Ridwan Oloyede
Ridwan Oloyede, a Co-founder of Tech Hive Advisory, specialises in law, technology, privacy, and data protection. With a proven track record, he has significantly influenced legislative policies in Nigeria, contributed to global frameworks at the United Nations, and was recognised as a national leader in data in the 2023 Who's Who Legal Rankings (WWL Rankings). He is an IAPP Fellow in Information Privacy. He also hosts a podcast called "Privacy Bar and Bants" where he discusses various topics relating to data protection, privacy, and personal data breaches.
About Ridwan
Information Technology Policy
Dedicated to advancing economic and societal development through technology, Ridwan Oloyede co-founded Tech Hive Advisory, an organisation committed to providing policy advisory and research support to African entities. As an IAPP Fellow in Information Privacy, Ridwan has collaborated with both African and global organisations, contributing his expertise to shape impactful policies in the ever-evolving landscape of information technology.
Consultant
Ridwan has played a pivotal role in legislative and policy development processes, creating environments conducive to technology-focused businesses while safeguarding human rights. His contributions include advising governments, committees, and technology-related interest groups. Notable accomplishments include active involvement in the formulation of significant policies and frameworks such as the NITDA Data Protection Guidelines 2017, CBN Payment System Vision 2030, and the Data Protection Bill 2022.
Researcher
A prolific writer, Ridwan leverages his writing as a powerful medium for influencing information technology policy. His contributions span a spectrum of technology-related legal issues from a local perspective, addressing surveillance, encryption, tracking technologies, and deceptive design. Noteworthy recognitions include being acknowledged as the legal influencer for TMT in Africa and the Middle East by Lexology and being ranked as a well-known author in Nigeria by Mondaq. His work includes insightful articles on data protection, such as "From Bytes to Rights: The Journey to a Comprehensive Data Protection Law in Nigeria" and "Data Protection in Nigeria: A look back at 2022 and projections for 2023."
Humanity
Committed to humanitarian causes, Ridwan actively supports initiatives that promote responsible innovation. He champions guidelines to address deceptive design by consumer protection authorities in Africa. Ridwan's commitment extends to privacy awareness through the creation and executive production of the "Privacy Bar and Bants" show and podcast. The platform serves as a space for discussing topics centred around data protection, data privacy, data breaches, and cybersecurity, aligning with his vision of responsible and ethical technology practices.
Speaker
Ridwan's impact extends beyond writing and consultancy as he actively engages as a speaker, facilitator, and panellist in global expert sessions. His perspectives cover a broad spectrum of topics, including surveillance, digital authoritarianism, child online safety, deceptive design, encryption and anonymity, data protection, and policy. Ridwan has spoken in various countries and cities, including Nairobi, Rwanda, South Africa, Nigeria, and Leicester, United Kingdom, contributing to cybersecurity, data protection, and data ethics discourse.
Career
Career Journey
7+ Years in Technology-related policy, legal and compliance advisory services
Ridwan began his career in traditional law firm practice but intentionally crafted his career in technology advisory. He set up the technology practice team at Famsville Solicitors and later co-founded Tech Hive Advisory, where he currently serves as the technology policy lead.
5+ Years experience in leadership and management roles
Throughout his career, Ridwan has taken on leadership roles, from establishing and leading the technology team at a commercial law firm to co-founding Tech Hive Advisory. He prioritizes not only ensuring the job is done well but also ensuring his team members benefit from the process and achieve personal and professional development goals.
3000+ Trained
Ridwan has led certificate and non-certificate training sessions for over 3,000 employees from 30+ organizations, including senior management, product development teams, and law enforcement agencies. These training sessions support organizations' privacy objectives.
25+ Legislative and Policy Contributions
Ridwan has advised and contributed to the development of over 25 policies, guidelines, and bills and made presentations to various regional legislature and stakeholders. He has been recognized for his contributions to the legislative and policy development of the Nigerian data protection ecosystem.
