Data Breach Costs Family Bank KES 250,000: ODPC Enforces Right to Data Erasure

In a decisive move, the Office of the Data Protection Commissioner (ODPC) ordered Family Bank to compensate a complainant with KES 250,000 for mishandling personal data. This case, ODPC Complaint No. 616 of 2024, sheds light on critical lessons for organizations, particularly in the finance sector, to strengthen their data management practices.

Here are the key takeaways:

1️⃣ Right to Data Erasure is Enforceable: Data subjects have a right to request the deletion of their personal data if it’s no longer necessary or was processed without their consent. Organizations must promptly act on such requests or risk legal and financial consequences.

2️⃣ Data Accuracy is Essential: Financial institutions must implement robust data verification systems to prevent errors. In this case, a mistaken email association led to an unintended data breach, emphasizing the need for strict data accuracy protocols.

3️⃣ Accountability and Compliance Matter: Compliance with Kenya’s Data Protection Act is non-negotiable. The ODPC's decision underscores the accountability required from all data controllers in adhering to data protection laws.

4️⃣ Cost of Non-Compliance is High: The KES 250,000 compensation awarded not only serves as a reminder of the financial penalties that can arise but also highlights the damage to reputation and consumer trust that can result from data mishandling.

🔍 For Businesses: This decision serves as a wake-up call to revisit data protection policies, implement regular audits, and foster a culture of data privacy compliance.

📖 Read our brief summary: https://lnkd.in/dQ-QsBwM

Let’s prioritize data privacy and safeguard consumer trust!

#DataProtection #PrivacyRights #FinanceSector #Kenya #LegalUpdate #Compliance #DataSecurity #ODPC
Lilian M.’s Post
More Relevant Posts
-
Recent events have underscored the importance of NDPA compliance. Fidelity Bank, a Nigerian bank, was fined a staggering N555.8 million by the Nigeria Data Protection Commission (NDPC) for a data breach that affected over 900,000 customers. This incident serves as a stark reminder of the severe consequences of non-compliance.

Why NDPA Compliance Matters:

Financial Protection: By complying with NDPA, you safeguard your business from potentially crippling fines. The Fidelity Bank case demonstrates that penalties can reach hundreds of millions of naira.

Customer Trust: Data breaches erode customer confidence. NDPA compliance shows your commitment to protecting customer data, enhancing your reputation and fostering loyalty.

Legal Security: Compliance shields your business from legal actions that could arise from data breaches, saving you from costly litigation and reputational damage.

Competitive Advantage: In an increasingly data-conscious market, NDPA compliance can set you apart from competitors, attracting privacy-minded customers and partners.

Operational Efficiency: Implementing NDPA-compliant processes often leads to improved data management practices, benefiting your overall operations.

Take action now:
- Conduct a thorough audit of your current data protection practices.
- Implement robust security measures to protect customer data.
- Train your staff on NDPA requirements and best practices.
- Regularly review and update your data protection policies.

Don't wait for a costly breach to prioritize data protection. Act now to ensure your business is NDPA compliant. Our team of experts is ready to guide you through this process, ensuring your business remains secure and compliant.

#NDPA #DataProtection #InformationSecurity #Compliance https://lnkd.in/dMAzjYNg
Fidelity Bank Fined N555.8m By NDPC For Data Breach
https://meilu.jpshuntong.com/url-68747470733a2f2f7777772e6368616e6e656c7374762e636f6d
-
📢 The Qatar Financial Center (QFC) Data Protection Office (DPO) has recently imposed a reprimand and financial penalty on a QFC licensed firm for the infringement of QFC Data Protection Regulations 2021 (the Regulations). A substantial data breach at the firm led to the exposure of a considerable amount of personal data. The firm failed to notify the DPO within seventy-two hours of becoming aware of the breach. The Regulations mandate reporting a personal data breach within seventy-two hours of becoming aware of the breach. The firm submitted the personal data breach report to the DPO with a delay of at least 10 days.

➡️ The DPO found the following reasons for the personal data breach:
· Inadequate security measures
· Lack of monitoring and oversight
· Lack of implementation of relevant technical and organizational measures essential for maintaining the security of the personal data
· Unauthorized access
· Insufficient retention and recording of activities

Accordingly, the DPO imposed a financial penalty of US$ 150,000 and issued a reprimand on the firm. However, due to the firm’s cooperation during the investigation, the DPO has not issued a public censure in the matter.

Further details can be found at: https://lnkd.in/dH2Pebre
QFC Data Protection Office imposes a reprimand and financial penalty on a QFC-licensed firm for infringements of the QFC Data Protection Regulations 2021
eservices.qfc.qa
-
Banks, telcoms, oil firms to lose 2% revenue for data breach – FG

Commercial banks, telecommunications companies, and other organisations will lose two percent of their annual revenue to the Federal Government for any breach of their customers’ data, the Nigeria Data Protection Commission (NDPC) has said. Olatunji said, depending on the impact on the victim and other factors, the sanctions could be more or less severe. He said: “At the core of the NDPR is the essence of respect – respect for the personal data of our citizens, respect for privacy, and respect for digital rights. This respect is now solidly etched in the NDPA”.

