Fintech Association Of Kenya’s Post

Very interesting but it's just a time bomb in many institutions. Data protection is something that many institutions have not paid keen interest in despite the many international laws on data privacy. Essentially, data protection safeguards information from damage, corruption, or loss and ensures that data is readily available to users through backup, recovery and proper governance. Data privacy is about controlling access to specific data. Data security aims to protect the integrity of the data against internal and external threats of manipulation and malware.

BREAKING: FG imposes N555m fine on Fidelity bank for data breaches The federal government has imposed a 555 million naira fine on Fidelity Bank plc for data breaches. The fine was imposed by the Nigeria Data Protection Commission (NDPC), supervised by the Federal Ministry of Communications, Innovations and Digital Economy. The National Commissioner of the NDPC, Dr Vincent Olatunji disclosed this in Abuja on Wednesday at a Stakeholders validation workshop on the Nigeria Data Protection Act General Application and Implementation Directive. Fidelity Bank plc has 14 days to pay up the fine upon receipt of the letter from the NDPC. According to Dr Olatunji, the fine was imposed on Tuesday (yesterday) after a series of efforts geared towards enforcement of the NDPC Act 2023 and ensuring industrial harmony, but the bank’s authorities proved difficult during investigations. Olatunji explained that Fidelity Bank not only violated the NDPC Act, 2023, but aggravated its matter by its arrogance towards constituted authority, and was fined 555 million naira representing 0.1 percent of its annual gross revenue in 2023. He added that the fine was the highest fine to be issued by the commission, asserting that the bank showed poor cooperation during the NDPC’s investigation. Olatunji explained that Fidelity Bank not only violated the NDPC Act, 2023, but aggravated its matter by its arrogance towards constituted authority, and was fined 555 million naira representing 0.1 percent of its annual gross revenue in 2023. He added that the fine was the highest fine to be issued by the commission, asserting that the bank showed poor cooperation during the NDPC’s investigation. Olatunji said: “Data protection compliance is important and we have stated that non-compliance will be punished. We have penalties that range from N10m or up to 2 percent of gross earnings for the previous year. “The whole thing is about awareness for people to be aware of what is in the law, and the data protection ecosystem in Nigeria is still evolving, which is why we need to create more awareness as much as we can to avoid ambiguity. “We have a PPP model to ensure compliance, we have licensed some professionals on data protection, that’s the Data Protection Compliance Organisations of Nigeria. “We have licensed about 194 of them, and they go around organizations, private sectors, to take them through compliance in terms of crafting their privacy policy, creating awareness within the organizations. WhatsApp Facebook Twitter Email LinkedIn Reddit The post BREAKING: FG imposes N555m fine on Fidelity bank for data breaches appeared first on Akelicious.

A step in right direction in regards to data privacy and protection.

Data protection is becoming a high risk area.

📢 The Qatar Financial Center (QFC) Data Protection Office (DPO) has recently imposed a reprimand and financial penalty on a QFC licensed firm for the infringement of QFC Data Protection Regulations 2021 (the Regulations). A substantial data breach at the firm led to the exposure of a considerable amount of personal data. The firm failed to notify the DPO within seventy-two hours of becoming aware of the breach. The Regulations mandate to report a personal data breach with in seventy-two hours of becoming aware of the breach. The firm submitted the personal data breach report to the DPO with a delay of at least 10 days. ➡️ The DPO has found the following reasons for the personal data breach: ·      Inadequate security measures ·      Lack of monitoring and oversight ·      Lack of implementation of relevant technical and organizational measures essential for maintaining the security of the personal data ·      Unauthorized access ·      Insufficient retention and recording of activities Accordingly, the DPO imposed a financial penalty of US$ 150,000 and have issued a reprimand on the firm. However, due to firm’s cooperation during investigation, the DPO has not issued a public censure in the matter. Further details can be found at : https://lnkd.in/dH2Pebre

