The event attracted startup founders, CTOs, engineers, and business leaders from across the continent, all eager to learn how to integrate security into their growth journey without slowing innovation.

Key Highlights from the Speakers

David Ukap, Information Security Officer, MyUnideals, set the tone with a deep dive into Zero Trust Architecture and why startups should embrace it from day one.

Drawing from his experience at MyUnideals, he outlined how his team implemented Zero Trust to secure APIs, protect cloud resources, and enforce strong data access controls, all while aligning with ISO 27001, GDPR, and Cyber Essentials.

His practical advice for building security into product development cycles resonated strongly with attendees, especially those working in fast-scaling tech environments.

Ogbudu Joshua, Business Intelligence manager, PalmPay, focused on data-driven security, sharing how PalmPay protects customer data while scaling in a highly competitive fintech market.

He emphasised the role of business intelligence in detecting anomalies and preventing fraud, stressing that data governance and regulatory compliance (GDPR, NDPR) should be embedded into every startup’s growth strategy.

Asifat Olaoluwa, Cybersecurity consultant, Digital Encode, also spoke during the session with a compelling talk on cyber resilience, the ability not just to prevent cyber incidents but to recover quickly when they occur.

He offered actionable tips for startups operating on limited resources, including affordable security tools, incident response planning, and fostering a security-first culture across teams.

Audience Engagement & Takeaways

The Q&A session was one of the event’s standout moments, with attendees seeking advice on everything from low-cost security tools to strategies for winning customer trust through compliance.

Across the board, one theme was clear: security is not an afterthought, it’s a growth enabler.

Attendees left with a stronger understanding that:

• Zero Trust is not just for big corporations, it’s scalable for startups.
• Data security must be integrated into business intelligence and product.
• Cyber resilience ensures long-term survival in a fast-evolving threat.

Looking Ahead

Techeconomy extends its gratitude to our distinguished speakers for generously sharing their expertise and to our engaged audience for making the conversation dynamic and impactful.

If you missed the live session, a replay will soon be available on Techeconomy’s YouTube channel.

We remain committed to supporting African startups with resources, knowledge, and community connections to help them scale securely in the digital age.

The African market is not a monolith; it is a tapestry of diverse cultures.

With 54 different countries on the continent, each with unique economic situations, regulatory environments, and cultures, efficiently growing operations requires more than just replicating a single successful model. Expanding technology enterprises into African markets needs a practical and evidence-based strategy.

Real-world examples and verifiable data show that success in African markets requires adjusting strategies to local realities.

One significant challenge is the diverse regulatory environment, unlike the European Union, which has some amount of harmonisation, African markets are still largely fragmented.

Nigeria, for example, passed the Nigeria Data Protection Regulation (NDPR) in 2019, establishing guidelines for data collection, storage, and processing.

In contrast, nations such as Uganda and Zambia are yet to establish robust data protection legislations, creating inconsistencies that complicate expansion efforts.

This regulatory challenge can also be seen in the fintech sector with the implementation of the Payment Service Bank (PSB) guidelines and Regulatory Framework for Sandbox Operations, as well as in the e-commerce sector, where Nigeria’s National Information Technology Development Agency (NITDA) has issued guidelines for e-commerce operations, including data protection and cybersecurity measures.

The regulatory environments in some other African countries are less developed leading to inconsistencies in consumer protection and business operations. For instance, Uber had to adjust to Kenya’s specific legislative restrictions, which necessitated different pricing strategies and licensing procedures than in South Africa.

Infrastructure limitations are another significant impediment because, according to the World Bank, just 51% of Sub-Saharan Africa’s population has access to electricity in 2022, and in countries such as Chad and Malawi, it is less than 15%. Internet access also varies greatly; Morocco has the highest internet penetration rate of 91%, Kenya has an internet penetration rate 42%, while Somalia and Eritrea struggle with rates below 15%.

These disparities compel technology companies to create scalable solutions or products that work consistently even in low-connectivity and low-resource contexts.

This was a major reason for M-Pesa‘s success in East Africa, where the program was particularly designed to run on basic mobile networks, allowing financial inclusion for millions who lacked access to traditional banking institutions.

Africa is home to over 2,000 languages and diverse cultures that influence consumer behaviour. For example, in Nigeria’s northern states, cultural norms shape spending habits differently compared to the more urbanised and diverse south.

This means that a one-size-fits-all strategy is ineffective in such scenarios. The rise of e-commerce platforms like Jumia highlights how understanding local cultures and tailoring content, payment methods, and even marketing strategies to fit specific cultural contexts can drive adoption.

