Chief Executive Officer of Data Services Protection Limited (DSPL), Tunde Balogun, speaks of data as the next big asset of global value that will replace crude oil in no distant time. DSPL, which offers data protection services nationwide to public and private entities, is one of the Data Protection Compliance Organisations (DPCOs) licensed by the IT regulator, the National Information Technology Development Agency (NITDA), to do data audit and filing in the country. Among other functions, DPCOs are licensed to provide data protection regulations compliance and breach services for all companies or organizations regarded under the law as Data Controllers and Data Administrators. Since being licensed, DSPL has grown to be one of the industry’s leading lights with extensive market grip of the public and private sectors. Its clients include Plateau and Oyo states and Upperlink, among others. Balogun is also the convener of the Association of Licensed Data Protection Compliance Organisations of Nigeria (ALDPCON), the umbrella body for all DPCOs in Nigeria.
Your company, Data Services Protection Limited (DSPL), is currently in Oyo state handling some works for the state on data basis, how and what stands you in good stead?
We are one of the 70 licensed Data Protection Compliance Organisations (DPCOs) in Nigeria. Our officers have worked extensively on GDPR in Europe, so we are one of the few licensed DPCOs in Nigeria that have some of the few advanced skill sets and good training capacity. So, that is why most of our clients are public sector institutions. I guess it is because we have some of the most advanced tool kits and data protection knowledge in the country. It’s no surprise we got the Oyo State job and a few other public institutions as well.
How have you gone about the contract?
As you are very aware, NDPR [Nigeria Data Protection Regulation] is just about two years old in the country and even globally, data protection is just about 8 years old. Therefore, it is a new industry gaining ground. Talking about NDPR in Nigeria in particular, one thing we have observed is there are no standards when it comes to the quantity required from industry, so, one of the things we have observed is that most of the other licensed DPCOs assume that NDPR starts and ends with just audits. Audit is just five per cent of the total implementation of a privacy programme. So, there is still the other 95 per cent of deliverables that our other competitors in Nigeria are not aware of, as I said, because audit is the one that has the 15th of March deadline, for all audit reports to be submitted every year. The audit report, like I said, is just five per cent of the work, but most other DPCOs always think NDPR starts with audit and as soon as they are done with their clients then their client is compliant. That is one of the areas we are addressing in DSPL; we are executing our own deliverables to our clients, and in Oyo State, for example, that is what we are doing, beyond audit.
What is the purpose of the NDPR and why is the government insisting on having it in all institutions?
Data protection is just something everyone is aware of. Data is the most valuable asset in the world right now and for the nearest future, and that is very true if you look at the five richest companies in the world: they are not manufacturing, they are not engineering, they are not into oil; the only thing they do is selling people’s personal data and they make billions. So, that will let you know that data is the most valuable asset in the world, more valuable than diamond, more valuable than crude oil.
So, you need to protect such a valuable asset; that is the reason why every country in the world has a data protection law. It would have been unserious if a big country like Nigeria didn’t have her own law on data protection. And not just because of size, but because it is a valuable asset and it needs to be protected. That is why when personal data gets into the wrong hands, we know the damage it causes. That is the reason why the Nigerian government is insisting that every institution, both private and public, that collects Nigerian citizens’ personal data must comply with NDPR.
You said Oyo state has started with eight MDAs, are there any plans to cover the other ministries?
We are doing the rollout in Oyo State in phases, so as soon as we finish this phase, we will start the second phase in other MDAs as well. The plan is to have it across all MDAs in the state. Just to put as a footnote, data protection compliance is a journey. It does not happen in one single year; that is why audit is mandatory every year and the audit has to be done every year and the reports submitted on the 15th of March every year, because it might take some organisations 5 years to be data protection compliant. So, what the audit does is that it exposes your shortfalls, your gaps.
Do you have an idea of states that are data protection compliant?
From my own perspective, there is no state that is compliant on a state level, but what they do is that each ministry in the state tends to comply on its own. Because remember, NDPR is about protecting personal data, and not all ministries collect so much personal data. So, what some of the states are doing is that they are choosing their ministries which are heavily burdened with processing a lot of personal data. Also in Nigeria, they complain of scarcity of funds, so they have to prioritise. So, answering your question, we know Plateau State, because we have done quite a lot of work in Plateau State. We are in Oyo State; those are the two states. Then we have a few federal agencies that we service as well.
