Data protection compliance: when it’s a “tick-box Olympics” and a race to nowhere

“The most important thing in the Olympic Games is not winning but taking part; the essential thing in life is not conquering but fighting well.” Baron Pierre de Coubertin.

The Olympic Games have provided numerous memorable and iconic moments as athletes prepare and compete intensely. As with the Olympics, developing an effective privacy program requires a substantial investment of time, resources, and effort, but the payoff is immense.

This article examines Nigeria’s data protection compliance landscape and serves as a cautionary tale and wake-up call for a different approach that prioritises “fighting well” over passive involvement.

The introduction of the Nigeria Data Protection Regulation (NDPR) and its Implementation Framework increased organisations’ interest in, and efforts to implement, compliance measures. Previously, only multinational or international organisations with compliance obligations in other countries would typically extend their global privacy programs to their local entities. While this renewed and stepped-up effort is commendable, there is a real concern that the push for compliance will turn into a tick-box Olympics and, ultimately, a race to nowhere.

“Tick-box culture is when an organisation monitors its processes and policy using checklists to show both the internal organisation (employees, management, board, etc.) and the outside world (customers, industry regulators) that processes are in tip-top condition and fully compliant with legislation and regulations.”

The NDPR and its Implementation Framework impose a number of compliance obligations on the entities subject to them. Developing a privacy program entails incorporating these measures alongside other best practices. A tick-box approach to data protection compliance, by contrast, turns into a race to demonstrate compliance through vanity metrics.

“Vanity metrics are metrics that make you look good to others but do not help you understand your own performance in a way that informs future strategies.”

The race to nowhere

One of the measures that has emerged in the Nigerian market to demonstrate data protection compliance is the demand for evidence that an audit report has been filed. Data controllers who exceed a threshold based on the number of data subjects whose information they process are required by the NDPR to conduct an annual audit and file a report with the regulator. Too often, the request for this evidence is part of due diligence, a contracting requirement, a request for proposal, or a regulatory requirement. There are reports of regulators requesting the document during audits or visits and of commercial banks requiring it for onboarding. Some businesses also request it as proof of compliance or as evidence that the other party has implemented data protection measures. The request is sometimes even phrased as a “certificate or evidence of compliance.” As a result, we are elevating this single document to comprehensive proof of regulatory compliance.

“You cannot improve what you cannot measure.” Peter Drucker

An audit and the accompanying report are merely health checks. And, as with health checks, if the gaps they identify are not closed, how can the check itself be considered evidence of optimal wellness? Some privacy program frameworks place auditing under a “monitoring” or “data processing ecosystem risk management” pillar, whose purpose is to ensure the program is periodically assessed and measured; the NIST Privacy Framework and the Secure Controls Framework are examples. Audit’s elevated status in Nigeria is largely attributable to its statutory nature.

As part of my job, I frequently receive requests for NDPR “compliance certificates or evidence of compliance.” And each time, I have had to explain that the NDPR does not have a certification mechanism and is not a standard to be certified against. Still, there is a common misconception that conducting and filing the statutory audit equates to all of the rules in the NDPR being followed.

The prevalence of this misconception is exemplified by the large number of organisations that use labels such as “NDPR-compliant” and similarly prestigious phrases in their public relations to indicate that they have sufficiently complied with the regulation. Dig deep enough and the only justification for these statements is usually the successful completion of the audit filing process; otherwise they are mere puffery. This may be harmless as public relations, but it is inaccurate and creates a false sense of adherence. In reality, filing an audit report demonstrates compliance with just one of the many obligations under the NDPR and its Implementation Framework and does not replace compliance with the rest of the regulation.

The fear is that this misconception and misrepresentation by organisations is not merely deceptive to the outside world but also gives the entities themselves a false sense of the true extent of their data protection obligations. The misrepresentation has been exacerbated by the framing used by the regulator, the press, and advisers, who continue to sustain the narrative, and by the pressure to produce evidence of compliance, which is deeply rooted in the tick-box approach. For example, on the regulator’s website, the list of organisations that filed audit reports is framed as

While the regulator’s intention is not to fuel misinformation, the list is frequently shared as evidence that data protection measures have been implemented. Similarly, the headlines and framing of numerous news stories about the list are not only misleading but also give organisations a false sense of adherence.

While the seal given to organisations that have filed the report is carefully worded to state that it is simply an audit, which is commendable, the market paints a different picture. Financial institutions, regulators, and prospective business partners now request it, believing it to be a magic wand that demonstrates compliance with all of the NDPR’s obligations. As a result, organisations that do not meet the numerical threshold for filing an audit report now file one anyway, or are under pressure to do so, to demonstrate compliance to prospective business partners.