Jumia’s success in Nigeria is partly due to its partnerships with local logistics providers and its introduction of cash-on-delivery options, which addresses consumer trust issues in the market.

Economic inequalities across African countries also play a significant role in determining which business models will work.

The World Bank reports that South Africa’s GDP per capita is around $6,000, while Burundi’s is less than $300.

Such vast differences mean that tech solutions must be flexible enough to serve both high-income and low-income markets.

In higher-income regions like South Africa, subscription-based models for digital services tend to perform well, whereas in lower-income areas, freemium or pay-per-use models are more effective.

The ride-hailing industry offers a clear example of this. In Egypt, where there’s a growing middle class, Careem’s subscription and rewards programs have been successful.

Meanwhile, in less affluent areas of East Africa, SafeBoda operates on a low-cost, pay-as-you-go basis to attract a wider user base.

Local partnerships have proven to be essential in overcoming these varied challenges, as companies entering the African market often form strategic alliances with local entities to gain deeper market insights and establish operational footholds. This approach is evident in the growth of mobile money services across the continent.

In Tanzania, Vodacom’s M-Pesa scaled effectively by integrating with local banks, which provided the liquidity needed to manage high transaction volumes in rural areas.

Similarly, companies like Flutterwave have successfully expanded across multiple countries by partnering with local financial institutions to navigate regulatory frameworks and deliver localised solutions.

Regulatory collaboration in Africa has proven to be an effective strategy for managing diverse regulatory environments.

This was exemplified by the partnership of FMO, Endeavour and Afrigrow to drive growth in Africa’s Agritech sector. This collaboration can also take the form of participating in regulatory sandbox programs, which allows companies to test their innovative products and services in controlled environments under the supervision of regulators.

Companies like Jumia, Flutterwave and Paystack had established strong relationships with local authorities to navigate the various regulatory landscape across the continent.

Investing in local talent and skills development is another cornerstone for success, and the African Development Bank projects that by 2030, nearly 20 million people in Africa will enter the labour market annually.

Tapping into this young, growing workforce is not just about filling roles; it’s also about nurturing innovation that’s locally relevant.

Andela’s model, which involved training software developers in Nigeria, Kenya, and other countries before integrating them into global tech teams, highlights the importance of building local capacity.

Companies that prioritise upskilling their workforce not only benefit from cost efficiencies but also ensure that their products resonate with local needs.

Flexible business models that can be adapted to different market conditions are important for scaling across Africa.

For instance, in countries with relatively high smartphone penetration but low banking access, mobile money integration becomes a non-negotiable feature, and Safaricom’s success with M-Pesa in Kenya is a prime example of this.

The service’s ability to function on basic mobile phones and its integration with various microfinance options allowed it to gain widespread adoption even in low-income areas.

On the other hand, in markets with established banking sectors like South Africa, digital payment solutions need to offer added value beyond basic transactions, such as loyalty rewards or integrated financial services.

According to GSMA, Africa had 495 million mobile subscribers by the end of 2020, a number expected to reach 615 million by 2025 and this shows that the African tech sector offers immense growth potential.

This growth is driven by an increasingly young, urbanised population that is eager to adopt new technologies.

Companies aiming to tap into this growth must be willing to invest the time and resources needed to understand the nuances of each market.

Expanding across African markets is not just about scaling technology; it’s also about scaling relationships, trust, and local expertise.

Success on the continent is not guaranteed by merely bringing a product to market; it is achieved through deep engagement with each country’s unique challenges and opportunities.

About the writer:

*Samuel Prince Nwafor is a passionate finance and strategy professional with over 12 years of experience driving business growth across various industries, including tech, consulting, telecom, real estate, manufacturing, and oil & gas.

He has a proven track record of partnering with C-Suite leaders to craft winning strategies, expand businesses, make strategic investments, and design successful products.

Samuel’s expertise spans financial planning & analysis, financial modeling, investment analysis, and product design & pricing. Currently, he is a Doctorate Candidate at Durham University Business School, UK, and EmLyon Business School, France.

He is also a Fellow of the Association of Chartered Certified Accountants (ACCA) and a CFA Level III Candidate, holding an MBA from the University of South Wales.

The service-wide circular dated 7th November, 2022 with Ref No. SGF/OP/l/S.3/Xll/186, directed all MDAs of government to comply with the provisions of the Nigeria Data Protection Regulation (NDPR).

