Enhancing Digital Resilience: Cybersecurity, Data Protection, and Online Safety

Summary

This panel discussion focused on enhancing digital resilience through cybersecurity, data protection, and online safety. Experts from government, private sector, and regulatory bodies explored the challenges and strategies for protecting personal data in an increasingly connected world.

Key points included the need for greater awareness about data privacy risks, especially among rural populations. Panelists emphasized the importance of trust in digital systems and services, arguing that without trust, adoption and proper use of technology would be limited. The discussion highlighted the role of government in creating and enforcing regulations to secure personal data, while also noting the challenges of keeping pace with rapidly evolving technologies.

Public-private partnerships were proposed as an effective model for enforcing data protection regimes. The Nigerian Data Protection Commission shared its approach, including licensing Data Protection Compliance Organizations to enhance compliance processes. Panelists stressed the importance of transparency in data collection and usage, advocating for clearer, more concise terms of service agreements.

The ethical use of data by private companies was discussed, with emphasis on long-term sustainability and integrity in business practices. The concept of “privacy by design” was highlighted as a crucial approach for developing new technologies and platforms. The discussion concluded by emphasizing that enhancing digital resilience is a collective responsibility, requiring cooperation among governments, businesses, and individuals to ensure a safe and trustworthy digital environment.

Keypoints

Major discussion points:

– The importance of digital awareness, cybersecurity, and data protection in an increasingly connected world

– The role of government policies and regulations in protecting citizens’ data and privacy

– Public-private partnerships for enforcing data protection and compliance

– Building trust and transparency around data collection and usage

– Reaching rural/underserved populations with digital literacy education

The overall purpose of the discussion was to explore ways to enhance digital resilience through improved cybersecurity practices, data protection policies, and online safety measures. The panelists aimed to raise awareness about digital risks and provide insights on how individuals, organizations, and governments can better protect data and privacy.

The tone of the discussion was generally informative and advisory. The panelists spoke with authority on the topics, offering expert perspectives and recommendations. There were moments of more casual, conversational exchanges, particularly when audience questions were addressed. Overall, the tone remained professional but accessible throughout, with an emphasis on practical takeaways for the audience.

Speakers

– Emmanuel Edet: Moderator

– Hakeem Ajijola: Chairman of the African Union Cyber Security Expert Group, former chair of Working Group B on Critical Incidents and Critical Infrastructure Management of the Global Forum on Cyber Expertise, commissioner on the Global Something for Stability in Cyberspace, chaired committee that drafted Nigerian National Cyber Security Policy and Strategy 2021, chaired committee for strategic roadmap and action plan for National Data Protection Commission

– Isola Olorunnisomo: From Nigeria Data Protection Commission, IT and cyber security department, certified data protection officer, lead cyber security manager

– Ayodeji Rex Abitogun: IT consultant at Management Edge Limited, focus on data privacy advocacy and cloud security

– Folaranmi Umoru: Lawyer, governance risk and compliance analyst, co-moderator for online session

Additional speakers:

– Musa Megiri: Online participant who asked a question

– Audience members: Asked questions but names not provided

Enhancing Digital Resilience: A Comprehensive Discussion on Cybersecurity, Data Protection, and Online Safety

Introduction

This panel discussion brought together experts from government, private sector, and regulatory bodies to explore the challenges and strategies for protecting personal data in an increasingly connected world. The conversation focused on enhancing digital resilience through improved cybersecurity practices, data protection policies, and online safety measures. The panelists aimed to raise awareness about digital risks and provide insights on how individuals, organisations, and governments can better protect data and privacy.

Key Challenges in Data Protection and Privacy

The discussion highlighted several critical challenges in the digital age. Emmanuel Edet, the moderator and Head of Legal Services at the National Information Technology Development Agency (NITDA), pointed out that data-hungry applications and artificial intelligence (AI) pose significant privacy risks. Hakeem Ajijola, Chairman of the African Union Cyber Security Expert Group, emphasised that personal data is often collected and used without explicit consent, asking, “How many of us consciously, overtly, gave permission for our data to be used to feed the AI of somebody else?”

Isola Olorunnisomo from the Nigeria Data Protection Commission stressed the need for “privacy by design” in new technologies. This approach involves incorporating privacy considerations from the outset when developing new platforms and services. An audience member noted that long terms of service agreements often hide important privacy information, highlighting the need for more transparent and user-friendly policies.

Government and Regulatory Approaches

The panel explored various governmental and regulatory approaches to data protection. Isola Olorunnisomo shared that Nigeria has adopted a public-private partnership model for enforcement, which includes licensing Data Protection Compliance Organisations to enhance compliance processes. He also highlighted the progressive nature of the Nigerian Data Protection Act, which aligns with international best practices.

Hakeem Ajijola emphasised the need for timely legislation and implementation by governments to keep pace with rapidly evolving technologies. He mentioned the AU Malabo Convention and its relevance to data protection in Africa, as well as the upcoming stakeholder sessions for the African cybersecurity strategy draft. Ajijola also raised the issue of data poverty in Africa, emphasizing the need for strategies to address this challenge.

Role of the Private Sector and Trust in Digital Technologies

The discussion delved into the crucial role of the private sector in data protection. Ayodeji Rex Abitogun, an IT consultant, stressed the importance of ethical application of technologies and responsible data stewardship. He advocated for co-creating products with privacy considerations in mind, balancing user-friendliness with robust data protection measures.

Hakeem Ajijola emphasized the critical role of trust in digital technology adoption, stating, “Without trust, people will not use a technology, regardless of its origin or sophistication.” He used the analogy of a “WII FM” radio station, asking “What’s In It For Me?”, to illustrate the importance of clear value propositions for users when it comes to data sharing and technology adoption.

