Introduction
A data breach occurs when unauthorised entities gain entry to, disclose, or steal sensitive and confidential information. These breaches can take various forms, including cyber attacks, insider threats, or accidental data exposure. In essence, a data breach compromises the integrity and security of data, and the potential harm extends far beyond the stolen information itself. In today’s technology driven commercial environment, data is an essential tool for strategic growth and commercial leverage. However, this increased reliance on technology has occurred simultaneously with a rise in cyberattacks, which exposes sensitive information to unauthorised parties and poses significant risks to privacy, financial security and reputation of organisations.
Organisations are now faced with strict data protection obligations, including ensuring fair processing, appointment of a data protection officer where necessary, and taking the appropriate steps in the event of a breach. These obligations are all geared toward ensuring that the constitutional right to privacy and all other data subjects’ rights are safeguarded.
Responding To Data Breaches
When a data breach occurs, time becomes your adversary. Organisations have an obligation to act decisively to contain damage, protect data subjects, and align with statutory obligations under the Nigeria Data Protection Act 2023 (NDPA) and the Nigeria Data Protection Commission’s General Application and Implementation Directive 2025 (GAID). Following a data breach, data processors and controllers are guided by the following steps:
a. Initial Notifications: Upon detecting a data breach, the data controller or processor involved is expected to promptly notify the party that engaged it, describing the nature of the personal data breach, including, where possible, the categories and approximate numbers of data subjects and personal data records concerned. Furthermore, an additional notification must be made to the Nigeria Data Protection Commission (the Commission) within 72 hours of becoming aware of the breach if the breach is likely to pose a risk to the rights and freedoms of individuals.
b. Additional Notifications: In a situation where such a breach exacerbates to levels where it is likely to result in a high degree of risk to the rights and freedoms of data subjects, the data controller is required to notify the data subject without delay, including information on how the data subject can mitigate the risk of harm. Where direct notification is not feasible, the data controller can notify the public through widely used media.
c. Record Keeping: Data controllers or processors are mandated to maintain adequate records of all personal data breaches and the effects and remedial actions taken.
Preventive Measures To Safeguard Data
Data breaches often expose system-wide lapses and failures as they are no longer one-off technical events. Despite stringent measures under data protection laws, organisations are urged to think beyond mere reactions and prioritise prevention. The first experience of a data breach may shock an organisation’s system and expose the need for a strengthened data privacy policy and infrastructure, including:
a. Embedded security into data: Data is capable of restricting access to itself if ringfenced with encryption structures that ensure that any attempt to infiltrate an organisation’s data system is rendered useless because the data itself cannot be accessed. A good example of such a preventive measure is encryption which converts original data into complex text that can only be deciphered with the right key/ password. It provides data with the necessary confidentiality, integrity and availability it needs to guard against illegal cyber activity. Without encryption, sensitive data like customer records, employee information, or trade secrets becomes easy prey for cybercriminals. Malicious actors can steal, misuse, and exploit this data for their own nefarious purposes. A prime example is the Equifax data breach of 2017, where outdated encryption standards and unencrypted passwords allowed hackers to gain access to the personal data, credit card numbers, and addresses of over 150 million users. As a result, the company faced a staggering $400 million penalty.
b. Deployment of Artificial Intelligence (AI): AI is an integral part of the digital world today. Despite its disadvantages, it has numerous advantages, especially as it relates to data protection. AI can be highly effective at automatically scanning and identifying sensitive or personal data. AI is also valuable for activation of automated retention and deletion policies, risk assessment to data sanitisation and monitoring ever-changing and consumer privacy regulations while suggesting policies to ensure compliance.
c. Organisational culture shift: Prevention of data breaches cannot be achieved by technology alone. Organisational culture is one of the most important factors that influence success or failure in the security domain. Even the most advanced encryption methods can be compromised by insecure handling of credentials, use of weak passwords, and vulnerability to phishing attacks. Hence, it is important that organisational leadership is committed to security. In accordance with Article 39 of the GDPR, Data Protection Officers are required to provide training for employees involved in processing, to create awareness of their duties in relation to the protection of the data they process. Additionally, awareness and educational endeavours to adequately keep the workforce informed and enlightened on the importance of data privacy, as well as possible liabilities for negligible breach of same, are powerful tools that reduce the chances of data breach occurrences.
d. Data minimisation practices: Data minimisation ensures that only necessary data is collected so that the any breach may result in less harm. A survey by Ofori-Duodu (2019) revealed that organisations with effective policies in data minimisation recorded an average of 28% lower cost for data breaches compared to those without such policies. The research indicated that organisations with shorter retention periods within customer information (of less than six months) recorded 45% fewer data breaches of the information as compared to their counterparts with longer retention periods. This practice is equally consistent with the NDPA, GAID and GDPR, which provide that only data that is necessary and relevant to the purpose for which it is processed should be collected from data subjects.
e. Appointment of a Data Protection Officer (DPO): It is mandatory for data controllers of major importance to employ or appoint a DPO who will serve as a chief advisor and compliance monitor regarding data protection in the organisation. The data controller is expected to engage its DPO on all issues relating to data protection and ensure that the DPO does not perform their duties under duress or risk being penalised for doing so. Organisations are advised to take advantage of this legal requirement and rely on experts to guide them on best practices regarding prevention and response strategies for potential data breaches.
Conclusion
Data breaches are no longer extraordinary occurrences but rather an inevitable risk in the increasingly digital commercial space. As organisations continue to use data as a catalyst for innovation and efficiency, the legal and practical implications of data breaches have become more apparent. The NDPA and the GAID set forth specific and urgent requirements for data controllers and processors, especially in the first 72 hours after a breach, which highlights the importance of preparedness over improvisation.
Nonetheless, compliance cannot be accomplished by purely reactive means. A sound data protection system must be proactive, comprehensive, and ingrained in an organisation’s operational ethos. Technical measures such as encryption and AI-powered monitoring, when paired with data minimisation strategies, sound leadership, ongoing employee training, and the effective use of a Data Protection Officer, can greatly mitigate both the incidence and consequences of breaches.
Data protection is more than a legal obligation but rather a strategic imperative. Organisations that make proactive efforts to establish sound governance structures and breach prevention systems are ultimately better equipped to protect the rights of data subjects, maintain public trust, and advance their own interests in the ever-changing digital landscape.
Okechukwu Ekweanya, Partner, and Sonia Onyia and Okenna Onyelu, Associates, are Counsel at KENNA.
The Legal Insights column by KENNA provides thought leadership on the legal and business issues shaping today’s commercial landscape.
Join BusinessDay whatsapp Channel, to stay up to date
Open In Whatsapp