Going forward, do you have any plans to cover more states?
We are hoping, as I said. With the way our services are evolving, we are almost becoming the default licensed DPCO for public institutions, at the local, state and federal levels. That is why even before we start talking about getting more states, I think what we need to ask is, what is really happening in the country right now, because I personally serve as the convener of the association of the 70 licensed DPCOs. So, what we tend to do as an association is that at every point in time, we look at the public arena and we look at the association, either public or private, that is currently involved in any activity that deals with processing of Nigeria’s personal data.
Some parties are into membership registration, for example; they are collecting a lot of personal data including biometrics, and we have been trying to get a way to bring it to the attention of the party executives that it has to come under the purview of the NDPR. More so, in biometrics, you don’t waste time in doing data protection because with biometrics in the wrong hands, that person can assume your identity. So when you have public institutions collecting personal data, including biometrics, and it is being stored in an agent’s laptop that can be forgotten in a danfo or whatever, you can imagine what might happen. Another one is the NIN, for example NIMC; they are the largest collector of data in Nigeria. So, those kinds of heavy personal data need to have NDPR focus on them. So, we are planning to go to other states; we are already speaking with some of them.
Is this connected to cyber protection?
Yes, cyber security is a major component, because there are seven principles in data protection and securing someone’s personal data is one of the principles in it. So, cyber security is part of securing someone’s personal data.
Breaking it down to a layman level, how do you do this?
We won’t give you details on how we implement, but I will tell you that data protection is not intrusive. What I mean by it is not intrusive, especially the audit process, is that sometimes when we speak to the clients, they think data protection audit is like financial audit where the accountant will come, auditors will come, start looking into account books etc. Data protection audit is not like that; we don’t come to your organisation and ask you to give us your username and password, and start opening your server. No, we don’t do that, because that is infringement. What we do is that we develop questionnaires that we give to you. So, that questionnaire, you will be the one to complete it, you will send it to us, and the responses to that questionnaire are what we will use to get a true picture of your data protection control and risk. That is why you find out that during the lockdown period, the data coming from the Bureau of Statistics about the state of the economy has been growing in ICT.
What we tell people is that please do not talk about digital economy if you are not ready for data protection. What we do is that, your personal data is your property, the government did not give it to you, your bank didn’t give you your name, your address is your personal property, the government did not give it to you. At that time, when you are giving that personal data to the bank because you want to open a bank account, you are doing that only for the purpose of opening a bank account. You are not giving it to them to start selling to one bank in South Africa or Rwanda; they have no right to do that. So, that is why I said our loyalty lies with the data subject. Our job is to ensure that those organisations are not doing that, to make sure they are not abusing the personal data and if they need to use your personal data, they need to seek your consent.
So, how would you know if an organisation is not data protection compliant?
Now, this is where the awareness needs to come in. If you look at GDPR, the standard for data protection law in the world, two years before GDPR kicked off, we spent those years doing awareness; all the European countries made sure they let the people know the dos and don’ts, let the citizens know their rights, then by the time GDPR was implemented 2 years after, everybody knew what was going on. But on the Nigerian side, the public are not aware of NDPR. But it is going to get better, because it is when the public is aware and you know your right has been breached that you can go and report the organisation.
I will give you an example. I went to Domino Pizza one day, I ordered for pizza and they asked me for my name and some other details and I asked why? Because these are my personal data. They said because the pizza is going to take minutes before it is ready, so when the pizza is ready they can call me to come and pick it. I said okay, good, that is why you need my personal data, right? They said yes. So, immediately I leave there with my pizza, what should they do? They should delete my data, isn’t it? Because the reason why they asked for my personal data has been fulfilled, so they don’t need to hold my personal data with them anymore. Two weeks later, I started getting messages from Chicken Republic and organisations and before you know it, it may fall in the hands of someone like Hushpuppi. So, this is the reason why you need to ask your clients for their permission and why data protection is compulsory. So, there is a need for necessary and adequate awareness to let the people know there is a law that protects them when their rights are being violated, and hopefully that will encourage compliance and enforcement.