Building Awareness and Individual Responsibility

The panelists agreed that enhancing digital resilience is a collective responsibility, requiring cooperation among governments, businesses, and individuals. Isola Olorunnisomo stressed that everyone has a role to play in digital resilience and emphasised the importance of individuals understanding their personal data rights. Emmanuel Edet echoed this sentiment, highlighting the need for digital literacy and awareness.

An audience member raised the importance of creating awareness, especially for rural populations who may have limited understanding of digital risks. The panel discussed strategies for reaching and educating diverse populations about data protection and digital safety.

Practical Advice and Future Directions

The discussion provided practical advice for individuals to protect their data and enhance digital resilience. Suggestions included:

1. Regularly reviewing and updating privacy settings on digital platforms

2. Being cautious about sharing personal information online

3. Using strong, unique passwords for different accounts

4. Staying informed about data protection rights and regulations

Looking to the future, the panel identified several areas for continued focus:

1. Simplifying terms of service agreements while maintaining necessary detail

2. Balancing user-friendliness of platforms with robust data protection measures

3. Developing strategies to effectively reach and educate rural populations

4. Addressing data poverty in Africa through innovative solutions

5. Implementing data pseudonymisation techniques to enhance security during data exchange

Conclusion

The panel discussion provided a comprehensive exploration of the challenges and strategies for enhancing digital resilience through improved cybersecurity, data protection, and online safety measures. It emphasized the need for collaboration between governments, private sector entities, and individuals to create a safer and more trustworthy digital environment. As Hakeem Ajijola poignantly stated, quoting Mikko Hypponen: “We are no longer protecting computers, we are protecting society.” This encapsulates the broader societal implications of cybersecurity and data protection efforts, reframing the discussion from a technical focus to a more holistic view of the societal impact of digital security measures.

As digital technologies continue to evolve rapidly, ongoing dialogue, adaptive strategies, and a commitment to ethical data practices will be crucial to address emerging challenges and protect personal data in an increasingly connected world. The panelists called for continued efforts in education, awareness-building, and the development of user-centric technologies that prioritize privacy and security.

Emmanuel Edet: My name is Emmanuel Edet, as you have been informed, and it is our responsibility in this session to discuss issues of enhancing digital resilience. We are focusing on cyber security, data protection, and online safety. You will agree with me today that being non-digital is no longer an option. Everyday connectivity is improved. In fact, countries are rated based on their capacity to get their citizens online. And based on this rating, everybody strives to get connected. Public service is going online. Commercial services have already gone online. And gradually. We are seeing a position where digital is becoming the norm. In fact, some countries like Nigeria have developed what they call a digital literacy initiative, where citizens are being taught on how to use digital technologies. And that’s where we are today. On the backdrop of this is what I would call surveillance capitalism, where it is no longer the state that conducts surveillance, but private companies, individuals, private security firms who are not even state police also conduct surveillance. So the next question is, how do we manage the cyber threats that has become more sophisticated in the era of emerging technologies? Our panel is going to discuss these multifaceted aspects of enhancing digital resilience by focusing on three core pillars. Cyber security, data protection, and online safety. I don’t think I would do justice to all my panelists here by introducing them, so I would pass on that responsibility to themselves so they can introduce themselves so you know which area they are coming from. And so when they speak, you have the right questions for them. Thank you for joining us, and I hope you will enjoy your stay here. So I’ll start with my rights. That’s a brief introduction of yourself and what you do.

Ayodeji Rex Abitogun: Thank you very much. My name is Ayodeji Rex Abitogun. I’m an IT consultant. I work with Management Edge Limited. Basically, our focus is on data privacy advocacy as it relates to digital awareness as well as cloud security. Thank you.

Emmanuel Edet: Thank you very much, Ayodeji.

Hakeem Ajijola: Good evening or good afternoon. My name is Abdul Hakeem Ajijola. Despite the fact that I have a bald head, I actually wear quite a number of caps. One of them is I’m chairman of the African Union Cyber Security Expert Group. I also used to be chair of the Working Group B on Critical Incidents and Critical Infrastructure Management of the Global Forum on Cyber Expertise. I’m a commissioner on the Global Something for Stability in Cyberspace, sorry, old age. I also chaired the committee that drafted the Nigerian National Cyber Security Policy and Strategy 2021. I also chaired the committee that put together the strategic roadmap and action plan for the National Data Protection Commission. Like I said, there are quite a few others, but we can leave it at that. Thank you.

Isola Olorunnisomo: Thank you, sir. Good evening, everyone. My name is Ishola Olorunishama from the Nigeria Data Protection Commission. I’m from the IT and cyber security department. I’m a certified data protection officer as well as a lead cyber security manager. Thank you very much.

Folaranmi Umoru: Good evening, everyone. My name is Folaranmi Umoru. I’m a lawyer, but I’m also a governance risk and compliance analyst. Yes, thank you.

Emmanuel Edet: So you pardon me, I knew that this panel was not gender sensitive. So I had to get a co moderator to handle the online session. And that’s what Polar is here for. So we’ll kickstart by asking Mr. Abitogun, you are a private sector expert. And in this age and time, we are seeing situations where increasingly we have data hungry applications by form of artificial intelligence that are trying as much as possible to access data and use them for the purpose which they were created for. I would not like to ask you a direct question. But I would like to understand what are your opinion for privacy, data protection, vis-a-vis cybersecurity and emerging technologies? How do they fit together in one box?

