Picture this: your aunt sends a WhatsApp broadcast demanding your NIN, BVN, blood group, and “favourite soup for verification.” You smile, type “Egusi,” hit send — and that’s exactly how wahala [trouble] begins.
In Nigeria, personal data is not just data — it’s gold garri. Marketers feed on it, scammers swim in it, and the law now guards it. Under the new Nigeria Data Protection Act (NDPA) of 2023, the Nigeria Data Protection Commission (NDPC) stands like a hall security at Quilox — nobody gets through without ID and patience.
This isn’t talk for boardrooms only. Real fines are landing on people’s desks. Fidelity Bank was slapped with a ₦555.8 million fine last year over data breaches, and MultiChoice just received ₦766.2 million in July. That’s not “we’ll see later” — that’s “pay now, argue later” energy.
When a company loses your data or exposes it, they must tell the NDPC within 72 hours if your rights are at stake. No sweeping breaches under FOMO-fuelled blankets. And if they ignore the law, the fine? It could be the higher of ₦10 million or 2% of yearly gross revenue for big players, or ₦2 million (or the same 2% threshold) for smaller outfits. That’s not chukwu in action — it’s your boss company’s bank account we’re talking about.
So, what do you — and businesses — do to stay afloat without the fines? First, stop giving your details like you’re on a promo. That barber asking for your BVN to “hold slot”? Tell him to “hold clippers” instead. If they can’t explain why they need your data, don’t hand it over.
There’s a thing called data minimisation — think small chops portion, not buffet. Only share what’s needed. And don’t leave apps asking for your location “always on.” That’s how apps become amebo — and your privacy becomes gossip.
Secure your digital doors like PHCN is coming with a surprise disconnection. Use strong passwords, enable two-factor authentication, and never, ever reuse your ATM PIN for Facebook comments or WhatsApp. That’s how people invite kidnappers to dance in their DMs.
Audit your phone and computer the way you audit fuel prices. Check what apps have access to your camera, contacts, mic, location — and pull the plug when they don’t need those anymore. Make permission revoking your new pastime.
Businesses, listen well. Have a privacy policy people can actually finish reading — don’t make it longer than Nollywood film titles. Know what data you collect, why, where it’s stored, who touches it, and when it goes to data heaven (i.e., gets deleted). Don’t keep passports “just in case” till 2042. That kind of “just in case” is how NDPC holidays become your financial nightmare.
Train people consistently. One annual slide deck won’t cut it. Use real Nigerian examples — like phishing SMS texts that look like they’re from GTB, “free” data that isn’t, USB sticks found in DF Mall, “send code for verification” scams. Add puff-puff and suya if it helps attendance — and retention.
Remember your vendors too. That email service provider, ERP system, or that cousin’s guy who coded your loyalty app — all of them touch your data. Get contracts in place and make sure they follow the rules. If they mess up, you’ll still pay, so vet them like you vet suya vendors: inspect the meat and grill before you buy.
Treat deleting data like discipline. If you can’t justify why something’s still stored, drop it. Storage is cheap until your regulator asks why a 2016 KYC is still in your database. Hoarding is not heroic — it’s a one-way ticket to fines.
And when (not if) trouble hits, speak up fast. Silence after a breach is not wisdom, it’s negligence. Notify the NDPC, mitigate damage, document everything. That’s how you turn a mess into a clean exit — and maybe avoid headlines like Fidelity or MultiChoice.
Privacy isn’t being paranoid — it’s being streetwise with an edge. Just like you wouldn’t travel to your village and leave your pot of stew on the fire, don’t let your data burn unseen. Set strong passwords, question every form, delete what you don’t need, train your people, and get contracts that protect you. NDPA is awake. Nigerians are watching. Protect your data — and your pocket will say, “Thank you.”
Michael Irene, CIPM, CIPP(E), is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; Twitter: @moshoke








