctions may be imposed. For example, the NDPC has the authority to investigate suspected breaches and impose penalties ranging from fines to imprisonment, or both, depending on the severity of the violation.

Conclusion 

Nigeria’s legal framework on data protection concerning fintech companies is vital, as it demonstrates the government’s commitment to integrating technological advancement while maintaining legal boundaries. This framework enhances user trust and confidence in the fintech space, ensuring that fintech companies remain accountable and transparent by strictly adhering to the provided data management guidelines. When there is a default, adequate penalties and sanctions are imposed as necessary.