Ayodeji Rex Abitogun: Thank you very much. Bringing privacy, cybersecurity, and sorry, what was I talking about? Online safety together in one box. It’s like having a whole encyclopedia in one phrase. The thing is, in terms of emerging technologies, we just have to take the bull by the horns. Thank you so much for joining us for this session. I want to start by saying that cyber security on its own is not something that we can do without, but what should we be doing in terms of ensuring that the emerging technologies or the cyberspace is secured for all of us to use? When you talk about cyber security, it starts with simple awareness. I know these things we’re talking about is about risk management, which means that at the lower level, everybody needs to be aware of what it means, what kind of risk can you take, and what are the impacts of this risk. At every point in time, you must be able to analyze it. When you now take it to the general space, you have to look at it from the government side. You look at it from the user, which is the end users. You look at it from the organizations that are equally offering the service. In terms of the government, there must be policy. There must be laws that guide the conduct of individuals as well as organizations in the cyberspace. On the side of the individuals, there must be adequate awareness, which we’ve been talking about in the last four days. It’s very, very important because that woman in the village, if he doesn’t have knowledge of his risk exposure in terms of a transacting business via mobile phone or via mobile platform, then he stands the risk of being defrauded. On the side of private organizations that are equally rendering the services, there are clear rules. There are clear guidelines. There are codes of conduct that they are expected to play by. When they fail to play by it, we sanction them. So what are the policies that are in place at the organizational level? What are the laws that are in place at the national level? in terms of practice or in the industry. And as individuals, what are your own personal beliefs or your personal, yeah, your personal beliefs in terms of transacting business? The last session, one of the foundation or one of the key point or the key takeaway from that point, from that session was trust. Trust, when there’s no trust, then definitely it’s going to be difficult for you to transact business with anyone. So at individual level, trust must be built. The issue of integrity is very, very important at individual level before you even talk about, before you talk about the cyberspace. Thank you.

Emmanuel Edet: Thank you very much, Mr. Abitogun. And it’s very interesting because in your conversation, you’ve mentioned about awareness, about the responsibility of government, developing policies and laws, and these policies and laws must be stuck to by the private sector. I’ll now move over to Mr. Hakeem Ajijola. I know you’ve done a lot of things around policies, laws, and all the legal instruments that is required for a state to have a leash on people’s rights in the digital environment. I know you’re a very unconventional person, but I need you in your exposé or what you’re going to explain to us to try and describe to us how countries, governments can cope with the evolving threats as a result of not only the increase in the use of technology, but also the diversity and the challenges posed by emerging technologies. Wow, okay.

Hakeem Ajijola: I took permission to stand, so I will stand so that I can talk to you. How many people here use an iPhone 16? Anybody? 16? The new iPhone? I guess all the parliamentarians have gone, so they are probably the ones who use it. How many of us here use a Mac notebook? Anybody? Yes, sir. Good. I hope you’ve upgraded it to Mac OS 18. Oh, very good. How many of us here use Windows 11 with Copilot? Anybody? Okay. Interesting. So, with due respect, may I ask each and every one of us to please stand up for just a moment. Please just stand. Very quickly, greet the person next to you in your own language. I’m going somewhere with this. Okay. Now, don’t sit down yet. Don’t sit down yet. I want us to test something. Are we ready? If you… No, I just… Please keep standing. Please keep standing. Please keep standing. Please keep standing. If you use Facebook, please sit down. If you use Instagram, please sit down. If you use Twitter or X, please sit down. If you use LinkedIn, please sit down. If you use Microsoft Word or Office, please sit down. So, is there any last… I mean, I don’t count you people. You are standing anyway over there, and I don’t want you to sit on the carpet. But the point is, colleagues, ladies and gentlemen, there’s no last person standing. And one of the things that ties all these apps and software that I’ve spoken about together is that all of them, every single one of them, Each single one of them uses your data to feed their AI. And I would like to know how many of us consciously, overtly, gave permission for our data to be used to feed the AI of somebody else. Anybody? You gave. Okay. And you too gave. But the rest of you, unconsciously. So there’s a data privacy issue here. Good. Now, let me ask another couple of questions. How many of us have used either Google or Apple Maps? Excellent. When you use it, and maybe you are coming here or something, the line is blue. What does it mean? No traffic or easy going. When it gets orange, some traffic. When it gets red, it means you are in Lagos or Accra. But the point is, colleagues, ladies and gentlemen, how does Google Maps know? Think about it. To tell you, yes, it’s an algorithm, but how does the algorithm know? It knows because the data of the person, the phone of the person ahead of you, is leaking. And Google takes that data. Now, one of the challenges we have in Africa is that we experience data poverty. Just as we experience economic poverty. But yet we have resources. Yet we have data. So that data is leaking ahead of you. That gives you to know whether it is blue, orange, sorry, I’m coming, blue, orange, or red. Please understand this. What makes you think that your data is not leaking for the guy behind you? And finally, on Google, which agency of government in your country not just Nigeria gave Google permission to map your country think about it but it is mapped anyway they know your streets they probably even know your house number seven whatever whatever or number two so we use it we enjoy it but who gave permission but that is one of the reasons why government agencies and I’m happy at least two are here you see in Africa they say when you point to three are pointing back at you when you are faffing around as government agency wasting time other people are getting on with it so it’s not just about passing the legislation it is making sure we do so in a timely manner and I hope that will answer the question in a timely manner sir thank you

Emmanuel Edet: I told you he was unconventional it was an understatement so Mr. Hakeem has just explained to us the consequences of sharing your data how your data leaks and the need for you to understand why you need to have a leash on your data or at least know what is being done for your data now I’ll move on to Ishola Shoma and the whole idea is Ishola Shoma works with the personal data regulator the privacy enforcer in Nigeria and I’d like him to explain to us measures that have been taken by the commission to ensure that whoever is using the data of Nigerians actually complies with the law over to you all right