10+ Published Reports
Ridwan has actively led and participated in the research team responsible for publishing 10+ reports on critical policy and practice issues across different thematic areas. This includes collaborating with national and regional consumer protection authorities in Africa to create a guideline on deceptive design.
50+ Organisational Privacy Programs Managed and Delivered
As the Technology policy lead at Tech Hive, Ridwan has supported over 50 organizations in aligning their key stakeholders, business, and privacy objectives with processing activities to comply with relevant data protection laws in various markets.
80+ International speaking engagements delivered
Ridwan has delivered speeches, presented papers, and served as a panelist and moderator on various technology policy issues at different gatherings of individuals interested in these fields.
25+ Publications
Throughout his career, Ridwan has published over 30 articles on legal and policy issues relating to technology, innovation, and data protection in Africa. His work has been recognized and deemed instructive.
Executive Producer Privacy Bar and Bants
Ridwan produces Privacy Bar and Bants, a podcast and show aimed at demystifying privacy and other digital risks for enthusiasts and aspiring professionals in Africa. The show promotes greater online safety awareness and began as a live show before transitioning to a podcast.
Professional Affiliations and Recognition
Expert, Council of Europe, Data Protection Unit
Member, Privacy Working Group, National Institute of Standards and Technology (NIST)
Fellow of Information Privacy (FIP) – International Association of Privacy Professionals (IAPP)
Other Professional Affiliations and Recognition
Research Fellow, Africa Academic Network on Internet Policy
Co-Founder, Africa Data Governance Initiative (ADGI)
Researcher, Responsible Data Governance for Artificial Intelligence
Co-Founder, Privacy Alliance
Member, Africa Digital Rights Network
Member, Advisory Board, the Continental Approach
Trustee, Africa Biodata Foundation
Member, Afroleadership
Member, Africa Law & Tech Network
Volunteer, Ikigai Innovation Initiative
My Blog
The new data protection bill in Nigeria
The Nigeria Data Protection Bureau (NDPB) has published a copy of the new Data Protection Bill. In recent months, the National Commissioner of the NDPB has reaffirmed the commitment to enacting a data protection law by the end of the year. Furthermore, the chair of the Senate Committee on Information Communication Technology and Cybercrime recently promised that the bill would be passed within thirty days of being introduced in the National Assembly.
A validation exercise for the bill was held in Abuja yesterday. The commitment to seeing the bill passed is commendable. There have been more than ten previous attempts to pass a data protection law before this point. This is the sixth attempt to pass a data protection law since 2018. The bill will be presented as an executive bill. The hope is that the current endeavour will see the end of the tunnel, unlike previous attempts.
A copy of the bill is available here.
Comment on the Data Protection Bill 2022
The bill will apply where the controller or processor is resident in Nigeria, where the processing takes place in Nigeria, or where the organisation actively targets, markets to, or monitors Nigerian residents. The bill does not apply to personal or household use. Furthermore, certain provisions of the bill will not apply where processing is required for national security, crime investigation and prevention, or public health emergency control, or where the journalistic exemption applies.
The review looks largely at the operational aspects of the proposed law.
Bridging the gaps under the NDPR
In general, the bill is a significant improvement over the Nigeria Data Protection Regulation (NDPR). Notably, the new bill fills some gaps in the NDPR. For example, it expressly states the principles of fairness, transparency, and accountability. Similarly, legitimate interest is recognised as a lawful basis, but at the same time the bill imposes conditions that will make it impracticable to use. The legal basis for processing sensitive personal data is clearly stated, and the bill addresses how to provide a privacy notice when the data is not collected directly from the data subject.