The Circular which was signed by Mr. Boss Mustapha, the Secretary to the Government of the Federation, is to the effect that MDAs should:

a) designate appropriate officers as their Data Protection Officers (DPOs) who will  on regular basis advise management on data processing  activities of their  organization and ensure compliance with the provisions of the NDPR and all  matters relating to protection of the privacy, rights and freedom of data subjects; 

b) forward the name and contact details of the DPOs to Nigeria Data  Protection Bureau (NDPB) for documentation and requisite induction training;

c) appoint licensed Data Protection Compliance Organizations (DPCOs) who will  guide the MDAs through compliance framework and file their annual reports with the NDPB; 

d) make appropriate budgetary provision for annual Data Protection Audit compliance process and capacity building of Data Protection Officers as well as other staff; and

e) on annual basis, file the report of their Data Protection Audit to the NDPB not later than the 30th day of March of every year.

The implementation of the Circular is with immediate effect.

The National Commissioner and CEO, NDPB, Dr. Vincent Olatunji, lauds Federal Government for taking this historic step towards advancing fundamental rights and freedoms of Nigerian citizens and residents particularly in the area of privacy. “As an agency of government, we are cheered by this development because it clearly demonstrates the preparedness of public sector organizations and functionaries in providing an enabling environment for the growth of our digital economy.

According to a statement signed by Babatunde Bamigboye, Head, Legal Enforcement and Regulations at NDPB, with this circular, over 200 million Nigerian citizens now have additional reference to call in aid in order to protect lives and livelihoods in a data driven ecosystem.

“The Bureau will continue to cooperate with stakeholders so that the numerous benefits of lawful data processing such as job and wealth creation can spread to all nooks and crannies of Nigeria.

“MDAs may wish to make enquiries at the headquarters of NDPB at No. 5 Donau Crescent Maitama, Abuja or visit here”, the statement reads.

The NDPR, which was released on January 25, 2019, provides a broad framework for safeguarding the rights of individuals to data privacy.

Data protection is crucial because it shields an organization’s information against fraud, hacking, phishing, and identity theft. Any organisation that wishes to operate efficiently must create a data protection plan to guarantee the security of its information.

The audit, conducted by Guut Technologies Limited licensed by NDPB is aimed at reviewing organisations’ compliance levels in line with the provisions of the NDPR.

According to the agency, every company whose name appears on the compliance list is verified to be NDPR compliant, indicating their commitment to data protection and privacy. This should provide some level of comfort, safety, and assurance to their customers and relevant stakeholders when dealing with them.

Being NDPR compliant means Wragby has intentionally joined the fight for stronger, more effective laws and policies around the world to protect people’s personal information online.

Wragby Business Solutions and Technologies Limited, as data controller, remains committed to monitoring and continually improving data protection to meet our privacy responsibilities to our customers, staff, vendors, and regulators.

Wragby who earlier in the year became ISO 270001 certified has put in place standard measures that ensure the protection of customers’ data and the assurance of their privacy.

“Our Data Protection & Privacy Policies extensively cover every essential aspect of our relationship and engagement with customers and stakeholders”, the company said.

Mr. Babatunde Bamigboye, the Legal, Enforcement & Regulations Lead at NDPB confirmed the development in a statement made available to TechEconomy.ng.

According to Bamigboye, the complaint against Phillips Consulting is in connection with the activities of online lending platforms who (allegedly) willfully breach the privacy of citizens whilst the investigation of UBA PLC., pertains to allegations of infringement on the governing principles of data protection.

“It will be recalled that the NDPR mandates organizations to carry out due diligence before engaging in any data processing. This is to ensure that parties are accountable for any infringement on fundamental rights and freedoms of data subjects.

“The Bureau warns all data controllers and processors to eschew all forms of data processing that are detrimental to citizens as well as the economy and security of the country”, the statement added.

Many did not know the import of this presidential directive to NITDA and the kind of attention the management of the Agency would give to it.

People in the know can authoritatively confirm that the Agency swung into action by initiating several organizational restructurings in furtherance of the already established roadmap that was handed down by the Minister of Communications and Digital Economy, Prof. Isa Ali Ibrahim Pantami, the Agency’s former Director-General.

Since then, many laurels and accolades have come the way of the Agency, the recent, being the National Productivity Order of Merit (NPOM) Award coincidentally conferred on the Agency by the same President Buhari himself on Thursday, May 12th, 2022.