Isola Olorunnisomo: Good evening everyone once again, regarding what Nigeria Data Protection Commission does in ensuring the compliance of what we call the data controllers and data processors in this regard, is to ensure that at every point in time, data subjects which process their data are given adequate and transparent manner in which you gain their consent before you process their data. You know, prior to the passage of the NDP Act 2023, we are very much aware that we’ve had cases whereby some data subjects in this country, especially when it comes to going to Instagram, maybe you’re just thinking or having a conversation around a product which you intend to buy or purchase and all of a sudden you are seeing those ads coming up or popping up without even you giving your consent. And you know, series of things and reports, especially when it comes to the loan sharks, I’m very sure we’re familiar with the loan sharks during the COVID era and after the COVID era, especially when it comes to giving loans out to maybe a particular person and you that you are not even aware that this particular person took a loan, you get a message asking you that one this particular person that is actually owing you a particular amount. So we’ve had a series of cases when it comes to breaching people’s rights when it comes to privacy. So at the commission, we’ve ensured that we roll out adequate awareness program and enforcement program. And you know, one of the challenge we In the global data protection ecosystem, there is a challenge around enforcement as well as monitoring when it comes to the data protection framework. The AU Molabu Convention back then in 2014, it speaks to the framework around cyber security, data protection and e-commerce in Africa. The major challenge which was actually identified was that of the monitoring and enforcement mechanism. When we were drafting the Nigerian Data Protection Act law, those are the things we were able to write on to identify the lapses, especially in the EU GDPR as well. We were able to identify the lapses when it comes to implementation, monitoring and enforcement. Back in Nigeria, what the Nigerian Data Protection Act was able to achieve, which actually makes the Nigerian Data Protection Act a progressive law globally as of today, is to adopt a means which is quite different, which is a public-private partnership, PPP model, by licensing DPCOs to also enhance the compliance process, especially conducting this service to data controllers and processors in Nigeria. To be fair enough, we have actually gone beyond the Nigerian space right now. Recently, just two weeks ago, we had the network of African data protection authorities in Nigeria for a conference and annual general meeting. The key thing that was being clamored on is the harmonization of the framework governing data processing in Africa. And having it so good, the model which we use in Nigeria is what most of these Africa countries are ready to adopt and to actually implement in their own various countries. So, one of the things we’ve ensured in the Nigerian Data Protection Commission is to ensure that we are able to penetrate every sector and every area to ensure that the gospel of data privacy, and especially seeking the consent of data subjects before processing their data at every point in time, is actually adhered to. And so, we’ve continued to advocate that and we’ll ensure that the data of Nigerian citizens are not in any way manipulated or breached at any point in time. And, you know, wherever we have the cases of data breach or when it occurs, it is mandated for data controllers to actually report any such incident to the commission and also notify the data subject within the space of 72 hours. And, you know, another thing we ensure they do on an annual basis is to carry out audit filing. You know, you might conduct an audit of how you process your data in an organization this year, but it is also necessary for you to check mates and to ensure that the previous year, that the lapses identified is also rectified at the same time in the next coming year. So, that’s why we’ve continued to ensure that those controllers and processors comply with the Nigerian Data Protection Act. Thank you very much.

Emmanuel Edet: Thank you very much, Mr. Ishola. And that’s it. Public-Private Partnership in Enforcement and Compliance I would like to call on my co-moderator. Do we call them moderators? All right. Fola, do you have anybody with a question online? You can pick the mic closest to you, please.

Folaranmi Umoru: Well, unfortunately, there are no questions online. There are no questions online, unfortunately, for now.

Emmanuel Edet: All right. So to make this very interesting, instead of us just burying our head in our thoughts, we would like to know your thoughts. We have a few issues that have been thrown up. Issues of awareness, issues of integrity, issues of government creating and enforcing regulations that will secure our personnel data, issues around permissions for international companies to carry out data-driven activities within jurisdiction, and of course, issues around public-private partnership in terms of enforcement of data protection regime. Do we have any questions? We have two hands here, but please just give us a second. Let’s deal with the online questions, please. Thank you.

Folaranmi Umoru: Musa Megiri is asking, what forms of support and collaboration will the Internet Governance Forum and the West African Internet Governance Forum continue to provide in advancing digital health transformation in West Africa?

Emmanuel Edet: I don’t think that is for this session. The questions have been noted. So, can you give us a shot at that?

Ayodeji Rex Abitogun: I think what that person possibly will be interested in would be an issue of collaboration as well as interoperability, then cross-border transfer, because this forum is all about creating awareness in terms of the safety on the Internet as well as proper Internet governance. But what that translates to is that if, I mean, Shomo talked about the issue of the NARPA that was concluded two weeks ago, and one of the key issues is the issue of cross-border transfer, which means that if I am a data controller and I have a data processor from Ghana, for example, how do we ensure that we obey the laws from both countries, and how do we have these laws being enforced when there’s a breach? So, what the Internet Society or ICANN can do would be to create more awareness in this regard. Thank you very much for that. We do have three hands up, but I’ll go with the social etiquette. Ladies first, even though they raised their hands last.

Emmanuel Edet: And someone please help us with microphone.