The bill expanded controllers’ and processors’ mutual responsibilities. The rules on child protection are more explicit, and there is even a new requirement for age verification. Furthermore, it appears to have reconciled the age of a child to 18 in order to be consistent with the Child Rights Act rather than the confusion created by the Data Protection Implementation Framework (DPIF), which defined a child as anyone under the age of 13. The DPIF’s mandatory requirement for multinational corporations to have data protection officers in Nigeria is no longer in effect. It provided additional clarification on the exercise of data subject rights. Another appealing aspect of the bill is the possibility of departing from the DPIF’s requirement that references to the African Union Convention on Cybersecurity and Personal Data Protection (Malabo Convention) and the GDPR be made where the NDPR is unclear. For context, Nigeria is yet to sign or ratify the Malabo Convention.
There are also new provisions, such as mandatory registration, the transformation of the NDPB into the new data protection commission, the inclusion of a journalistic exemption that will strengthen freedom of expression, and the introduction of prior consultation with the regulator for data protection impact assessment where the risk cannot be mitigated, among other things. Finally, the bill introduces the concept of a controller and processor of “major importance.” While an attempt was made to define these terms, the classification threshold remains unknown, but the commission promised to define the tiering.
The confusion: amplifying existing gaps
Despite efforts to fill gaps in the NDPR, the bill still has room for improvement. I have highlighted some concerns below.
Mandatory registration
The new bill requires data controllers and processors of “major importance” to register with the commission. The registration fee will also be set by the commission. While the requirement appears in many African data protection laws, its relevance appears limited to revenue generation. There is no data or empirical evidence to suggest that countries that require registration have higher compliance rates than those that do not. This must be done carefully to avoid turning registration into a tick-box Olympics, as the filing of data protection audits has suffered when it has been misclassified as evidence of data protection compliance when, in fact, it only satisfies one requirement under the NDPR and one pillar of monitoring under most privacy program frameworks. If the drafters intend to keep the provision, they must clarify that being listed on the register is not proof of compliance with the entire law.
International data transfer
The international data transfer mechanism under the NDPR and DPIF has been chaotic. The NDPR, for example, includes a provision governing adequacy decisions for countries. However, the DPIF published a list of countries that included countries without data protection laws, or with data protection laws but with no established or designated authority to enforce them. A civil society group is currently challenging the list at the Federal High Court over the failure of NITDA to follow its own rules. The DPIF created binding corporate rules (BCR) and standard contractual clauses (SCC) without specifying the approval process and content for BCR or adopting a standard or template for SCC, which added to the confusion.
This provision will almost certainly have the greatest impact on businesses. The concept of an adequacy decision for countries and that of appropriate safeguards for controllers and processors appear to have been conflated by the bill’s drafters. Section 43 (1) (a) copied the GDPR’s appropriate-safeguards provision in letter but not in spirit or intent. It is critical that these provisions are properly drafted in order to avoid imposing new operational challenges on businesses.
Data retention
Another potential operational difficulty is the storage limitation provision. Anyone who has attempted to create a data retention schedule knows how difficult it can be. The bill restricts the retention period to where the law allows it or where the data subject consents. This risks oversimplifying the complexities of data retention, in which contracts, research, a court order, or the defence or establishment of a legal claim could all play a role.
Data subject rights
The bill’s provisions on exercising rights are far more comprehensive than those in the NDPR. However, it lacks a timeline for responding to rights requests.
Independence
One of the biggest problems and criticisms of NITDA and the NDPB was their lack of independence, which affected how the NDPR was implemented. Under the African Union Convention on Cybersecurity and Personal Data Protection, the Economic Community of West African States Supplementary Act on Personal Data Protection, the Declaration of Principles on Freedom of Expression and Access to Information in Africa, and Convention 108 of the Council of Europe, one of the measures of independence is not being tied down by the executive arm of the government. A close reading of the bill suggests that a minister has supervening power. In addition, the governing council is largely made up of representatives of government institutions, which casts doubt on the commission’s independence. Consideration should be given to civil society and human rights interests.