Screenshot of seal issued to organisations that have filed an audit report

Concerns about the tick-box approach to compliance extend far beyond audit reports. The recent compliance notice issued by the regulator, requiring organisations to take specific actions before inclusion on the “National Data Protection Adequacy Programme (NaDPAP) Whitelist,” will have a similar effect. Organisations will simply submit the requested checklist of evidence, and there is no monitoring system in place to verify it. Are individuals who identify themselves as data controllers expected to comply? Is there any oversight or independent verification of the information provided? There are more questions than answers.

The new obsession will be to appear on the “adequacy whitelist” and on the list of organisations that have submitted an annual audit report. Finally, these reservations extend to the mandatory registration requirement in the new data protection bill. I have already expressed my reservations in my analysis of the bill, and the point bears repeating here: there is no evidence from real-world comparisons that countries with registration requirements achieve a higher compliance rate than countries without them.

Swimming against the tide


Filing the audit report is excellent for statutory compliance and regulatory risk management. But rather than rushing to brag about being “NDPR compliant” on the strength of nothing more than an audit filing and a press release, businesses should focus on developing a solid privacy program, which is far more promising. Organisations should concentrate on meeting their accountability obligations, which is what actually demonstrates compliance with the regulations, rather than being distracted. A privacy program is a marathon: it also entails assessing the maturity of the program and continuously looking for ways to improve the current posture.

Businesses serious about managing third-party risk and understanding the changing risk landscape will not put a premium on evidence of a filed audit report alone. Instead, addressing third-party risk entails establishing a more effective due diligence process to control exposure, which should be a top priority. For instance, pre-contractual due diligence may consist of questions with supporting documentation, while in-contract due diligence may include provisions for audits and inspections by the other party. Several questions can be asked during pre-contractual due diligence: whether the company is under investigation, the nature and frequency of any data breaches, evidence of relevant policies and procedures, evidence that data protection is taken seriously, evidence of appropriate technical and organisational measures, and a list of any third parties or sub-processors used. Time and effort should be spent on finding a reliable partner to ensure quality control and compliance throughout the arrangement, and the partnership should be formalised in a contract. Again, an audit report alone will not be enough to put your mind at rest about vendor risk management. If a consultant advising you on third-party risk recommends placing more weight on whether a company has filed an audit report than on a proper vendor risk assessment, you should demand a refund.

Rhythmic gymnastics or ski mountaineering?

To show the dangers of a “tick-box Olympics,” some months back I sent data subject access requests to four different companies that I use: three commercial banks and a power distribution company. Even after several months, none acknowledged my email, much less responded to my request, which may indicate the absence of a data subject rights management procedure. In a separate instance, my request to delete my data from a food delivery app was granted within minutes. I was excited for a moment. A few weeks later, I received a promotional email from the same service provider, indicating that my email address had not been removed. I still receive these emails to date. In both cases, the companies can be found on the “list of organisations that have complied with the NDPR.” I have heard similar stories and have more of my own.

In our recent report on the use of tracking technologies in Nigeria, we found that many of the websites and mobile applications we examined were owned or maintained by organisations listed as having filed the audit report. Yet the same report found inconsistencies between what those websites and apps actually do and what their privacy notices claim they do.

Hear me out! This is not a criticism of what is being done or of those who encourage the practice; instead, it is a wake-up call to organisations to focus on what matters more than looking aesthetically pleasing while racing nowhere. A well-conducted independent audit is an excellent way to monitor your privacy program. It can identify what you are doing correctly, what needs improvement, and what you are doing poorly. But on its own, it is not a magic wand that can repair or replace a comprehensive privacy program. If you do not implement the recommendations from an audit, the problem persists, and repeating the audit will not change that.

Closing ceremony: turning off the light


The risk of a compliance model based on checklists is that organisations become obsessed with ticking boxes while neglecting the development of a comprehensive privacy program. Organisations have always found ways to satisfy regulators’ checklists while failing to embed the process internally. Implementing a privacy program is a lot of work, but it is essential. As my examples show, making a whitelist is not the issue; the question is whether there is a process and procedure in place to respond to and deal with situations when they arise.

Although the regulator’s initiatives may have been well intended, their benefits and effectiveness have been mixed. If the goal is to bring more data controllers and processors under the regulator’s wing, then the time has come to rethink the approach and instead emphasise educating organisations on the benefits of a privacy program and empowering data subjects so that they are in a position to ask questions and lodge complaints. I have written before that “there is more work to be done in raising awareness of data subjects – aware enough to invoke their rights and make informed decisions.” Furthermore, if complaints are resolved in a timely manner, or their status is updated regularly, trust in the ecosystem may increase. An empowered data subject gives the regulator more insight into those it intends to regulate while also creating an incentive for controllers and processors to do the right thing.

The regulator should also put more resources and “effort” into “developing useful commentaries, guides, guidelines,” and self-assessment toolkits to aid compliance, which would show organisations “how” to do what they are supposed to do. Finally, while the regulator may not bear primary responsibility for doing so, a clarifying statement outlining the limitations of submitted audit reports and of the proposed whitelist would benefit the entire ecosystem.