Data Privacy in Nigeria – A Deep Black Hole

The world that we live in today has evolved into an electronic entity as everything has become digitized. For shopping, we visit digital platforms such as Amazon and Alibaba – For dating, we download apps like Tinder – For educational purposes, we register on platforms like Udemy, Coursera – For financial transactions, we use banking apps on our mobile devices and the list goes on and on. As a matter of fact, it is almost impossible to imagine how life existed in the past without this technological boom, today we cannot function adequately without these things!

The value proposition of this digital wave of innovation and disruption is the ease at which it connects the entire world ever so seamlessly. Now the Nigerian businessman can sit down in the comfort of his living room and conduct business with an associate in China over his mobile device. 

---

Digital Platforms & Electronic Devices

As these digital platforms and electronic devices continue to disrupt the traditional ways of doing business and living life day by day, it inevitably creates some avenue for exploitation if certain conditions are not addressed and enforced. The end result of not ensuring that data privacy compliance is met while administering these digital platforms could present a haven for cyber-criminals and self gratifying business exploiters. While using digital products and electronic devices it is inevitable that data is collected from users knowingly or unknowingly. The role of data privacy is to ensure that certain procedures are met to ensure the safety of personal data.

The avenue for electronic communication are digital platforms and smart electronic devices. Digital platforms include websites (applications), mobile apps, and electronic gateways. Electronic devices include phones, smart wristwatches, PCs and laptops to mention a few. Thus, without digital platforms and smart devices it is not possible to communicate electronically. Likewise, organizations storing employee information electronically adopt the use of databases installed in servers accessed using an electronic front end interface.

It is important to note that these digital platforms and electronic devices have the potential to run algorithms to collect as much information as possible from people using these platforms without their consent. Likewise, it is pertinent to note that if these digital platforms are not properly secured it poses a threat for a data breach where personal data collected (or saved ) by these platforms can be hacked and foster a series of mishaps such as identity theft, ransom and misappropriation of funds.

---

Nigeria -Situation Analysis

According to Statista, internet user penetration in Nigeria saw a slight increase between the years 2017 and 2021, going from 43 percent to over 51 percent. As of July 2021, there were more than 108 million internet users in Nigeria. Moreover, the share of the Nigerian population that uses the internet via any device at least once a month is expected to grow up to 60 percent approximately in 2026. 

Moreover, the establishment of the Bank Verification Number (BVN) and National Identity Number (NIN) displays a willingness in Nigeria to embrace a digital culture. As embracing a digital culture has many benefits it is also important to safeguard this culture by ensuring that frameworks are established to prevent abuse of data that is warehoused on these digital platforms. 

In Nigeria, a positive step has been taken in the right direction via the establishment of the Nigeria Data Protection Regulation (NDPR) to ensure that personal data is processed in accordance with specific, legitimate and lawful purposes consented by the Data Subject. However, there is a shortcoming with the NDPR, it is not as tough as the GDPR towards enforcing compliance. As a result of this, there is a lackadaisical approach by organizations in Nigeria about data privacy compliance. Without strict penalties for non-compliance there would be no drive for data protection implementation and herein lies the challenge.

The EU established the General Data Protection Regulation (GDPR) to ensure compliance by Data Controllers in Europe. The GDPR framework was established to ensure that organizations of all types that collate data follow procedures that ensure users give consent for use of their data and also to ensure that the same data is stored securely free from unauthorized user access. To enforce the GDPR, the EU data protection authorities can impose fines of up to € 20 million (roughly $20,372,000), or 4 percent of worldwide turnover for the preceding financial year – whichever is higher.

Implementation of the GDPR in the EU has been quite successful and I believe that the success is rooted in the heavy fines imposed on organizations who do not comply with the standards laid out for data protection laws. 

The NDPR has been well fashioned after the GDPR, however, enforcement does not share the same intensity and this is the problem.

With my knowledge of data privacy issues, I am often in shock when I witness certain occurrences in Nigeria, I have shared some of my experiences bulleted below:

• While attending to  me in a banking hall, a customer service representative had forms filled in by other customers littered all over her desk. The forms exposed information of individuals such as their name, date of birth, bvn, etc
  
• After I purchased an item from a leading telco in Nigeria, I started receiving cold calls from other companies marketing similar products to me. I asked how they got my number and they mentioned that it had been given to them from the telco that I had patronized previously
  
• After purchasing a ticket to board a ferry (managed by the State Government), I had to write my name and phone number in a public exercise book where I could see the names and numbers of everyone else
  
• I received a broadcast message from a contact on whatsapp trying to sell me hundreds of names with their corresponding phone number and email for a fee. He was trying to sell the data to me so that I could use it for bulk sms/email marketing.

These are just a few instances of ‘personal data abuse’ that could have devastating consequences as well as abuse and intrusion of privacy. Indeed, data privacy in Nigeria is a deep black hole.

The journey for data privacy compliance in Nigeria is gargantuan as it first starts with educating the general populace about the delicacy of data and the results of not handling it properly.

Data – The New Property

There is now a new type of ‘property’ and it is ‘data’. Individuals have as much ownership of their data as well as they commandeer ownership of their other possessions (property, funds, etc). Your data is your property and you have the right to determine how it is used and distributed because your data is your electronic identity in the digital world that we live in today. If your data is misused and falls into the wrong hands you can easily be robbed of your identity.

As you would lock the doors of your house before retiring for the night to safeguard lives and property within, so also should your data be protected by yourself and those who have it for various reasons (including digital platforms and electronic devices).

---

The Way Forward

It is not enough to talk about the dangers without profurring a way forward, thus I have listed some ideas below to increase awareness and implementation of the NDPR:

• Enforce data privacy in organizations based in Nigeria with heavy fines for non compliance
  
• Establishment of Data Privacy Task Force
  
• Add Data governance as a course in Nigerian educational institutions (compulsory elective in higher institutions)
  
• Regulate penetration of digital platforms in Nigeria

---

Summary

Indeed Nigeria has already embraced a digital culture and the establishment of the NDPR is a step in the right direction. However, data privacy in Nigeria still remains a deep black hole because we have not yet fully acknowledged the dangers that lie ahead if it is not yet fully enforced.

The action plan starts from you – the data subject, be mindful how you share your data and who you share it with, ensure that you read the privacy statement of digital platforms to confirm what data is collected and how the data is used while you engage their platforms. 

As an organization, invite a Data Protection Officer (DPO)  to overhaul your practices and make you NDPR compliant. Remember that you are responsible for the safety of personal data that belongs to every member of your organization.

---

Need More Information?

If you need more information about NDPR compliance you can contact the author at damola.adewusi@serverpointnig.com