Sanctions and enforcement
The bill risks falling into the same trap as the NDPR, where the number of data subjects affected by a violation was the sole determinant of fines. The bill classifies violators as either controllers or processors of “major importance” or not. The risk posed by the violation and other factors, not just the size of the organisation, should be considered. Other factors to consider include the nature, gravity, and duration of the infringement; the purpose of the processing; the number of data subjects involved; the level of damage and the damage mitigation measures implemented; intent or negligence; degree of cooperation with the Commission; and the categories of personal data involved.
Missing icons
The bill is silent on requirements that could strengthen accountability, like data protection by design and default and documenting a record of processing activities, among other things. However, the bill grants the commission broader power to issue regulations that may address these missing provisions.
Timelines
The bill will benefit from precise timelines. For example, timelines for registration approval, data subject rights requests, and complaint resolution, among other things, are missing.
Conclusion
The bill is a necessary intervention, and its passage is an important outcome. However, the desire to pass a law in record time will be defeated if a flawed bill is enacted. Given how difficult it is to change a law in Nigeria, the people the law is meant to protect and the businesses that are supposed to work with it will be the most affected. Furthermore, with the tiering of controllers and processors of “major importance”, the bill should avoid focusing on large market players while ignoring small players capable of even more “horrible practices”.
While it may be easy to dismiss concerns about the absence of some important provisions because they can be addressed through regulation, the regulatory reign under NITDA and the NDPB did not provide much timely clarification on the NDPR. For example, the DPIF took nearly two years to finalise, and there was confusion about which version of the document was valid. The new commission should spend more time and effort developing useful commentaries, guides, guidelines, and resources to help with compliance. In addition, the NDPB, which will be transformed into the commission, should invest in increasing its capacity and competence in order to improve complaint resolution time and ensure consistency of response in the face of an inquiry or regulatory confusion.
Finally, I suggest more people participate in the process by sending their suggestions to legal@ndpb.gov.ng.
Data protection compliance: when it’s a “tick-box Olympics” and a race to nowhere
“The most important thing in the Olympic Games is not winning but taking part; the essential thing in life is not conquering but fighting well.” (Baron Pierre de Coubertin)
The Olympic Games have provided numerous memorable and iconic moments as athletes prepare and compete intensely. As with the Olympics, developing an effective privacy program requires a substantial investment of time, resources, and effort, but the payoff is immense.
This article examines Nigeria’s data protection compliance landscape and serves as a cautionary tale and wake-up call for a different approach that prioritises “fighting well” over passive involvement.
The introduction of the Nigeria Data Protection Regulation (NDPR) and its Implementation Framework increased organisations’ interest in and efforts to implement compliance measures. Previously, multinational or international organisations with compliance obligations in other countries would typically extend their global privacy programs to local entities. While this renewed and stepped-up effort is commendable, there are concerns that the push for compliance will lead to a tick-box Olympics and, ultimately, a race to nowhere.
“Tick-box culture is when an organisation monitors its processes and policy using checklists to show both the internal organisation (employees, management, board, etc.) and the outside world (customers, industry regulators) that processes are in tip-top condition and fully compliant with legislation and regulations.”
The NDPR and its Implementation Framework impose a few compliance obligations on entities subject to them. Developing a privacy program entails incorporating these measures and other best practices. A tick-box approach to data protection compliance may imply a race to demonstrate compliance through vanity metrics.
“Vanity metrics are metrics that make you look good to others but do not help you understand your own performance in a way that informs future strategies.”
One of the measures that have emerged or been adopted in the Nigerian industry to demonstrate data protection compliance is the demand for evidence of the filing of the audit report. Data controllers who exceed a certain threshold based on the number of data subjects whose information they process are required by the NDPR to conduct an annual audit and file a report with the regulator. Too often, the request is a part of due diligence, a contracting requirement, a request for proposal, or a regulatory requirement. There are reports of regulators requesting this document during audits or visits and commercial banks requiring it for onboarding. Some businesses also request it as proof of compliance or evidence of the other party’s implementation of data protection measures. As a result, we are elevating this document to a comprehensive proof of regulatory compliance. The request for audit evidence is sometimes phrased as a “certificate or evidence of compliance.”