The NPOM Award is an award of honour and dignity instituted by the government to reward hard work and excellence. 

In a letter conveying the conferment of the Award to the Agency, the organiser of the Award, the National Productivity Centre confirmed the approval of the president to confer on NITDA the award in recognition of its “high productivity, hard work and excellence hinged on the Agency’s recommendation on the report of the committee on National productivity Order of Merit Award after a “rigorous selection processes.”

The letter, which identified NITDA as the only government Agency out of 50 awardees maintained that one of the numerous accomplishments of NITDA is its strict adherence to information security and safety” that has been proactively “creating a robust incident management procedure through which any irregular or adverse event that occur and affect the normal functioning of a system is adequately dealt with.”

Yes, the above reason proffered by the organiser to honour NITDA this so well is justifiable but the Agency has performed creditably well to the admiration of IT stakeholders and Nigerians in general.

One could imagine that a once obscured IT Agency that the government has pencilled down for merging or proposed to be a unit in its supervisory ministry could metamorphosis to the level of winning a National Productivity Award under six years of intention to alter its existence.

It began in 2016 when Prof Pantami assumed office. During his well-crafted inaugural speech, the then Director-General admonished his “esteemed colleagues” (as they were then) that he was at the Agency to change its narrative because “clearly, NITDA is crucial to the technological aspiration and development of our country in this ruthlessly competitive global world where we can’t afford the luxury to lag. This is particularly true in this challenging economic time when our country dearly needs ICT in its bids to diversify the economy. He added that the Agency is very strategic to the aspiration of the country and in that case, it requires a “harmonious blend of knowledge with creativity.”

Members of staff were also enjoined to possess certain qualities such as integrity, professionalism and commitment to duty for the success of the Agency.

The above determination to change the narrative, and the admonitions to staff to also change their work ethics birthed the transformation of NITDA. NITDA under the administration of Prof. Pantami focused on seven strategic key pillars of IT Regulations, Cyber Security, Capacity Building, Local Content Development and Promotion, Digital inclusion and Government Digital Services.

These pillars were religiously implemented between 2017 to 2020. The feats recorded by the Agency in these three years were unprecedented and they have become the geese that laid the golden eggs for the Agency. 

Unarguably, Prof. Pantami laid the foundation for the Agency’s trajectory to development but not without the knowledge of his then Technical Adviser and now the NITDA’s Director-General, Kashifu Inuwa, CCIE.

They both envisioned the roadmap and conceptualized all projects executed. Obsessed with these modest achievements his “mentor” and predecessor recorded, on  assumption of office as the 5th Director-General, Inuwa made continuity his watchword. 

Surprisingly, by the end of the last decade even with the outbreak of COVID-19, the results of these efforts have begun to be manifesting; leading to an improved contribution of the IT sector to the country’s Gross Domestic Product, (GDP). For instance, in the last quarter of 2020, the ICT sector grew by 14.70 per cent which made it the only sector to have grown by double-digit.

This was attributable to the robust implementation of the digital economy policy implementation which NITDA is one of the implementors.      

After the launching and unveiling of the National Digital Economy Policy and Strategy, NDEPS by President Buhari in November 2019 with the mandate to implement eight pillars of Developmental Regulation; Digital Literacy and Skills; Solid Infrastructure, Service Infrastructure; Digital Services Development and Promotion; Soft Infrastructure; Digital Society and Emerging Technologies and Indigenous Content Development and Adoption to accelerate the development of Nigerian digital economy, NITDA launched its Strategic Roadmap and Action plan for 2021-2024 with planned implementation strategies to be in line with NDEPS. 

It all began with the internal restructuring of the Agency to prepare its workforce for the challenges ahead.

The Director-General conceptualized a system that ensures no staff is indolent by setting monthly, quarterly and annual performance targets for them, the aggregate of which form the performance scorecard on which staff are evaluated at the end of the year.

Departments, Units and Subsidiaries also signed their scorecards which contain the various initiatives that will facilitate the implementation of SRAP with the Director-General.

This is a complete deviation from the culture of annual assessment measures employed by the other Ministries Departments and Agencies of government.

This approach has become a model most organisations are now emulating. For instance, a team from the Office of the Head of Service recently visited the Agency to understudy the model for nationwide implementation.

Staff are also being socialized regularly with the cultural reorientation with a view of changing their mindset and conditioning their minds to the new core values of the Agency which are People-First, Innovative and Professionalism which if religiously adhere to will “proactively facilitate the development of Nigeria into a sustainable digital economy” 

It is unquestionable, the series of awards various organisations have bestowed on NITDA in recent times. This is owing to the contributions of the Agency toward the diversification of the nation’s economy.