Audience: Thank you very much. I think my question actually goes to both the data protection young man from NDPC as well as to bold but fully capped Haji Hakeem. I think for the rest of eternity we’ll still be talking about data protection. Essentially, because systems will change, realities will alter, and we’ll still need to make ways to advance the way we communicate. Today we’re talking AI, tomorrow we don’t know what we’ll be talking, it could be green pea, it could be whatever, we don’t know. So data protection and data security will continue to be relevant to all that we do. However, I ask these of the two of you. Can we have data protection or data security without trust? We live in a very dynamic world, and very few of our population actually understand most of the things we’re talking about here. And they constitute the majority, and they’re not in the cities, they’re in the villages. And we’ve bought them cheap smartphones. for them to be able to talk to their relatives in the cities, you know, be able to call a doctor when they have an emergency and all that. But they don’t understand all this grammar we’re blowing here. So how do we actually push this intel, this very valuable information? How do we push it to the rural people, the rural populace? People say the media, the media. Let’s remember, the media, just a few media houses are owned privately. The ones that are owned publicly are the ones that have stations all over. And the funding for those media houses is less than you prefer. All right, so given those realities, and the fact that we know we don’t have the technology, we have to import that technology, we have to import the device. Can we have a safe, data-protected internet without trust? That’s for the children. Thank you.

Isola Olorunnisomo: Thank you very much. In addressing the question, I think it’s in two parts. The first one is regarding the evolving digital space, whereby we keep having different emerging technologies. And how do we intend to address those technologies when they keep coming up? All right, so one of the things we’ve also been advocating on is when these new technologies are being developed, we ensure that they are actually developed with privacy by design in mind, ensuring that it is not going contrary to the concept or the approval of whoever the solution is going to be addressing or whoever is going to make use of it. So when we mean privacy by design, it means whatever solution, especially this era of AI, whatever solution you are trying to achieve or create, as long as it’s going to process the information of a data subject, wherein it’s identified as a personal identifiable information, you need to ensure that it’s designed with privacy by design. And one other thing is to ensure that you carry out a DPI, that’s a Data Privacy Impact Assessment. What the essence of that particular method is to ensure that every risk involved in the processing of personal identifiable information by that particular solution which you intend to use, maybe AI solution or whatever, does not go contrary to the compliance of the Act or whatever regulation or framework that is in place in any region. So those are the things we’ve ensured that we advocate for, that privacy by design in any solution that has been developed is actually implemented in whatever solution. Then coming to the rural area, how do we get to penetrate the awareness? Well, one of the key media which we’ve definitely explored is the media. We can’t do away with the media. And for us at the Commission, we’ve continued to do, to carry out, to partner with relevant organisations, agencies. For instance, the NOA, the National Orientation Agency and series of media firms. And we’ve also ensured that we try as much as possible to capture the grassroots by ensuring that every sector, sorry, every state The legislation is to ensure that the state, especially the local governments, are also aware and also implement a level of privacy regulation or law in place to ensure that those in their environment or in their region actually understand what the data privacy ecosystem is about and the level of rights they have as a data subject. So, as it is in the act, the section, the part six talks about the data subject rights. So, every data subject is expected to know their rights. And it is when you know your rights, that is when you’ll be able to know that, okay, if my data is being processed in a manner that doesn’t suit me, I also have the right to raise a concern or objection to it. And probably report to a data protection authority, which can actually set the case for you. So, for the grassroots, we’ve continued to try as much as to create the awareness as much as possible. We’ve done a series of sensitization across the geopolitical zones, and we’ve also worked with state actors to ensure that we get across to the grassroots as much as possible. Then talking about trust and data security, as it is in the act, we have it in part six when it comes to data security. And it speaks to the technical and organization measures, which data controllers and processors are expected to have in place. And, you know, one thing about policies, regulation, is when it comes to the implementation and standards, you need to ensure that you meet up to that standard. If a data controller or processor goes contrary to the standard, the expected standard, definitely if a breach should occur, those are the loopholes. and the Literary Agency we look out for to ensure that, okay, for instance, oh, there was a breach that occurred in the TELCO organization and you want to probably carry out an audit on them and you start looking out for those standards and they don’t have that in place. So there’s no way there will be data security and there won’t be trust. So definitely with data security, there will be level of trust. Thank you very much.

Hakeem Ajijola: Let me also follow up. I think trust is the critical anchor. Frankly, it doesn’t matter whether it is my great-grandfather’s donkey, whether it is an aircraft to take me to Lagos, whether it is a data pipe. If I don’t trust it, I will not use it. I’m sure if I ask a question today, how many of us, if I told you that I have half a million Naira in Kaduna, if you can go to Kaduna and pick it, it’s yours. But the condition is that you will leave Abuja and drive by yourself. It won’t work. It won’t happen. Okay? So I think, you know, and it also doesn’t matter where the technology is made. If you say the technology is made in China and there’s a product or service that is not trusted, the Chinese will not use it. So for me, trust is an overarching issue. Then in terms of reaching, let me not say rural, but let’s just say underserved or unserved communities, you, my brother here, those ones with green cap, the gentleman in red, the guys managing the sound system, we all, and even our cousins in the village, we all listen to the same radio station. You know what it is? The radio station, you know the name? It’s called WII FM. What is in it for me? And the whole idea here is that we have to give them a value proposition. So, for example, if you say, this phone that your relative in the city gave you, if you don’t look after it well, you drop it in water, or you don’t practice good cyber hygiene, you cannot call your brother anymore, sister in the city, maybe to do some alerts to you. They will look after it. So you have to have a value proposition. Thank you.

Emmanuel Edet: Thank you very much for those response. What we are going to do now in order for us to speed up this because we already 15 minutes past the hour is we’ll take the questions together. And our panelists will note them, and we’ll answer them accordingly. Okay. So the gentleman to my left.

