There is no doubt that Big Data has offered considerable advantages in terms of helping businesses identify new opportunities and make decisions that lead to smarter business moves, efficient operations, higher profits and, more generally, satisfied customers. However, this comes at a price – big data technologies have given rise to valid concerns as there is a risk that fundamental human rights of individuals may be violated, particularly, the right to privacy.

In light of this, there has been an increased global awareness on the importance of data protection. Notably, in May 2018, the European Union passed the General Data Protection Regulation (GDPR), which has become one of the strictest legislations on data protection and has revolutionized the implementation of data protection.

At home, the National Information Technology Development Agency (NITDA) also issued the Nigeria Data Protection Regulation (NDPR) to protect the rights of Nigerian citizens to data privacy and to foster the safe conduct of transactions involving the exchange and use of personal data. It establishes rules relating to the use, processing and protection of the personal data of individuals located in Nigeria.

In our business as a financial institution, we are subject to extensive regulation in all areas of providing banking products and financial services. In relation to individual customers, this includes the implementation of the requirements of the NDPR.


So, what is personal data?
This is any information that can be used to identify an individual. This includes names, phone numbers, contact information, location information, financial information, transaction history, gender, ethnicity, health records and sexual orientation.

What personal data is covered?
Personal data of customers and potential customers, employees and potential employees, vendors and service providers.

What is processing?
Anything done with personal data (whether or not by automated means) including collection, organization, storage, transfer, destruction and deletion.



KEY DATA PROTECTION PRINCIPLES

  1. Lawful Processing of Data: Data can and should only be processed lawfully. Processing of data is only lawful, if at least one of the following applies:
    • Consent has been given by the data subject – consent is required, for example, when the bank processes personal data by so-called profiling for marketing purposes, or where third-party products are offered that are not related to the offer of banking products.
    • Processing is necessary for the performance of a contract - for example, this includes the processing of identification and contact details for account creation.
    • Processing is necessary for the compliance with a legal obligation – for example, data transferred to CBN or regulatory authorities in connection with mandatory measures aimed against money laundering and terrorist financing or the processing of data to ascertain credit exposure when negotiating loans.
    • Processing is necessary to protect the vital interests of the data subject or any public interests – for example, sending marketing messages to customers, processing data for risk management purposes, etc.

  2. The need for Consent: where consent is being relied upon as the lawful basis for processing, the consent of the data subject must be informed, freely given, understandable and unambiguous. This means that the data subject must know what they are consenting to. The provision of banking services shall not be conditional upon the data subject giving consent to the processing of their personal data. Consent must be active (i.e., no pre-ticked boxes or ‘opt-out’ situations). Data subjects must also be able to withdraw consent easily.

  3. Clarity of Privacy Policy: any medium through which Personal Data is being collected or processed shall display a simple and conspicuous privacy policy that the class of data subjects targeted can understand.

  4. Data Integrity and Storage Limitation: personal data collected should be adequate (only collect as much as is necessary), accurate, and stored only for the period within which it is reasonably needed.

  5. Rights of the Data Subject: these include the right to object, the right to erasure, the right of access, the right to data portability, etc. These rights must be properly communicated to the data subject in a clear, concise and accessible form.

  6. Data Security: security measures, including firewalls and data encryption technologies, should be implemented to protect personal data from theft, cyberattacks, manipulation, environmental hazards, etc.

  7. Third-party processing: data processing by a third party shall be strictly governed by a written contract between the bank and the third-party.

  8. International Data Transfer: transfer of personal data to a foreign country may be allowed where NITDA has decided that the recipient country has adequate data protection. Transfer activities are subject to the supervision of the Attorney General of the Federation.

  9. Data Protection Impact Assessment: an assessment of the impact of personal data processing should be carried out where the processing, in particular when it uses new technologies, would likely result in a high risk to the rights and freedoms of data subjects.



COMPLIANCE REQUIREMENTS

The NDPR requires that Data Controllers and Processors:

  • Designate a Data Protection Officer (DPO) who will be responsible for driving NDPR compliance within the organization. The current Data Protection Officer is Fatai Tella.
  • Document and publish a Data Protection policy in line with the requirements of the NDPR. Sterling Bank has published a set of Data Protection Policies.
  • Ensure continuous capacity building and training for the Data Protection Officer and other personnel involved in the processing of personal data.
  • Engage a Data Protection Compliance Organisation (DPCO) to perform a data protection audit and file a report with NITDA within the stipulated timeline.


POTENTIAL CONSEQUENCES FOR NON-COMPLIANCE

Fines of as much as 2% of our Annual Gross Revenue of the preceding year or payment of the sum of 10 Million Naira, whichever is greater, not to mention reputational damage and prosecution.

It is important to note that the right to a private life and its associated freedoms are considered fundamental human rights and are protected by laws all over the world. Data protection is a major risk issue in business today, and it is important that we understand our roles and responsibilities in protecting personal data.

For more information on the concerted efforts the bank is making to protect the privacy of its data subjects, please contact the Enterprise Data Office. The Bank’s Data Protection Policies are also available to staff.