Foremost among these contributions is the prudent management of the limited resource in the implementation of the Federal Government’s Information Technology projects across the country which is under the Developmental Regulation pillar of SRAP.

To NITDA, regulation is not to stifle the sector but rather to enable a conducive environment for the sector to thrive competitively in order unlock, support and enhance opportunities for market-creating innovations. Initiatives under this pillar include; IT projects clearance which has seen 258 projects cleared from MDAs  with over N2.4billion saved for government; implementation of the Nigeria Data Protection Regulations that has created a market value of N2billion, 7,680 jobs and 33 licensed Data Protection Organisations.

The testimonial of NDPR is another success story entirely. Nigeria became the first African nation to launch the NDPR after the European Union and many countries in Africa are now approaching NITDA through Nigeria government for guidance on their Data Regulation policies.  

The captivating ways of implementing the NDPR by NITDA had led the government to be proactive in establishing the Nigeria Data Protection Bureau, (NDPB), a full-fledged parastatal that will be responsible for regulating and protecting the use of personal data in the country.

During the unveiling of the NDPB, minister Pantami revealed that it has become imperative to establish the NDPB “because many global IT giants would not do businesses in a country with no data protection law or institution.”

He added that; “A country like Nigeria with a huge and increasing population need to have an institution of government mandated with data privacy and confidentiality.”

The intention of the government to achieve 95 per cent digital literacy in the next 10 years which NITDA is championing through its Digital Literacy and Skill pillar of the SRAP is also attractive to many stakeholders to ‘adorn’ the Agency with awards. This pillar focuses on ensuring the acquisition of digital skills across works of life and creating a pool of globally competitive human capital that is capable of igniting the digital transformation.

The Agency, in promoting digital inclusion has facilitated the training and empowering of 750 People Living with Disabilities, (PLWD) thousands of artisans on phone repairs, 57, 774 active students have enrolled on NITDA Academy for Research and Training, (NART) and undergoing 67 active online courses and certifications.

The Agency has given 74 Master scholarship slots to Nigerian youths on IT related courses; 12 Master scholarships on ICT law and 12 PhDs have been awarded thus far.

Similarly, 1,500 junior school teachers were trained on digital skills, 300 participants drawn from 30 MDAs trained on digital literacy, 100 journalists trained in digital journalism and over 300 women were also trained and empowered with digital tools on ‘Techprenuership.’  

It is practically impossible in a country like Nigeria where economic power to acquire digital tools is not readily available to build the required human capital needed for a thriving digital economy sector.  Without empowering the people with the necessary tools needed to function is like building a castle in the air, a path NITDA would not follow.

The unwavering supports NITDA has been providing for Nigerians to increase the level of digitisation and digitalisation across the country are highly commendable.

Under the Digital Transformation Pillar of SRAP, initiatives such as the implementation of the National Adopted Village for Smart Agriculture, the implementation of Nigeria Smart Initiatives, and the facilitation of a digital inclusion program for People Living with Disabilities and other digitally unserved people have seen the Agency donating digital tools to Nigerians.

In the last one year, for example, NITDA has built and equipped 80 Digital Economy Centres with e-learning facilities across the country, four special IT capacity building centres, and 966 digital tools donated to beneficiaries of different digital capacity building training.

Also, the Agency has provided 530 laptops and desktop computers for Nigerian students, 50 laptops were given to the participants in the workshop for digital journalism for women; 50 Nigerian Information Technology Reporters Association were also given 50 computers after they were trained on digital journalism; 418 tablets and repairs tools were given to artisans to supports their trade; beneficiaries of NAVSA have also been given 785 tablets to aid agricultural practice in the country. 

NITDA has brought benefits of immense proportion to the country through the initiation of various initiatives as handed down to it by its supervisory Ministry under the guidance of the Minister, Prof Pantami.

This award and many more it had received in recent times could be attributed to the collective efforts of all staff with the Director-General providing the leadership and direction needed to excel.

Quoting from what he said in one of the interviews he granted after the honour, the Director-General noted that “looking at how far we have come, for me, what attracted this recognition is the transformation and innovation we introduced and how we try to be professional in whatever we do. We try to make sure that all the services to our customers supersede their expectations.”  