The Long Arm of DPA, 2019: ODPC Complaint No. 380 of 2024 - Sigei Caleb v. Mulla Pride Limited In a determination dated June 3, 2024, the Office of the Data Protection Commissioner (ODPC) found Mulla Pride Limited (MPL) liable for violating the complainant’s right to be informed of the use of their personal data, as required by Section 29 of the Data Protection Act, 2019 (DPA, 2019). The ODPC issued an enforcement notice against MPL, recommended the prosecution of MPL directors for obstruction contrary to Section 61 of the DPA, 2019, and ordered MPL to compensate the complainant KES 250,000.00. This determination demonstrates the extensive authority of the ODPC in ensuring data protection and privacy. Despite MPL admitting to contacting the complainant multiple times regarding a loan he was not a party to, disciplining the agent responsible, apologizing for the breach, and informing the ODPC that they were in the process of closing shop, it was apparent that it was ignorant of what the ODPC could do. The ODPC investigations revealed that MPL was still operational and only closed on the day ODPC officers were scheduled to visit their premises for investigations. Additionally, the ODPC flagged MPL as a repeat offender, having obstructed the ODPC in a similar case in Complaint No. 135. This case underscores the critical importance of data compliance in modern day Kenya. Beyond fines, entities that breach data laws risk the prosecution of their directors. As demonstrated in this case, the ODPC will not hesitate to recommend criminal prosecution against the directors of non-compliant entities depending on the nature of breach. The determination can be accessed here: https://lnkd.in/d2B3QFWK

Banks, telcoms, oil firms to lose 2% revenue for data breach – FG Commercial banks, telecommunications companies, and other organisations will lose two percent of their annual revenue to the Federal Government for any breach of their customers’ data, the Nigeria Data Protection Commission (NDPC), has said. Olatunji said, depending on the impact on the victim and other factors, the sanctions could be more or less severe. He said: “At the core of the NDPR is the essence of respect – respect for the personal data of our citizens, respect for privacy, and respect for digital rights. This respect is now solidly etched in the NDPA”. . . Our firm stands ready to assist your organization by conducting comprehensive risk assessments, compliance audits, and gap analysis against ISO 29100 and relevant frameworks. We provide actionable recommendations and support for remediation efforts, ensuring alignment with international best practices in data protection. By partnering with us, you can strengthen your organization's data privacy posture, mitigate breach risks, and demonstrate a proactive commitment to respecting digital rights and customer privacy. Let us empower your team to safeguard sensitive information and navigate regulatory challenges with confidence. If your organization is on this table, then you have to register for our upcoming webinar on, "Effectively  Auditing ISO 29100; Privacy Framework in the Digital Era" which will be anchored by our very own Managing Partner! Webinar Details: Speaker: Orlando Olumide Odejide Date: 23 May, 2024 Time: 11AM Registration Link: bit.ly/EAT29100 Adherence to international standards like ISO 29100 can mitigate the risk of regulatory penalties and revenue losses. Register Now!

Mulla Pride Ltd, a Digital Credit Provider was held to be in breach of the Data rights of the complainant for using his mobile number for the purpose of being enlisted as a secondary contact(guarantor in case of breach) to one of its customers without his consent. Analysis and determination 🔷Before the respondent used the complainant's mobile number as a secondary contact to its customer, it ought to have sought his consent. 🔷Failure to seek the complainant's consent violated his right to information. 🔷In collecting data, data controller/processors ought to collect the data from the data subject directly unless in exceptional instances. 🔷The Respondent failed to demonstrate that the facts in this case met the exceptions of collecting data indirectly from the data subject. 🔷The Respondent also failed in notifying the complainant the use to which his collected data was to be put into. ⚖️The Respondent was ordered to pay the complainant kshs. 250,000 as compensation for the data breaches . ⚖️The data protection commissioner recommended criminal proceedings against the respondent from obstructing the office from performing its duty.