Audience: Okay, thank you very much. So I’m going to wear multiple hats today. I’m going to talk from the platform perspective. I’m going to talk from the policy perspective. And I’m also going to talk from the user perspective. I may also talk from something called marketing, or personalization perspective. Right. And most of my questions are directed towards Alaji Hakeem. Yeah, so I am coming from Ghana, right. And let’s say, in my travel, I give my passport details to a travel agency. And then they give those details to a flight person, airline, and then the airline now carries me and then brings me and then, you know, those details also have to go to immigration, right? Right now, my one data has passed through multiple hands. how do how if the data leaks who is responsible and how do we find who is responsible and also what do um how do i let’s say a travel agency make sure that maybe me giving my that passengers information to the flight they are also taking care of it how can i make sure that it’s happening and if they don’t am i liable right because i’ve done my part transferred it to to them now i’m not we have something called terms of service terms of use or major platforms hype right and in those terms of use they’ll tell you how they use their data unfortunately those documents are very long so we all take and then we’ll say yes i agree take my life take my card right but at the end of the day they hide very pertinent information in those documents now is there something that we could do to probably um shorten or make them summarize those documents to ensure that okay it’s one or two paragraphs where users can actually read and understand or are they going to continuously hide behind those things because there’s this instance for example in those who play sports better right they sign up with one platform by the time they realize another platform is saying you know come in come and play your odds here or they are on one platform and then they go on youtube they see an ad from another platform similar one and then so somebody will be like how did these people know that i went to play two odds or sporty bit right so then um so that is um what um accent of maybe data use transparency and the other is the transparency. Is there a policy to show that the platforms we give our data to, and who else they give their data to, there’s a transparency and we can actually track where the data goes to? Even though I’m playing devil’s advocate on the platform side, I myself have been building platforms, so I know that sometimes we want to favor user-friendliness, and all these guardrails sometimes inhibit the user’s ability to freely use your platform. So who should policy favor more? Should it be the platform builders? Should it be the service providers they rely on? Or should it be the users that they are trying to serve? Because at the end of the day, the user is coming to you, not to maybe the end person they are going to interact with. But you also have that responsibility to protect their data.

Emmanuel Edet: Thank you very, very much. Can you find a way to transfer the microphone to the gentleman on my right? Thank you, please. We’ve just added another hat to you.

Audience: Thank you very much. My name is Osei from Ghana. I’m curious to know from my mom from NBPC, who are they benchmarking in terms of policy formulation or say, designing? Who are they benchmarking? And also, I’m also curious, you know, the rise demands of people keep changing and evolving. How are they continue to also improve or say, meet the demands of reader users? Thank you.

Emmanuel Edet: Are there any other questions? Okay, none for now. Shoma, you want to take a shot at that? So we have, just to summarize in case there was just a bit too much. So the questions that were asked was, if data leaks in a chain, how can you find who is responsible and deal with that? The second one was, can we shorten the terms of use of those long things that scare people away from reading? And then the third one was, is there a policy framework, right, to show where data leaks from, something like that? And then finally, the fourth question was, who are you benchmarking your policy against? And due to the evolving changes in rights, how are you managing that? Thank you.

Isola Olorunnisomo: All right. Thank you very much. In addressing the first question regarding the data leakage, we’ve actually continued to advocate to ensure that every data controllers and processor in this regard, when it comes to the issue of issuing, giving out your passports, maybe at the point of immigration clearance at the airport, that one of the things we’ve embarked on at the commission, immediately the acts came to play, was to write those agencies, for instance, like immigration. I don’t know, when it comes to the Nigerian passport, your name, your private information is clearly written there. Anybody that has access to your passport has everything. So, you know, we’ve advocated whereby you can use data security measures, the pseudonymization, the encryption method, and all that. And, you know, instead of writing the full name number or the full passport number, why don’t we just have in place one of the measures when it comes to data security? Like just asterisk some of the digits, and when you put it in the computer system to scan, it will only bring it up. So if any chance the threat actors have access to your passport, then they won’t even have access to the full digits because they don’t even know how to get it in the first place. They don’t have the device. So that is one of the things we are currently advocating for regarding the Nigeria immigration passport issuing. And when it comes to data leakage, there’s no doubt there will be a data breach or leak whereby you won’t be able to trail. You know, everything about digital space, there will always be a trail to it. That’s why most of the cybercriminals, even if it’s 10, 20 years, one way or the other, they will still get caught either. So when it comes to data leakage, the data controller or processor is expected that at every point in time that this occurs, they are able to notify the data protection authority depending on the region or the country. For us in Nigeria, it is expected for a data controller to report to the authority within the space of 72 hours and also notify the affected data subjects. And in the case whereby there is a possible remediation before the arm goes out of arm, it is expected for the data controller to implement such remediation because definitely the data subjects right. This panel asks to be protected adequately. For the data subject to have given you the concept and the full access to ease our personal data, your responsibility as a data controller or processor is to ensure that it is well secured at every point in time. Not everyone having access to it and using it for frivolous activity.

Emmanuel Edet: Sorry, Shoma, I’m very, very sorry to interrupt you. Please forgive me, I’m moderating the panel, I’m not moderating you. So I couldn’t stop the gentleman for his long question, but I definitely can stop my panelists for the long answers. So please, we would like you to just summarize as quickly as possible, so that we can move on to other discussion. Thank you very much. For the second question, sorry, can I get it again? Yes. Is there any policy that will enable you to track your data so you know when it leaks? And then the last one is, when you’re making your policy, who do you benchmark it against?