The elated Kashifu added, “When we were nominated, we were not contacted about it, I think they did some survey and it was after they finished, they came to us to give them some information about the Agency. So, this shows that the transformation we have achieved, people outside there are seeing them. It is impacting the sector and society in general. Also, for me, this shows that the staff are up and running because, as a leader, my work is to set direction and govern the processes but the staff are the engine room. They are the ones doing the work, they are the ones delivering the services, and they are the ones surpassing customers’ expectations.” 

And to those that might want to query the parameter used in selecting NITDA as the only government organisation so awarded, may I quickly remind you that, since 2016 (not undermining the performance of previous management of the Agency) the performance narrative of the Agency has changed.

The once obscured NITDA has become more prominent; metamorphosizing into a more responsive Agency that is trying to set the nation’s foot on the threshold of digital transformation.

The Agency might not have taken Nigeria and Nigerians to where they want to be but it has taken them away from where they used to be and with this award, and those that have come before it, the Agency knows that to whom much is given much more is expected as the management and staff are ready to roll up their sleeves for new challenges have beckoned.

Oladokun Lukman O., is a Corporate Affairs and External Relations Staff of NITDA writes from Abuja.   

Wema Bank is on NDPB’s radar after allegations that the bank and its agents have been opening unauthorised accounts for customers with information sourced from their Bank Verification Number (BVN) details.

On the other hand, the Nigerian betting platform Bet9ja suffered a ransomware attack perpetrated by the BlackCat ransomware group on April 6, which the company confirmed two days after the attack.

BlackCat group is regarded as the successor to BlackMatter and REvil gangs that target corporate environments with customisable ransomware. READ MORE.

Mr. Babatunde Bamigboye, the Legal, Enforcement & Regulations Lead at NDPB confirmed the development.

He said that Wema Bank and Bet9ja are under investigation in line with Sectio​​n 37 of the 1999 Constitution and the provisions of Nigeria Data Protection Regulation (NDPR) 2019  – particularly Articles 2.1(2)-(3), 2.6 and Article 4 of the NDPR. 

“It will be recalled that sometime in May 2022, some customers of Wema Bank PLC complained of breach of their rights to data privacy and protection by the Bank.  This data processing, according to the complaints against the Bank, involves using their personal data to open accounts.

“The Bureau is also investigating report of breach of data privacy at KC Gaming Networks. The breach in this case involved alleged external attack on the KC Gaming Networks. 

“At this stage, the objectives of these investigations as directed by the National Commissioner/CEO of the Bureau, Dr. Vincent Olatunji, are to determine the impact of the breaches on the affected data subjects and the remedial actions taken by the concerned data controllers. The Bureau assures members of the general public that it will ensure proper accountability of the data controllers in the ongoing investigations”, Bamigboye said.

While this has opened banking services to the population, it also makes the sector an attractive target for ransomware and malware attacks.

Data protection has become a key element of success in a digital world, a fact that is highlighted by the Nigeria Data Protection Regulation (NDPR), which was issued in 2019 and is the principal regulation and framework for data protection in Nigeria. With ransomware attacks on the rise, an attack is a matter of ‘when’, not ‘if’.

The NDPR means that ignorance can no longer be used as an excuse for not protecting data.

More aware of the risk

Although digitalisation and open banking have changed the way financial services in Nigeria operate to a certain extent, the risk to data remains essentially the same as it ever was.

If malware breaches occur, or data is lost or deleted, there is a risk to business that can have detrimental consequences.

The NDPR recognises the critical nature of data and provides legal safeguards for the processing of personal data. The draft Data Protection Bill 2020, which will replace the NDPR if passed into law, will add to this by creating a regulatory framework for the protection and processing of personal data.

In line with global trends and best practices, there is now increased awareness around the need to protect data. While it has always been important, it is becoming mandatory because it is regulated.

From the inside out

Data security is a significant challenge for financial services organisations in Nigeria, and gaps in data protection mean vulnerabilities that can be exploited by malicious actors. With ransomware and other attacks on the increase, it has become imperative to address these gaps in a more proactive manner.

This starts from the inside, with internal processes and education on the risks and the need to safeguard data, particularly personal information.

Financial services and other organisations need to become stricter in how their internal users interact with data and become more proactive on monitoring, detecting anomalies, blocking suspicious activity, and essentially protecting data as a whole.

Becoming more proactive in approach

The first step in protecting data is the ability to identify critical and/or sensitive data as well as the risk that it is exposed or potentially exposed to. This requires an intelligent solution to help identify and highlight sensitive data that is either at risk or stored incorrectly.

