December 12, 2018

GDPR: How the law could affect Nigerian companies

GDPR: How the law could affect Nigerian companies


•Hitachi on rescue mission with sensitization programme in Lagos
•Shows how data governance aids compliance

By Prince Osuagwu (Hi-Tech Editor)

On May 25, 2018, the General Data Protection Regulation  was enforced as the strictest and most encompassing data protection law ever to be passed. Its scope reaches far beyond the borders of the EU, in so far as it applies to all organisations and all websites globally, that process data of EU citizens.


That means that Nigerian companies that receive communications from either European companies or citizens, are not excluded from the regulation.

Furthermore, the GDPR has set a high standard for data protection that is being followed as an example for other data protection authorities in the world, as they update their legislations to correspond to the demands of a digital and data-driven society.

GDPR is very much to be reckoned with, and has been adopted by national authorities, privacy activists and offended parties alike as a potent instrument to improve transparency and ensure the enforcement and respect of privacy rights.

Six months later, various national data protection authorities and supervisory authorities as well as privacy activists and offended parties have taken action.

Incidentally, cases are only made public if one of the parties for some reasons chooses to do so or if convicted companies wish to gather momentum to dispute the conviction.

However, there are reports that the the French supervisory authority, Commission Nationale de l’informatique et des Libertés, CNIL, has given warnings to several companies while some others, like a Portuguese hospital, have been fined.

Meanwhile, an estimated 30 to 60 cases are being investigated by the data protection authorities of the different EU member-states.

These developments should give every reasonable country and data managing company some concerns. Data permeates corporations as much as it does personal lives. Companies today build their digital transformation on data. Their control, access and use of data enable them to gain insights on new markets and achieve greater efficiencies.

Deploy digital competencies to solve socioeconomic problems-Sterling Bank boss charges CeBIH

Data analysts have also said that the quality and veracity of data within a corporation is essential to maximize digital potential.

However, for digital citizens to maintain trust in organisations they may choose to engage with, proper governance of data must be a priority. Also proper data governance is very essential for corporations to fully leverage their digital assets.

Hitachi’s rescue mission

Considering the strategic position these practices occupy in any country’s  economic development, technology company, Hitachi Vantara said it would gather a number of Nigerian companies in the ICT ecosystem to a sensitization programme in Lagos.

The event which holds tomorrow at the Federal Palace Hotels, is meant to help participating companies comply with the European Union’s  General Data Protection Regulation, GDPR. It is themed: General Data Protection Regulation,GDPR: Impact and compliance – the Hitach Vantara solutions.

Hitachi said the event will expose participants to its local solution that can help them understand, analyse and control their data pipelines so as to comply with the GDPR guidelines

The company prides itself as having  local expertise and the solutions to perfectly train organisations to instantly become GDPR-compliant.

Explaining the rationale for the programme, the company’s Territory Accounts Manager,  West Africa, Mrs Adenike Omojokun said it will be unwise for Hitachi being a global company that understands the laws around EU regulations, to allow Nigerian companies fall victims of non-compliance when it has all it takes to equip them.

Omojokun said some of the modules of the programme will help organisations strongly face the 21st Century tech environment.

Meanwhile, the company’s Director, Data Intelligence, Manfred Gramlich, who is one of the event’s facilitators, predicts that data growth will continue for the foreseeable future,  as will the sensitive nature of the information it contains.

For him, “the need to intelligently govern data will only increase. This event will provide the necessary insights to move beyond simply storing data into creating a framework under which data can be intelligently governed for the length of time it has value to your business or regulations require it to be kept.”

Smartphones will consume more than 21GB data per month by 2024 — Ericsson

He added: “With emerging regulations applying to the personal information of the digital citizen, data governance is a fiscal imperative.”

Also Solutions Consultant, Hitach Vantara, Mr Kunle Ogunfolabi said Hitachi is properly equipped both technically and managerially to pull off the programme and bring Nigerian organisations to the level where global laws become commonly understandable to them.

Ogunfolabi said participants will learn how Hitachi Vantara’s solutions accelerate compliance to regulations and similar acts in the financial industry.

He said: “The solution teaches a new way to manage and control data to support regulatory compliance, innovation business decisions and productivity.”

Hitachi would provide answers to such questions as how does GDPR affect companies across the globe? How does the regulation affect companies in the African territory;? How can a company know that it is affected and how does the regulation help protect personal data? among others.


The Hitachi programme appears pertinent considering that on June 25, 2018, just a month into the enforcement of the GDPR, CNIL    issued a formal warning  to the two French mobile app companies –  Fidzup  and  Teemo –  for lack of consent and inadequate information about the duration of the data storage, and for lack of free choice on its geodata advertising services.

Geodata-targeted advertising is advertising based on the person’s specific geographical location, often discovered by means of apps installed on their smartphone.

The two companies specialise in geo-targeted advertising. They make use of a technology called SDK, integrated into the mobile app codes of their partners, usually advertisers and shops. SDK enables the localisation of the device and therefore track personal geodata.

Geodata can be transmitted even when the app is not in use,  in the case of Teemo, every 5 minutes – and constitutes precious information for advertisers, especially when coupled with other user profiling data, enabling  very precisely targeted ad campaigns based on the user’s profile and location.

For instance, if a user profile suggests she is a woman in mid 20s and in a strong relationship, she might be targeted with ads for wedding gowns, engagement rings on her mobile phone while she is in the proximity of a fashion or jewelry stores.

Shareholders laud NAICOM’s cancellation of insurance recapitalisation

Interestingly, these are the innovations making waves in Nigeria at the moment and the likelihood that the GDPR law is flouted while celebrating these innovations may be quite high.

In the case of the two French companies, the CNIL issued its warnings due to faulty consent In the case of Teemo, CNIL found that the user was not informed  about the geodata collecting SDK when downloading the apps. During their controls, CNIL revealed that when Fidzup’s partners’ apps were downloaded, the user was not informed about  the purpose of the tracking or about the identity of the tracker.

Furthermore, the general terms and conditions were  provided after the download of the app was completed, meaning after the initial data collection had taken place. Therefore, the regulation’s prior consent requirement was violated. Again CNIL noted that the data was kept for too long, infringing the GDPR requirement that data that is no longer needed for the original and declared purpose should be deleted.

In fact, in the case of both companies, the CNIL issued a formal warning based on the following infractions of the GDPR:

¨Transmission of data without prior consent.

¨Inadequate information about the purpose of the tracking, identity of the tracker and the destination of the data.

¨Excess data collection and data kept for too long.

¨Consent bundled and therefore not freely given.