Isola Olorunnisomo: So I think I’ve addressed the first one. I think I just recalled the second one is regarding all those lengthy policy that you are required to read or accept. So for us in Nigeria, the Nigeria Data Protection Act has actually stipulated and mandated that every policy, when it’s been displayed, should be as transparent as much as possible and to be straightforward without being lengthy. There should be a summary policy, which an average user can actually read and understand and either give ease or consent to. Then you can also give a further review or further reading to it. But the very first and major one has to be as short as possible and straightforward for an ordinary person to understand and give consent to. Then for the benchmarking question, well, for us, the Commission, we definitely are more of the pro-citizen. level playing ground for both parties. Thank you very much.

Emmanuel Edet: Thank you, Hakeem.

Hakeem Ajijola: Very quickly, there are techniques to try and minimize interception of data during exchange. Of course, we know about encryption, but one of the big areas is data pseudomization. And I think that’s something that we need to explore. Certainly, I know in Nigeria, NIMC, our identity management agency has been looking at that, where instead of giving your, you know, it’s like an OTP. So you have a data string that says who you are, because you put it on your phone and sent it to somebody, but it expires after maybe an hour or so. Secondly, in terms of these long agreements, you know, we human beings, we are funny. If you don’t have a long, detailed agreement, you say, ah, they didn’t say everything. But maybe at an individual level, a sophisticated person like yourself, maybe you could ask chat GPT to give you a summary and indicate where the risks in the agreement are. And then I would disagree a little bit with my colleague Folaranmi Umoru. At the end of the day, forget platform, forget, it’s all about people, human being. That is the number one. In fact, it’s one, two, three to 10. Then you worry about software, platform, people first. And one of my favorite quotes by. And finally, a gentleman I have a great deal of respect for, Mikko Haiponen. He famously said, we are no longer protecting computers, we are protecting society. Thank you.

Emmanuel Edet: Thank you very much. We know that most of the questions have been targeted at the experts and the government, but we need the private sector to make some contributions, because whether we like it or not. He coined the term, surveillance capitalism. It was from a book I read, which explained that the private sector has taken over the surveillance, which the citizens are afraid of government for. But the citizens don’t know that government don’t even have the kind of capacity the private sector has to know where you are, what you do, and even teleguide your mind on what you read, what you don’t have access to. So, I’d like you to explain to us a few things around how the private sector can ethically apply, not only emerging technologies, but also make fits without damaging the society or breaking laws that have to do with privacy. And please, that will be your final contribution. So in case you have any other thing to add to that, you go ahead. Thank you, sir.

Ayodeji Rex Abitogun: Thank you very much. Yeah, in terms of ethical conduct. If we’ll take from the gentleman that asked question that cut across platform as well as individuals. For example, as private sector. One of the things that you want to do, or that you want to have at the back of your mind is the long term sustainability of your business. So when you put that first, then integrity becomes your watchword. If you are going to process any data, you must think of data ethics as well as a stewardship. Then beyond that also, like the case he presented in terms of if you give your data to a traveling agent and the traveling agent was to purchase a ticket on your behalf and they pass it on to travel to airline company and the airline company equally pass your information to the immigration. The thing here is that what really are you looking for? Is there a data breach in that whole process? It’s all about the service that you want to get at that point in time. So as a private sector individual, and what private sector people do also is that some of the things, the products that is being developed, it is based on feedback from the users. So if imagine a situation whereby you pass your information to a traveling agent and he needed to buy that ticket, he call you to his office to come and fill the form yourself, there’s tendency that you possibly would see it as a waste of time. Why did I engage you? So the thing here is based on co-creation of value, co-creation of products, you invite end users in terms of developing a platform. And one of the things that will guide you in that process is the privacy by design, which Shomal talked about earlier on. But we need to understand that those T and Cs, they are very, very important in the sense that as individuals who are in a hurry, we don’t even want to read what is put in the document. If a service provider is telling you that if I collect your data, I will submit this data to security agencies if they need it, or I will equally give it to other partners. And you accept to that. And he went ahead to give it to the airline operator. You can hold him for passing your data to an airline operator, since he was acting as a… and Aminatou Nkrumah. I’m going to pass the data to my service, to my other partners. And you agree to it, you sign to it. That’s giving consent to it. So the thing here is that we need to understand clearly what and what is put in the paper. But from the side of the service providers or private sector individuals, when you think about the environment that you operate and the need to safeguard the individual lives, then you would think about putting privacy into your product and also ensure that whatever you do, it has a long way of affecting the society and it can come back to you. That would be my contribution for that. Thank you.

Emmanuel Edet: Thank you very much for that. Mr. Ajijola, any last words?

Hakeem Ajijola: Yes, I like my African proverbs. He who does not cultivate his farm will have no harvest. Neglecting cybersecurity, data protection and online safety is like abandoning your farm and then you expect to eat. Quick announcement. Starting from about the 27th of this month, we are going to start having stakeholder sessions for the we’ve drafted a continental African cybersecurity strategy. And so those who would like to attend maybe the civil society or the private sector session, you can get me at info at consultancyss.com. Ask somebody who was listening. Finally, cybersecurity is a team sport. No country, no person, no organization can do it alone. And here I will end with one of my favorite African proverbs, because it’s about cooperation, working together. You cannot clap with one hand. Thank you.

Isola Olorunnisomo: All right, thank you very much. Just a parting word, like the session actually says, enhancing digital resilience. You know, for everyone to enhance the digital resilience and the digital space, we all have a role to play. So I will actually encourage everyone of us to ensure that in as much as cybersecurity, data protection and the ecosystem as it is, it is our duty to ensure that everything we do online or wherever at every point in time is based on the knowledge we have. Like giving your consent at the right time, to the right place and to also ensure that those around us are adequately aware and knowledgeable. So it’s all based on awareness and driving literacy, digital literacy in the ecosystem. So my take home and as well as my recommendation for every one of us is to ensure that we are invited as much as possible to ensure we are there to the privacy by design at every point in time.