Personal data leaks to become more costly   In the past year, Russian businesses have seen major data leaks. Enormous amounts of personal data collected by major banks, retail and transport companies have found their way to the net, with the incidents causing mass violations for people and reputational damage for companies.   So it was only a matter of time before lawmakers reacted.   There are now two bills in the State Duma (lower parliament) that harden liability – both administrative and criminal – for personal data breach. If these bills pass, business will have to adapt accordingly.   There will be new types of administrative liability. For example, if after a data leak incident the controller (or personal data “operator” per Russian laws) does not notify the Russian data protection authority (Roscomnadzor) or notifies it too late, they could be fined up to RUB 3M (about USD 35K).   There is also a proposal to increase other administrative fines, especially for companies. Maximum fixed-amount fines could reach up to RUB 15M (about USD 170K), for example, if personal data of more than 100K data subjects is leaked or if sensitive data is leaked. If the violation repeats, the controller could be fined based on their turnover – from 0.1% to 3% of annual company revenue, but in any case no less than RUB 20M (USD 227K) and up to RUB 500M (USD 5.7M).   Although, let’s be honest, increasing fines is not necessarily a cure for lowering the number of violations.   In addition, new criminal violations will be added to the Russian Criminal Code as regards illegal turnover of PD. Depending on the gravity of the violation, punishment could include not just fines, but also imprisonment. For example, illegal cross-border transfer of personal data could result in up to 8 years of prison with a fine up to RUB 2M (USD 23K). This expands the circle of people who can be held liable for the crime, including company management.   Needless to say, data protection is something to be noted prior to a leak incident occurring, and companies are advised to audit their current data processing practices, enhance their information security technical and organizational measures, as well as increase awareness of their staff regarding the law.   We will keep watch as to progress with these bills. Meanwhile, keep your personal data safe.   We can change the world Stand up for Your Values Vlad Zabrodin ©

DO YOU KNOW YOUR RIGHTS AS A DATA SUBJECT UNDER THE NDPA??? In our increasingly connected world, the importance of protecting personal data cannot be overstated. Our personal information is deeply intertwined with everyday activities, from online banking to social media. As a Nigerian, the Nigeria Data Protection Act (NDPA) 2023 empowers you with crucial rights to safeguard your personal information. The Rights include: RIGHT TO ACCESS 📂 You have the right to know what information organizations hold about you. This means you can request a copy of your personal data from any company, and they must provide it. RIGHT TO RECTIFICATION ✏️ If you find that your data is incorrect or incomplete, you have the right to request that it be corrected or updated. Ensuring your data is accurate is your right! RIGHT TO ERASURE (Right to be Forgotten) 🗑️ In certain situations, you can request that your personal data be deleted. Whether the data is no longer necessary or you simply want it removed, your request must be honored. RIGHT TO OBJECT 🚫 You have the right to object to the processing of your data, especially if it’s being used for marketing or other purposes you don’t agree with. Once you object, the organization must stop processing your data for those specific purposes. RIGHT TO DATA PORTABILITY 🔄 If you want to move your data from one service to another, you can request it in a structured, commonly used format, allowing for easy transfer to a different provider. RIGHT TO RESTRICT PROCESSING ⏸️ If you’re unsure about the accuracy or use of your data, you can request to temporarily limit its processing. This gives you control while any issues are being resolved. RIGHT TO BE INFORMED ℹ️ You have the right to know how your data is being collected, used, and shared. Organizations must be transparent about their data practices, ensuring you’re fully informed. RIGHT TO WITHDRAW CONSENT ❌ If you previously gave consent for your data to be used, but now want to change your mind, you can withdraw your consent at any time. Organizations are required to stop processing your data as soon as you revoke your consent. RIGHT RELATED TO AUTOMATED DECISION-MAKING AND PROFILING 🤖 You have the right not to be subject to decisions made solely based on automated processes, including profiling, that could significantly affect you. You can request human intervention, express your viewpoint, and contest the decision. These rights are designed to protect your privacy and ensure that your personal information is handled with care and respect. Knowing and exercising these rights helps you stay in control of your data. Please let’s continue to make privacy a priority! 🛡️ #YouFirst #DataPrivacy #KnowYourRights #NDPC