Date: 2025-10-21

For 15 years, Mr. Adetokunbo Jacobs chased one dream: to catch up with Dangote's Cement. But every effort was like fetching water into a basket. No matter how hard he tried, he kept failing.

Until one day, he discovered a hidden truth that changed everything.

A mistake he had been making all along.

But here's the twist. This mistake had nothing to do with cement.

It wasn't his factory.

It wasn't his workers.

It wasn't even his competitors.

So what was it?

We'll get to that in a moment. First, you need to understand what data privacy and a data breach really mean.

You see, getting robbed of your hard-earned money on the highway after years upon years of hard work is exactly what a data breach feels like.

Yet many CEOs don't realize they're leaving their company's doors wide open until it's too late.

As a business lawyer in Lagos, I see it all the time: global companies scaling fast, but ignoring the hidden cracks in their data privacy foundations.

In this blog post, I'll break down what you need to know about data privacy, the mistakes Mr. Jacobs kept making and the overlooked fix that finally turned things around.

Let's dive right into it.

What is data privacy? How does it work?

Of course, you might be wondering: how do data and privacy fit into the same phrase? Let me break it down quickly.

As a reader, any information that can identify you (name, phone, email, address, biometrics, health info, anything) is your data.

And privacy? It's the right to be left alone without intrusion.

Combine them, and it means: any time you collect, store, use, or share people's personal data, you must handle it properly, keep it secure, and respect their right to control it.

If you get careless with the data and it then gets leaked to the public, you will be guilty of a data breach.

So while you can collect and keep customers' data, there are some key principles guiding it which you cannot afford to overlook.

Miss any of these, and you're already setting yourself up for trouble.

The data you're collecting must be lawful, fair & transparent

You must only collect what you need

You must keep data accurate & current

You must protect it with security measures

You must delete it when it's no longer needed

Sounds simple enough, right? But it's where most CEOs, including Jacobs, stumble badly.

Now that you understand what data privacy is, you need to also understand the laws and the people in charge of data privacy in Nigeria.

The Law & The Regulator

Now, there's a law you can't afford to ignore. It is Nigeria's Data Protection Act (NDPA 2023), and it is the law that sets the rules every company handling personal data must follow.

And the Nigeria Data Protection Commission (NDPC)? It is the regulatory body that makes sure you abide by the rules, with the power to audit, fine, suspend, and even publicise offenders.

Rights Every Citizen Has

So as a CEO, you should know that aside from basic customer rights like refund policies and getting the service they paid for, your customers also have data privacy rights. This is not limited to your customers only, but includes your clients, staff, investors or contractors. Every one of them has the following rights:

To know what you hold

To correct or delete wrong data

To block or restrict how you use their data

To stop you from marketing to them

To complain directly to the NDPC

Now, you'd think Mr. Jacobs would have known all this, right? The laws, the regulator, the principles. All these were no secret. Yet somehow, he kept missing it. Again and again.

So what exactly was he doing wrong? Let's find out.

No Updated Privacy Policies

For 15 years, Mr. Adetokunbo Jacobs kept using the same outdated privacy policy.

It sat in his drawer, never updated, never on his company's website even after he launched online.

He was getting clients and collecting their data, yes.

But without a clear, up-to-date privacy policy, customers had no assurance that their personal information was safe. The result? No trust. No repeat customers.

A proper, tailored privacy policy does more than tick a box. It tells your customers, staff, and regulators:

You know what you're doing.

You respect people's rights.

You're transparent about how you handle data.

No policy? Or worse, a copy-paste one from the internet? That's a lawsuit (or regulator fine) waiting to happen.

And if your business tracks people online? Don't forget a cookie policy.

Many companies overlook this until they're hit with penalties or, worse, lose customers to competitors who take privacy seriously.

No Data Protection Impact Assessments (DPIAs)

"DPIA? What's that?" That was Mr. Adetokunbo Jacobs' reaction, with a confused yet inquisitive look, when I asked him about it.

Beyond cement, he had tried launching a website where developers could submit details about their projects, including location, budget, even ownership information. Sensitive data everywhere.

But he never stopped to ask: Do I really need to collect all this?

Soon, NDPC officials came knocking. The NDPC is the regulatory agency in charge of data protection in Nigeria.