“You cannot improve what you cannot measure.” (Peter Drucker)
An audit and the accompanying report are merely health checks. And, as with health checks, if the gaps are not closed, how can that be considered evidence of optimal wellness? Some privacy program frameworks include an audit under the “monitoring” or “data processing ecosystem risk management” pillar to ensure the program is periodically assessed and measured. Examples are the NIST Privacy Framework and the Secure Controls Framework, among others. The audit’s elevated status in Nigeria is largely attributable to its statutory nature.
As part of my job, I frequently receive requests for NDPR “compliance certificates or evidence of compliance.” And each time, I have had to explain that the NDPR does not have a certification mechanism and is not a standard to be certified against. Still, there is a common misconception that conducting and filing the statutory audit equates to all of the rules in the NDPR being followed.
The prevalence of this misconception is exemplified by the large number of organisations that use labels such as “NDPR-compliant” and other similarly prestigious phrases as part of their public relations efforts to indicate that they have complied with the regulation sufficiently. If one digs deep enough, justifications for the successful completion of the audit filing process can be found for these statements, which are otherwise mere puffery. This may not be a bad thing, especially in terms of public relations, but it is false and suggests a false sense of adherence. In contrast, filing an audit report demonstrates compliance with just one of the many obligations outlined under the NDPR and its Implementation Framework and does not replace compliance with the entire regulation.
The fear is that this misconception and misrepresentation by organisations is not merely deceptive to the outside world but also creates a false sense of adherence for entities about the true extent of their data protection obligations. What has also exacerbated the misrepresentation and false narrative is the framing by the regulator, press, and advisers, who continue to sustain the narrative, and the pressure to demonstrate evidence of compliance, which is deeply rooted in the tick-box approach to compliance. For example, on the regulator’s website, the list of organisations that filed audit reports is framed as
While the regulator’s intention is not to fuel misinformation, the list is frequently shared in the context of the evidence of data protection measures being implemented. Similarly, headlines and framing of stories like this, this, this, this, this, this, this, and this, among many others, are not only misleading but also give organisations a false sense of adherence.
While the seal given to organisations that have filed the report is carefully worded to imply that it is simply an audit, which is commendable, the market paints a different picture. Financial institutions, regulators, and prospective business partners now request it, believing it to be a magic wand demonstrating compliance with all NDPR’s obligations. As a result, organisations that did not meet the numerical threshold for filing an audit report now do so or are under pressure to do so to demonstrate compliance with prospective business partners.
Concerns about the tick-box approach to compliance extend far beyond the audit reports. The recent compliance notice issued by the regulator, requiring organisations to take specific actions before inclusion on the “National Data Protection Adequacy Programme (NaDPAP) Whitelist,” will have a similar effect. Organisations will only submit the requested checklist of evidence, and there is no monitoring system in place for verification. Are individuals who identify themselves as data controllers expected to comply? Is there any oversight or independent verification for the information provided? There are more questions than there are answers.
The new obsession will be to appear on the “adequacy whitelist” and on the list of organisations that have submitted an annual audit report. Finally, these reservations extend to the new data protection bill’s mandatory registration requirement. In my analysis of the bill, I have expressed my reservations. To put it here again, there is no evidence from real-world comparisons to show that countries with registration requirements have a higher compliance rate than countries without them.
Swimming against the tide
Although filing the audit report is excellent for statutory compliance and regulatory risk management, rather than rushing to brag about being “NDPR compliant”, which amounts to no more than filing an audit report and issuing a press release, businesses should focus on developing a solid privacy program, which will be far more promising. Organisations should focus on meeting their accountability obligations to demonstrate compliance with the regulations rather than being distracted. A privacy program is a marathon. It also entails assessing the maturity of the privacy program and looking for ways to continuously improve the current posture.
