Legal, regulatory and corporate stakeholders are urging companies operating in Nigeria’s digital economy to urgently reassess how they manage personal data, amid growing concerns over data breaches, poor vendor contracts, and inadequate compliance systems.
This comes as organisations operating in the country face increased scrutiny under the Nigeria Data Protection Act (NDPA), which was enacted in June 2023 and created the Nigeria Data Protection Commission (NDPC), the country’s data protection watchdog.
During a virtual session held Tuesday and titled “Data Breaches: Causes, Prevention, Reporting and Compliance,” hosted by Advocaat Law Practice, experts from MTN Nigeria, Interswitch, NDPC and others are calling for a multi-layered, proactive approach to data protection.
Oluwatoyin Araromi, Head of Compliance and Ethics and Data Protection Officer at MTN Nigeria, highlights the complexities involved for MTN Nigeria, the nation’s largest telecoms company, which manages data for over 80 million subscribers and operates across multiple jurisdictions.

MTN Nigeria: Data is our milk
“Data is our milk. Data is our water,” Araromi tells participants, describing how the telecoms provider is constantly retraining agents—some of whom are illiterate—to uphold customer privacy.
“As you all know, we are the leading telecoms provider in Nigeria. And our footprint is cut across so many jurisdictions in Africa. So, data is our milk. Data is our water. So, one major challenge for us will be the vast data that we, you know, that we handle,” she says.
“We have over 80 million subscribers. And just the reality of ensuring that the data does not fall into the hands of the wrong person is challenging on its own,” Araromi tells attendees at the webinar. “Most of us on this call, I’m sure that when you wanted to get your SIM card, you probably did not come into MTN offices. You probably bought from an agent. Some of those agents are not literate. So, we constantly have to train and retrace the importance of data privacy for them.”
MTN Nigeria, she says, has separated data privacy from its legal or HR divisions by establishing a dedicated privacy office under risk and compliance, with certified staff trained to global standards. This underscores the increasing internal efforts underway at the telecoms company to deepen compliance with local and international data privacy rules.
Also speaking, Isimenmen Omiunu, Head of Legal Operations at Interswitch, stresses the need for comprehensive data processing agreements with third-party vendors. She wants companies to clearly define their roles—whether as controllers or processors—and to implement binding corporate rules where operations span multiple jurisdictions.
“It’s always advisable that there is a binding corporate rule,” Omiunu says, noting that such frameworks help companies remain compliant with differing laws across borders.
According to the Interswitch exec, “it will depend on the role that you are playing. If you are the data controller, the data processor, the subprocessor, or a joint controller. The impact of this classification will determine the level of responsibilities already imposed by law and expectations of the data subject and society at large.”

She says organisations must include key clauses such as liability for breaches, indemnity, and limitation of liability. “It’s always advisable that there is a binding corporate rule in the fact that you have one jurisdiction. So, when you have operations in various multiple jurisdictions, it would be necessary to have a binding corporate rule that also takes into consideration what the data protection laws are in all these other jurisdictions.”
Adeyemi Owoade, Legal Associate at Advocaat Law Practice, adds that companies must carry out Data Protection Impact Assessments (DPIAs) when launching new platforms or products that involve Nigerian user data. DPIAs, he says, are crucial in identifying risks tied to the handling of sensitive personal data such as financial or health information.
“If you are collecting this set of data, you are expected, based on the requirement of the law, to do DPIA,” Owoade warns.
“Provided that you are collecting data,” he says, “and you are processing data of Nigerians, it’s expected of you to know what, where, when, and how… When I say what, I mean what are the data that you need? Do you actually need this data? What do you need it for? And how do you collect the data? You must also know how you store this data. Are there going to be transfer of this data? Are you going to share this data with third parties? Is the data going to be transferred outside the country?”
A live poll conducted during the webinar session shows that 57% of respondents believe both individuals and organisations should share responsibility for data protection. Araromi of MTN Nigeria agrees, stating that individuals must also play their part by safeguarding their own data.
“You should be accountable for that,” she advises. “We do not expect that because you have provided the telco with that information, then you go home, share your SIM details, share your password, and at the end of the day, there is a breach.”