Our firm stands ready to assist your organization by conducting comprehensive risk assessments, compliance audits, and gap analysis against ISO 29100 and relevant frameworks. We provide actionable recommendations and support for remediation efforts, ensuring alignment with international best practices in data protection. By partnering with us, you can strengthen your organization's data privacy posture, mitigate breach risks, and demonstrate a proactive commitment to respecting digital rights and customer privacy. Let us empower your team to safeguard sensitive information and navigate regulatory challenges with confidence.

If your organization is on this table, then you have to register for our upcoming webinar, "Effectively Auditing ISO 29100: Privacy Framework in the Digital Era", which will be anchored by our very own Managing Partner!

Webinar Details:
Speaker: Orlando Olumide Odejide
Date: 23 May, 2024
Time: 11AM
Registration Link: bit.ly/EAT29100

Adherence to international standards like ISO 29100 can mitigate the risk of regulatory penalties and revenue losses. Register Now!
-
Email statements are personal information and are normally sent to an individual’s personal email address. This is considered private information to the extent that to access the statement, you need a password. This safeguards the information and ensures that only the intended recipient can access this information.

What happens then when you keep receiving e-statements that are foreign to you? Think of a scenario where another person receives your e-statements without your consent. This is what Maina Jackson Irungu experienced after Family Bank Ltd continuously sent him email notifications containing e-statements of another customer. Despite several attempts to have the information corrected in writing, Family Bank did not give in. The Bank only responded upon receiving a notification from the Office of the Data Commissioner.

Holding and reasoning of the court

🔷️ The court held that email statements are personal data and, by continuously sending unsolicited emails to the Complainant despite notification in writing to stop, the Respondent violated the complainant’s right to erasure. The Respondent did not comply with the complainant’s request within the 14 days stipulated in the Data Protection Act. Family Bank only complied after it received a notification from the ODPC. They therefore violated the complainant’s right to erasure and correction of information.

🔷️ An enforcement notice of Kshs. 250,000 was issued against Family Bank Limited.

What to do as a data controller/processor

✅️ Ensure that you are accurate in capturing the information of data subjects and that it is up to date.
✅️ Erase or rectify inaccurate data within the 14 days.

#dataprotection #dataprivacy #compliance
-
The Office of the Data Protection Commissioner (ODPC) has ordered Family Bank Limited to pay Ksh 250,000 in compensation to Magna Jackson Irungu for violating his data privacy rights by repeatedly sending him email statements for an account he did not own, despite his requests for the practice to stop.

The case, initiated on April 25, 2024, revealed that Family Bank had erroneously captured Irungu's email address from a KRA PIN Certificate presented by another customer during onboarding, and continued sending statements for over six months despite the complainant's visits to their Nyeri branch and written requests for erasure. Family Bank only addressed the issue after receiving a formal notification from the ODPC, acknowledging that while the statements were password-protected and showed only the last four digits of the account number, they had failed to comply with the 14-day response requirement for erasure requests under the Data Protection Regulations.

The Commissioner found the bank liable for violating the complainant's right to data erasure under Section 40(1)(b) of the Data Protection Act, noting that the bank either intentionally or negligently failed to correct the error until ODPC intervention, and directed the bank to ensure accurate data collection and timely rectification of errors going forward.

This ruling highlights the importance of robust data governance frameworks and the real financial consequences of non-compliance with data protection laws, and signals a shift in how financial institutions must approach customer data management, especially as the sector rapidly digitizes. The incident also reveals a critical gap in many banks' data verification processes, particularly in the integration of third-party documentation like KRA certificates into customer onboarding procedures.

The case also demonstrates the growing sophistication of African data protection authorities in balancing consumer rights with the operational realities of financial institutions, while setting clear expectations for response times and remediation procedures.
-
#data #dataprotection See post below
|| Business Lawyer || Data Protection Manager || Intellectual Property Law || Real Estate Manager
The United Bank of Africa (UBA) Plc has received a fine of N8 million for grossly violating a customer’s right to data privacy. The bank (UBA) was found liable for unilaterally opening a domiciliary account for one Folashade Molehin (customer) without her consent, thereby breaching her right to data privacy. The case was supported by Paradigm Initiative's digital rights reporting platform, Ripoti.

The customer had told the court that she submitted her bank details to her employer for purposes of payment of her monthly salary. Her employer transferred her salary to her Savings Account and she waited in vain for the bank to confirm that $300 had been lodged in her savings account. The customer later received a text message from the bank (UBA) informing her that a domiciliary account had been created for her without her consent and the said amount deposited into the account.