Businesses serious about managing third-party risk and understanding the changing risk landscape will not put a premium on having evidence that they filed an audit report alone. However, addressing third-party risk entails establishing a more efficient due diligence process to control exposure, which should be a top priority. For instance, pre-contractual due diligence may consist of questions with supporting documentation, while in-contract due diligence may include provisions for audits and inspections by a second party. Several questions can be asked during pre-contractual due diligence, including whether the company is under investigation, the nature and frequency of data breaches, evidence of relevant policies and procedures, proof of an appreciation for data protection, evidence of appropriate technical and organisational measures, and a list of any third parties or sub-processors used. Time and effort should be spent on finding a reliable partner to ensure quality control and compliance throughout the arrangement, and the partnership should be formalised with a contract. Again, more than submitting an audit report will be needed to calm your nerves about vendor risk management. In managing third-party risk, if a consultant recommends that you place more weight on whether or not a company has conducted an audit than on a proper vendor risk assessment, you should demand a refund.
Rhythmic gymnastics or ski mountaineering?
To show the dangers of a “tick-box Olympics”: some months back, I sent data subject access requests to four different companies: three commercial banks and a power distribution company that I use. Even after several months, none acknowledged my email, much less responded to my request, which may indicate the absence of a data subject rights management procedure. In a separate instance, my request to delete my data from a food delivery app was granted within minutes. I was excited for a moment. A few weeks later, I received a promotional email from the same service provider indicating that my email had not been removed. I still get the emails to date. In both cases, the companies can be found on the “list of organisations that have complied with the NDPR.” I have heard similar stories and also have more of my own.
In our recent report on the use of tracking technologies in Nigeria, we discovered that many of the websites and mobile applications we examined were owned or maintained by organisations listed as having filed the audit report. On the other hand, our report discovered inconsistencies between what they do on their website and apps and what they claim to do in their privacy notice.
Hear me out! This is not a criticism of what is being done or of those who encourage the practice; instead, it is a wake-up call to organisations to focus on what is more important than being aesthetically pleasing while racing nowhere. A well-conducted independent audit is an excellent way to monitor your privacy program. It can identify what you are doing correctly, what needs improvement, and what you are doing poorly. Again, alone, it is not a magic wand that can repair or replace a comprehensive privacy program. If you do not implement the recommendations from an audit, the problem persists, and it will persist if you repeat the process.
Closing ceremony: turning off the light
The risk of a compliance model based on checklists is that organisations become obsessed with ticking boxes while ignoring the development of a comprehensive privacy program. Organisations have always found ways to meet regulators’ checklists while failing to embed the process internally. Implementing a privacy program is a lot of work, but it is essential. As demonstrated in my examples, making a whitelist is not the issue; the question is whether there is a process and procedure to react to and deal with situations when they arise.
Although the regulator’s initiatives may have been well-intended, their benefits and effectiveness have been mixed. If the goal is to bring more data controllers and processors under the regulator’s wing, then the time has come to rethink the approach and instead emphasise educating organisations on the benefits of a privacy program and empowering the data subjects so that they are in a position to ask questions and lodge complaints. I have written that “there is more work to be done in raising awareness of data subjects – aware enough to invoke their rights and make informed decisions.” Furthermore, if complaints are resolved timely, or the status of complaints is updated regularly, trust in the ecosystem may increase. An empowered data subject can give the regulator more insight into those they intend to regulate while also creating an incentive for controllers and processors to do the right thing.
Also, the regulator should put more resources and “effort” into “developing useful commentaries, guides, guidelines,” and self-assessment toolkits… to aid compliance, which will show organisations “how” to do what they are supposed to do. Finally, while they may not have the primary responsibility to do so, a clarifying statement from the regulator outlining the limitations of submitted audit reports and the proposed whitelist will benefit the ecosystem.