Representing the NDPC, Ayomide Ogunjimade reiterates that organisations, not individuals, will be held accountable for data breaches. The NDPC, he says, favours a remediation-first approach rather than immediate financial penalties.
“The Commission has always adopted the approach of remediation rather than slamming every organisation that is guilty of a breach with a fine,” Ogunjimade explains. He identifies common compliance issues, including poorly-drafted data protection policies, unqualified data officers, and unlawful data transfers abroad.
However, he adds that, “it’s also good for data subjects to also be able to at least have basic knowledge of what data protection is. You shouldn’t share your personal data just to anyone. That’s why the Commission has a very strong standpoint when it comes to awareness. We ensure that not just the data controllers are aware of what data protection is, but also data subjects are aware of.”
The NDPC, he says, is also partnering with other regulators such as the Federal Competition and Consumer Protection Commission (FCCPC) to enforce pre-approval for digital lenders before they begin operations.
Despite this, Araromi and Omiunu are calling for more agile and sector-specific regulatory engagement from the NDPC. They are urging the Commission to increase collaboration, particularly with fast-evolving industries like FinTech.
MTN’s Araromi praises the NDPC’s efforts but calls for more agility. “I think for MTN, they started that discussion with NDPC to actually understand the different sectors… I think they’re doing well, but there is also room to do better… we should not have to wait for so long for regulatory feedback on sensitive issues.”
According to Omiunu, “they’ve been trying their very best, but I still think that there’s room for improvement. More engagement with regards to drafting regulations and guidelines, setting thresholds for FinTech companies like ours.”
According to the MTN Nigeria exec, “before you start setting thresholds, I believe the engagement should be very intentional, to see and understand how we operate in the FinTech world, the things that are possible and the things that are not. You know, financial technology is, I would say, somewhat new in this clime, so there are a lot of intricacies regarding financial technology that we believe if the regulators understand it until the end, they are setting regulations and setting guidelines that they will be able to be more subtle on.”
Speaking earlier in his welcome address at the webinar, Rotimi Akapo, Partner and Head of the Telecommunications, Media and Technology Practice Group at Advocaat Law Practice, observes that the theme, “Data Breaches, Causes, Prevention, Reporting and Compliance,” is timely.
“In recent years,” he says, “we have witnessed a sharp increase in data breach incidents across both public and private sectors, ranging from ransomware attacks on financial institutions, unauthorised access to health records, to leaks of sensitive customer and employee data.”
While the incidents may differ in scale and nature, Akapo observes that “what they share in common is their potential to erode trust, compromise individual rights, and expose organisations to serious legal and regulatory consequences.”

With Nigeria’s enactment of the Nigeria Data Protection Act in 2023, and the establishment of the NDPC as the nation’s data protection watchdog, “the compliance obligations on data controllers and processors have become more clearly defined, and the consequences of non-compliance more pronounced. For legal practitioners, compliance professionals, and data protection officers, this has created an urgent need to not only understand the legal and technical dimensions of data breaches, but also to build robust internal frameworks for breach prevention and timely reporting and response management.”
The webinar session brings together a community of experts united by a common objective: to strengthen Nigeria’s data protection ecosystem.
“We intend to explore the root causes of breaches, from phishing scams and insider threats, to poor encryption and third-party vulnerabilities. More importantly, we will unpack how organisations can prepare through risk assessment, staff training, clear reporting protocols, and alignment with regulatory expectations under the NDPA.”
According to Akapo, “it is our hope that this webinar will not only enhance our understanding, but also encourage collaboration and action towards building more resilient, compliant, and privacy-conscious organisations in Nigeria.”

