He started getting fined over and over. Whatever profits his website generated, he spent offsetting these penalties.

But here's the truth: As a CEO, you may want to roll out a product, app, or service fast. But if you skip a DPIA, you're setting yourself up for failure.

A Data Protection Impact Assessment (DPIA) is like a test drive for privacy.

It checks your system for risks, helps you identify what data is really necessary, and shows you where leaks could happen.

Without it? You're driving blind. And regulators will make you pay for it.

No DPO

In 2025, companies scaling globally are already hiring Data Protection Officers. It's a requirement for any company handling sensitive information.

But Mr. Adetokunbo? He relied on his loyal secretary and PA, who had no idea what data privacy even meant, to handle all the compliance tasks the NDPC asked of him.

Cutting costs in data privacy may feel smart in the moment, but it's being penny wise, pound foolish.

The bitter truth? When a breach happens, the NDPC won't care about excuses. They'll fine you heavily.

And who bears that financial strain at the end of the day? You guessed right: you.

No Breach Response Plan

What happens if there's a leak?

Do you know you have just 72 hours to report a breach to the NDPC?

Mr. Adetokunbo Jacobs had no idea. When it happened to his company not once, but three times, he and his staff did what most unprepared teams do: they panicked.

But panic is the worst response. If your team would freeze, cover it up, or hide the problem, you're already in dangerous waters.

The NDPA clearly outlines how breaches should be handled, especially when you have a Data Protection Officer in place.

No plan? No DPO? Then you're not just risking leaks, you're risking fines from the NDPC, lawsuits from past customers, and a permanent dent to your reputation. And that might take you years to recover from.

No Staff Training

Your staff are your biggest risk.

If they don't know how to handle data, spot phishing, or use secure systems, even the fanciest policies won't save you.

Take Mr. Adetokunbo Jacobs for instance. His staff were careless with customer information, left office systems open to anyone, reused weak passwords, and had zero training on spotting fraudsters.

What was the end result? Hackers had a field day, year after year. Customers stopped trusting the company.

In addition to that, he wasted money chasing new customers when repeat sales and referrals could have grown his business for free.

Let me tell you the real truth. Untrained staff will cost you more than any training program ever will.

But here's the twist:

These 5 signs are only the surface of data privacy.

To truly protect your business from the kind of robbery that ruins reputations and burns trust forever, you need to know exactly what every company must do.

If any of these 5 signs feel uncomfortably familiar, don't panic. Here's the exact fix list I gave Mr. Jacobs. The same one that turned his story around:

✓ Draft clear privacy policies, cookie policies, consents.

✓ Run DPIAs for new risky systems.

✓ Appoint a qualified DPO.

✓ Sign Data Processing Agreements (DPAs) with any third parties.

✓ Have a breach response plan. Report within 72 hours if there's a leak.

✓ Follow the rules on moving data abroad.

✓ Train company staff regularly!

Consequences If You Don't

If you ignore this checklist, you're likely going to be on the highway to disaster just like Mr. Adetokunbo Jacobs, and the consequences could be any of the following:

NDPC audits

₦10 million fines or 2% of annual revenue

Public name-and-shame

Suspension of your processing rights

And customers can sue you

These aren't scare tactics. They're the very consequences that almost buried Mr. Jacobs' company until he got it right.

Conclusion

The difference between a company that has NDPC officials knocking on its door every other month and one they only check once a year is simple: compliance.

Doing the right thing and taking the right steps after discovering the truth is what keeps you from losing money, your name, and your peace of mind.

So if you have discovered that you're doing the same thing Mr. Adetokunbo Jacobs was doing before he realised the truth, it's time to follow his steps to get the turnaround he experienced.

Don't wait until it is too late. Act fast now!

Every delay increases your risk of fines, disruptions, and NDPC scrutiny.

At Charis Legal Practice, we help companies with share capital above 10 million tighten their compliance so they don't suffer unnecessary penalties, disruptions in business operations, or unwanted visits from the regulatory authorities.

Ready to scale without fear? Click here to get started and let's discuss your regulatory audit to keep regulators off your back while you grow massively. If you have any questions, you can drop them in the comments section. We'll be glad to answer them.

Happy reading!

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.