NDPC Probes TikTok and Truecaller for Suspected Data Breach

The Nigeria Data Protection Commission (NDPC) has initiated an investigation into TikTok and Truecaller regarding potential data breaches connected to compliance failures under the Nigeria Data Protection Act. This announcement was made by Dr. Vincent Olatunji, the National Commissioner and Chief Executive Officer of the NDPC, during a press conference held in Abuja.

Dr. Olatunji explained that the NDPC’s inquiry will focus on assessing these companies’ adherence to existing data protection regulations. The commission aims to determine appropriate regulatory responses based on its findings. “We are currently investigating multinationals like TikTok and Truecaller specifically in the realm of data privacy,” he stated, emphasizing the seriousness of the inquiry.

Upon initiating regular compliance monitoring, the NDPC discovered that only 4% of organizations were following data protection laws. However, with intensified efforts, that figure has now surged to over 55%. The NDPC’s approach is centered on remediation rather than immediate penalties. The severity of data breaches, the number of affected individuals, and potential economic implications are taken into account before regulatory actions are decided.

Once a company is identified as non-compliant, it is required to document its data processing activities meticulously and rectify any issues. Organizations undergoing scrutiny face a monitoring period that lasts from six months to a year to ensure thorough compliance. Furthermore, while the NDPC favors a constructive remediation process, Dr. Olatunji signaled that stronger punitive actions could be on the table if the need arises.

At the press conference, the NDPC also revealed the introduction of the Nigeria Data Protection Act – General Application and Implementation Directive. This directive aims to provide clearer guidelines for data controllers and processors to ensure compliance with Nigerian laws. Olatunji highlighted a gap in understanding among many organizations regarding data protection regulations, which often results in unintentional breaches.

The new directive will be accessible via the NDPC’s online platform and underscores the critical role of Data Protection Officers in maintaining compliance. Dr. Olatunji reiterated the commission’s dedication to defending the privacy rights of Nigerian citizens and described the directive as a significant advancement for data privacy in the country, particularly in light of rapid technological progress that influences digital interactions.

Following President Bola Tinubu’s assent to the Nigeria Data Protection Bill on June 12, 2023, the NDPC has developed a comprehensive implementation framework that aligns with the constitutional guarantee of privacy articulated in Section 37 of the 1999 Constitution. To achieve this goal, the commission has engaged extensively with key stakeholders, including data subjects, government bodies, corporate entities, civil society organizations, international agencies, and media representatives. This engagement aims to ensure that the directive appropriately reflects the current expectations and realities of data protection.

The directive covers numerous critical aspects, including data protection principles, lawful bases for data processing, data subject rights, cross-border data transfers, and compliance audits. Additionally, it contains guidelines for data privacy impact assessments, the training and certification of Data Protection Officers, and mechanisms for alternative dispute resolution tailored to align with global best practices.

One significant feature introduced is the Standard Notice to Address Grievance, empowering individuals to request remedial actions directly from data controllers and processors, circumventing the need for initial commission intervention. The NDPC plans to fully implement the directive by September 2025, granting organizations a transition period of six months, with fee-related provisions effective from January 2026.

Dr. Olatunji assured that the NDPC would continue to issue guidance notices and advisories to clarify legal obligations while promoting a culture of data privacy and protection throughout Nigeria. In preparation for ongoing regulatory refinement, capacity-building programs are set to be implemented, inviting feedback through NDPC platforms to support future adjustments to the directive and the creation of new regulatory frameworks.

In this context of heightened scrutiny and regulatory evolution, understanding the tactics used in potential breaches becomes vital for organizations. MITRE ATT&CK tactics that adversaries might employ include initial access to compromise an organization, persistence to maintain access over time, and privilege escalation to gain elevated permissions within systems. Organizations should therefore prioritize vigilance in compliance and proactive cybersecurity measures to safeguard against these threats.