Once it has been identified, it can be proactively protected or moved to more appropriate storage to avoid exposure and data leakage.

Once again, however, this begins with awareness, because if organisations do not know what data they have or where it is, it cannot be protected effectively. Proactive solutions are also essential, because reacting to an event after the fact means that it is more difficult to recover efficiently or at all.

Financial services are the foundation

Trust in financial systems is imperative for the stability of countries, and the trust of customers is the number one determinant of success.

These businesses are also large enterprises entrusted with extremely sensitive personal information. This not only makes them attractive targets for ransomware, it means that the reputational damage of an attack can have catastrophic consequences.  Having a trusted partner that is a specialist in data protection is essential in helping financial services organisations in Nigeria keep up with the dual challenges of increased attacks and a growing body of legislation.

A complete protection solution, offered via Software as a Service (SaaS) through a trusted partner, helps financial services organisations to identify sensitive information and security gaps, be proactive in preparing for an attack, react efficiently and effectively protect data, their most important business asset.

Across Africa, many existing data security and protection laws were modelled on the regulations of the EU’s first data privacy legislation – the EU Data Protection Directive (1995), which preceded the GDPR.

Current data protection law in Africa is therefore largely similar to the GDPR, although there are also some significant differences. Businesses with operations in Africa that are already GDPR compliant will find that this is a good first step, with local expertise also essential to ensure compliance with jurisdiction-specific differences in the laws and regulations.

Enid Baaba Dadzie, Senior Associate at Kimathi & Partners in Ghana, notes that Ghana’s Data Protection Act was passed in 2012, ahead of the adoption of the GDPR, so it does not expressly follow the GDPR framework.

However, the Act regulates the collection and processing of personal data through similar principles provided in the GDPR.

Similarly, Sonal Sejpal, Partner at ALN Kenya | Anjarwalla & Khanna notes the provisions of Kenya’s Data Protection Act, 2019 also correspond to those of the GDPR, but are not identical.

Janet MacKenzie, Partner and Head of the IPTech Practice at Baker McKenzie in Johannesburg says the Protection of Personal Information Act (POPIA) was first prepared as a draft bill in 2009, and was based on the EU Directive, which was replaced by the GDPR in 2018.

There are similarities and major differences between POPIA and the GDPR. For example, the GDPR only protects the personal data of natural persons and does not extend its protection to juristic persons, whereas POPIA protects the data of both natural and juristic persons.

Pierre Deprez, an Associate at Nasrollah & Associés Baker McKenzie in Morocco, notes that current data privacy law in Morocco follows the “declarative” framework of the EU Directive n°95/46, which prevailed in Europe before the GDPR was passed.

In Rwanda, both the Law Nº 058/2021 of 13/10/2021 relating to the Protection of Personal Data and Privacy and the draft Regulation Governing use of Personal data in Rwanda 2019 follow the same framework as the GDPR.

According to Emmanuel Muragijimana, Chief Associate at K-Solutions & Partners in Rwanda, “These legislations have some highlighted similarities, including principles relating to processing of personal data, obligations on the companies and organizations in order to ensure the privacy and protection of personal data, providing data subjects with certain rights, and assigning powers to regulators to ask for demonstrations of accountability or to impose fines in cases of non-compliance.”

Arnold Lule Sekiwano, Partner at Engoru, Mutebi Advocates in Kampala, Uganda, says that privacy law in Uganda is also partially based on the GDPR.

“Uganda’s Data Protection and Privacy Act (2019) (Act) aims to protect the privacy of the individual and of personal data and is, in some limited respects, inspired by the GDPR. The Act also mirrors the UK Data Protection Act, 1998, which revolves around several principles concerning data protection and collection. The Act created the personal data protection office in NITA-U, also an independent body synonymous to the UK’s Information Commissioner’s Office, set up under Chapter 6 of the GDPR. One of the main contrasts of Ugandan privacy law with GDPR is the absence of legitimate interest as a legal basis for processing in the Ugandan Act,” he explains.

Ammar Oozeer, Barrister at Law at BLC Robert & Associates explains that in Mauritius, “the Data Privacy Act (DPA) 2017 is aligned with international standards, namely the GDPR and the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. However, there are certain instances in the DPA 2017 where the provisions are not the same as those contained in the GDPR. For example, the hefty administrative penalties under the GDPR have not been reflected in the DPA 2017, the requirement under the DPA 2017 for controllers and processors to be registered with the Data Protection Office prior to the processing of personal data, and the absence of automatic transfer to countries ensuring an adequate level of protection based on the determination of the Data Protection Office. 

