21 October 2025

This Company Almost Lost Everything Over Data Privacy: Here's How We Stopped It

Charis Legal Practice


At Charis Legal Practice, our mission is simple yet profound: to provide exceptional legal services that empower our clients and safeguard their interests.

With a focus on understanding your unique challenges and objectives, we strive to deliver practical solutions that exceed your expectations and contribute to your success.


Getting robbed of your hard-earned money by armed robbers on a highway.

That's exactly what I would liken a data breach to.

Only this time, it wasn't a gun on the road. It was something far worse: A hidden weak spot that could leak customer data.

And one thriving company I worked with almost walked straight into it.

A Conglomerate with Cracks

They weren't just any start-up. They were a conglomerate with operations across fintech, e-commerce, and digital services.

Their scale was impressive:

  • Thousands of customer records.
  • Daily transactions.
  • Sensitive data flowing through their systems like water.

But behind the glossy dashboards and investor decks?

Their data privacy game was dangerously weak:

  • No clear privacy policy.
  • No trained Data Protection Officer (DPO).
  • No Data Processing Agreements with vendors.
  • No Data Protection Impact Assessments (DPIAs) for new rollouts.
  • Zero staff training on breach response.

The CEO's first words still ring in our ears:

"We've grown fast. We just didn't know we were this exposed until you pointed it out."

Their Wake-Up Call Came Too Close

One of their outsourced payment processors had a sloppy security hole.

One day, they noticed unusual data traffic.

Customer information was at risk of slipping out through a hidden backdoor.

If that had happened?

The Nigeria Data Protection Commission (NDPC) could have stormed in with an audit, hefty fines, and brand damage that no press release could fix.

That was when the CEO called us in.

As a business law firm in Lagos that works daily with tech companies, we knew exactly what this meant:

We had to seal every gap immediately.

Where We Started

We pulled apart their entire ecosystem:

  • Who had access to customer data?
  • Were consent notices clear?
  • Did they have a published privacy policy updated for the NDPA 2023?
  • Could they report a breach within 72 hours?
  • Did they have watertight Data Processing Agreements with vendors?
  • Was their DPO competent or just a figurehead?

The answers weren't pretty. But they were fixable.

What Data Privacy Actually Means

Let's pause for a quick definition:

Data is any piece of information that can identify someone, such as a name, phone number, bank details, or biometrics.

Privacy is the shield that keeps that information from prying eyes or careless hands.

When your company collects this data, you're holding a vault of secrets.

The Nigeria Data Protection Act (NDPA 2023) says you must guard it. Not just with firewalls, but with:

  • Clear policies.
  • Human training.
  • Updated contracts.
  • Proper processes.

The Legal Bedrock

We explained to them the core principles every fast-growing company must follow:

  • Process data lawfully, fairly, and transparently.
  • Collect only what you need (data minimisation).
  • Keep it accurate and up to date.
  • Protect it with strong security.
  • Delete it when no longer needed.

The hard truth is this: the NDPA isn't optional.

The NDPC has teeth:

  • They can audit you.
  • Fine you ₦10 million or 2% of annual gross revenue (whichever is higher).
  • Shut down your operations.
  • Publicly shame your brand.
  • And yes, customers can sue you.

How We Fixed It

So, we rolled up our sleeves:

  1. Drafted a tailored privacy policy across all digital touchpoints.
  2. Created a cookie policy and a consent framework.
  3. Conducted a Data Protection Impact Assessment (DPIA), a risk check to spot privacy risks before new product or system rollouts.
  4. Appointed a certified, capable Data Protection Officer (DPO) who would be the watchdog ensuring compliance and liaising with regulators.
  5. Rewrote contracts into watertight Data Processing Agreements.
  6. Built a 72-hour breach response plan.
  7. Ran staff training right from C-suite to interns.

The CEO later admitted:

"We thought this was an IT problem. Now we see it's a business survival problem."

The Result

Today, they're not just compliant. They're investor-proof.

They pitch to global partners with confidence.

They expand cross-border without fear.

They've turned a near disaster into a selling point:

"Our house is secure, so your data is safe with us."

Your Takeaway

If you're scaling fast, whether as a conglomerate, unlimited liability company, or ambitious start-up in Nigeria, don't wait for a breach to wake you up.

Protect your vault now, so your next investor meeting doesn't end with awkward questions about missing policies or NDPC letters.

At Charis Legal Practice, we've done this for dozens of firms worth billions in data value.

Today, they operate breach-proof, avoiding penalties and business disruptions.

Want your own audit? You can book a consultation here.

Need a privacy policy, DPO, or breach plan? Let's get it done.

Your secrets deserve a fortress, not an open highway.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