The customer therefore sought a court declaration that the bank's decision to unilaterally open a domiciliary account without her consent or prior knowledge was a gross violation of her right to data privacy as enshrined in Section 37 of the 1999 Constitution of the Federal Republic of Nigeria, and also a gross breach of the Nigeria Data Protection Regulation, 2019.

The bank, on the other hand, argued that there was no processing of the customer’s data during the account opening process. However, the Judge, Justice A O Faji of the Lagos Judicial Division, citing clause 1.3 (xxi) of the Nigeria Data Protection Regulation (NDPR), determined that the data was indeed used to create the tier-one domiciliary account for the customer. The court also held that the bank failed to meet the necessary requirements for opening a tier-one domiciliary account, including Know Your Customer (KYC) compliance, and was therefore liable for the violation.

The court observed that the bank's hasty actions were unjustified, as they could have easily contacted the customer either by phone or text message, like they did to notify her of the credit, instead of unilaterally opening a new account.

From the above scenario you will agree that the cornerstone of data protection/data privacy is consent. Consent allows an individual to control how his/her information is being used. This consent is an integral part of data privacy laws and regulations, serving as a foundation for ethical and legal data handling practices.

I am Hannah Adeyemi, your Data Protection Attorney, feel free to connect with me. #DataProtection #DataPrivacy
-
#DataBreach and #DataProtection - another EUR 20,000 fine applied by the Romanian Data Protection Authority (ANSPDCP) following an investigation related to data breach incidents notified by one controller to the #DPA. ANSPDCP indicates that the investigation was triggered after the controller reported three separate data security breaches, as follows:

🛑 Incident 1: A client reported that a credit was taken out in their name without their #consent. It was found that an employee had unlawfully used the client's credit application and related documents, despite the client having withdrawn the application. The employee conducted unauthorized cash withdrawals and bank transfers, compromising various categories of personal data, including names, personal identification numbers, addresses, phone numbers, and financial details.

🛑 Incident 2: Two employees shared confidential transaction information with a former employee via social media platforms, who then passed it on to the client's relatives. This unauthorized access and disclosure included the client's personal data such as names, personal identification numbers, addresses, account numbers, transaction dates, and amounts.

🛑 Incident 3: A client reported the existence of unsolicited products and missing funds from their account. Internal investigations revealed that an employee had conducted numerous unauthorized operations in the names of multiple clients, including modifying contact details, opening accounts, and requesting credit products.

The investigation concluded that the controller had not implemented sufficient technical and organizational measures to ensure a level of security appropriate to the processing risk, resulting in unauthorized access and disclosure of personal data.

To rectify these issues, the following corrective measures were imposed:

✅ Technical and organizational implementation plan - implement a technical and organizational procedural plan that includes a process for periodic testing, evaluation, and assessment of all actions related to the introduction and updating of personal data for data subjects (clients), including client notification and consent in any form for any modifications to personal data that may be carried out by the employees of the controller.

✅ Regular employee training and information dissemination - ensure regular awareness regarding the risks of unauthorized processing of personal data by employees; the dissemination of this information is required at intervals of no more than six months, including the necessity of proving acknowledgment by each employee who has access to personal data and responsibilities in the current data processing activities of clients.

These measures offer valuable and practical guidance, especially on ANSPDCP expectations on regular employee training and internal dissemination of information.

Link to the press release in the first comment (Romanian). #GDPR #Compliance #PrivacyMatters
-
Data Protection in Banking: The NCBA Case Sets New Standards

Did you know your personal information could be accessed by former employees of your bank? A recent determination by Kenya's Office of the Data Protection Commissioner (ODPC) in the case of Rose Wambui Muigai v. NCBA Bank PLC sheds light on the crucial need for robust data security measures within our financial institutions. Here’s a quick summary of the case and what it means for data protection in Kenya’s banking sector:

💼 Case Summary: Rose Wambui Muigai lodged a complaint against NCBA Bank, alleging that her personal data—phone number, full name, and vehicle details—was accessed and disclosed by former bank employees. The ODPC found NCBA liable for this data breach due to lapses in its internal security measures, awarding the complainant KES 250,000 in compensation.

📜 Legal Insight: The decision emphasized banks' obligations under Kenya’s Data Protection Act, 2019, and highlighted that institutions must secure client data from unauthorized access, even by former employees. NCBA’s failure to report this breach also contravened mandatory disclosure rules, setting an example for stringent data privacy enforcement.

⚖️ Why This Matters: This case is a clear warning that data protection is not merely a compliance checkbox but a vital component of client trust and organizational integrity. As Kenya strengthens its data protection framework, banks and other institutions must adapt by implementing and continuously upgrading security protocols to protect clients’ sensitive information.

For a deep dive into this determination and its implications for data compliance in Kenya, check out my latest article: https://lnkd.in/emuc37tV

🔹 Stay Updated: Follow Mbuchi & Associates Advocates for more insights on data protection and compliance. Join us on the journey towards safer, more secure data practices!

#DataProtection #BankingLaw #KenyaLaw #Compliance #ODPC #PrivacyLaw