He notes further, “The Mauritian legislator has adopted a criminal regime for sanctioning contravention of the DPA 2017. However, if an individual has suffered prejudice as a result of a breach of the DPA 2017 by a controller or processor, for example, following a personal data breach, the individual may claim damages or that breach under the law of tort.”

Ammar explains that to attract foreign investors, in particular, from the EU, it is imperative that African countries have robust data protection legislation because data protection is regarded as a fundamental right in the European Union.

Ijeoma Uju, Partner at Templars in Lagos, Nigeria, says that the Nigerian Data Protection Regulation (NDPR), 2019, is significantly modelled after the GDPR, noting that, “both laws are reasonably similar in terms of rationale and core principles. The NDPR and the GDPR both aim to provide data subjects with a certain level of protection regarding their personal data. The material scope of the laws are consistent, with common definitions and principles on processing of personal data in general.

“For example, the GDPR require data controllers to report a data breach within 72 hours after becoming aware of such breach. The same provision can be found in the NDPR implementation framework. Beyond the similarities, both laws also have notable differences. One major difference is the requirement under the NDPR for the filing of data audit reports on an annual basis if certain processing thresholds are met. Additionally, unlike the NDPR, the GDPR is a more unified framework. Although the NDPR and the Data Protection Bill aim to achieve this goal, Nigeria laws on data protection and privacy are currently not as comprehensive or unified,” she notes.

The GDPR has clearly given African governments a yardstick by which to measure and develop their own privacy laws, as well as giving African organisations an international standard to adopt, and thereby maintain the trust of the international community. However, it is also imperative that local expert advice is sought to ensure compliance with country and region-specific laws.

The National Commissioner who made this assertion during a working visit to Dr. Abimbola Alale, the Managing Director of the Nigerian Communications Satellite (NIGCOMSAT), and her management team at the Space Agency’s Headquarters in Abuja noted that best practices that meet global standards in the protection of data must be adopted in satellite communications.

Olatunji said that with the redesignation of the supervisory Ministry to include Digital Economy and with the launch of the National Digital Economy Policy and Strategy (NDEPS), relevant laws must be put in place to guarantee protection of data.

“The NDEPS is the roadmap for the digitization of the country and appropriate laws and regulations must be put in place to ensure protection of data in line with global standards bearing in mind local and international regulations to safeguard data of citizens”, he stated.

While commending the Honorable Minister of Communications and Digital Economy, Prof Pantami for the giant stride he took in the issuance of the Nigeria Data Protection Regulations (NDPR), Olatunji disclosed that the industry is now worth over 4 billion naira with about 8000 people gainfully employed.

He added that the role of the Bureau is to ensure that data of Nigerians wherever they are is adequately protected and to ensure that all organizations in Nigeria comply with the provisions of the NDPR.

Olatunji further mentioned that the Bureau was established to ensure the implementation of the NDPR to safeguard the rights, freedom and privacy of citizens as well as ensure that the country has a principal legislation in that regard.           

The NDPB boss however noted that the Bureau was not out for sanctions but rather encourage organizations to comply with the provisions of the NDPR and make it a culture by default.

“We are out to create awareness on data protection for all data processors and data controllers to adopt and see as a norm so that the global community will see us as being serious when it comes to issue of data privacy and protection”, he averred.

Emphasizing on the importance of the awareness being created by the Bureau, he emphatically stated that data subjects need to know their rights in terms of consent, security, storage and cross border transfer of their data while at the same time enlightening data controllers on their obligations to data subjects.

“It is highly important that those in charge of data processing in organizations are sound enough to know what to do, how to do and the kind of measures they need to put in place in terms of organizational and technical measures to ensure the safety of data of their subjects”, he mentioned.

He then gave assurances of the Bureau’s support in terms of trainings, peer reviews and guidelines to NIGCOMSAT and urged them to comply with the provisions of the NDPR by annually filing their audit reports with NDPB.

Alale in her remark applauded the National Commissioner and his team for their proactive initiatives in ensuring the security of data in the country.

Affirming her support to the Bureau, Alale stated that NIGCOMSAT is already working on their data privacy audit report for the year which will be filed with the Bureau and promised to share the guidelines with their partners who in turn can be independently monitored by the Bureau.

“As we push forward the digital agenda of Nigeria, we should support one another and we at NIGCOMSAT pledge our support to you”, she said.