Emmanuel Edet: All right, thank you very much for that. So, ladies and gentlemen, there it is. Enhancing digital resilience, cybersecurity, data protection and online safety. We have come to the end of this session and I will advise, be cybersecurity conscious, ensure your data is well protected and stay safe online. Thank you very much.

Agreement points

Importance of digital literacy and awareness

Speakers

– Emmanuel Edet
– Isola Olorunnisomo
– Hakeem Ajijola

Arguments

Need for digital literacy and awareness

Importance of understanding personal data rights

Trust is critical for adoption of digital technologies

Summary

The speakers agree that educating individuals about digital technologies, their rights, and potential risks is crucial for enhancing digital resilience.

Need for transparency in data practices

Speakers

– Isola Olorunnisomo
– Ayodeji Rex Abitogun
– Audience

Arguments

Importance of understanding personal data rights

Need to consider long-term sustainability and integrity in data practices

Need for transparency in data sharing between organizations

Summary

The speakers emphasize the importance of transparent data practices, both for individuals to understand their rights and for organizations to maintain trust and integrity.

Similar viewpoints

Both speakers emphasize the importance of trust and integrity in digital practices for long-term success and adoption of technologies.

Speakers

– Hakeem Ajijola
– Ayodeji Rex Abitogun

Arguments

Trust is critical for adoption of digital technologies

Need to consider long-term sustainability and integrity in data practices

Unexpected consensus

Simplification of terms of service

Speakers

– Audience
– Isola Olorunnisomo

Arguments

Long terms of service hide important privacy information

Importance of understanding personal data rights

Explanation

While not explicitly stated by the NDPC representative, there was an unexpected agreement on the need for more transparent and simplified terms of service, aligning with the audience concern and the NDPC’s focus on user rights awareness.

Overall assessment

Summary

The main areas of agreement centered around the importance of digital literacy, transparency in data practices, and the need for trust in digital technologies.

Consensus level

There was a moderate level of consensus among the speakers, particularly on the importance of awareness and education. This consensus suggests a shared understanding of the challenges in digital resilience and potential directions for addressing them. However, there were some differences in emphasis and approach, particularly between regulatory and private sector perspectives.

Different viewpoints

Approach to data protection policies

Speakers

– Isola Olorunnisomo
– Audience

Arguments

Isola Olorunnisomo stresses the importance of individuals understanding their rights as data subjects. He argues that knowing these rights enables people to recognize when their data is being misused and to take appropriate action.

An audience member inquires about the benchmarks used for policy formulation in Nigeria. This question highlights the importance of aligning national policies with international best practices in data protection.

Summary

While Olorunnisomo focuses on educating individuals about their rights, the audience member suggests benchmarking policies against international standards, implying a more top-down approach.

Unexpected differences

Overall assessment

Summary

The main areas of disagreement were subtle and centered around the approach to implementing data protection and building digital resilience. Speakers generally agreed on the importance of trust, awareness, and responsible data practices, but had different emphases on how to achieve these goals.

Disagreement level

The level of disagreement among the speakers was relatively low. Most differences were in emphasis rather than fundamental disagreements. This suggests a general consensus on the importance of digital resilience, cybersecurity, and data protection, with variations in how to best implement and promote these concepts. The implications are that a multi-faceted approach, incorporating elements from each speaker’s perspective, may be necessary to comprehensively address digital resilience challenges.

Partial agreements

Similar viewpoints

Both speakers emphasize the importance of trust and integrity in digital practices for long-term success and adoption of technologies.

Speakers

– Hakeem Ajijola
– Ayodeji Rex Abitogun

Arguments

Trust is critical for adoption of digital technologies

Need to consider long-term sustainability and integrity in data practices

Key takeaways

Data protection and privacy are major challenges in the digital age, with personal data often collected and used without explicit consent

Government regulations and public-private partnerships are important for enforcing data protection

The private sector plays a crucial role in data protection and needs to consider ethics and long-term sustainability

Building trust and transparency in data practices is critical for adoption of digital technologies

Individual awareness and responsibility are essential for digital resilience

Resolutions and action items

Nigeria Data Protection Commission to continue advocacy for privacy by design in new technologies

Stakeholder sessions for drafting a continental African cybersecurity strategy to begin on the 27th of the month

Unresolved issues

How to effectively shorten and simplify terms of service agreements while maintaining necessary detail

How to balance user-friendliness of platforms with robust data protection measures

How to effectively reach and educate rural populations about data protection and digital safety

Suggested compromises

Using data pseudonymization techniques to minimize interception during data exchange

Creating summarized versions of privacy policies that are easily understandable, with options for more detailed information

Involving end-users in the co-creation of products to balance usability with privacy considerations

So, colleagues, ladies and gentlemen, there’s no last person standing. And one of the things that ties all these apps and software that I’ve spoken about together is that all of them, every single one of them, Each single one of them uses your data to feed their AI. And I would like to know how many of us consciously, overtly, gave permission for our data to be used to feed the AI of somebody else.

Speaker

Hakeem Ajijola

Reason

This comment highlighted the pervasiveness of data collection and AI training in everyday technology use, challenging participants to consider their own awareness and consent.

Impact

It shifted the discussion towards the ethics of data collection and use, prompting deeper consideration of user consent and awareness.

Can we have data protection or data security without trust? We live in a very dynamic world, and very few of our population actually understand most of the things we’re talking about here. And they constitute the majority, and they’re not in the cities, they’re in the villages.

Speaker

Audience member

Reason

This question raised important points about the role of trust in data protection and the challenge of educating rural populations about complex technological issues.

Impact

It broadened the conversation to include considerations of trust, digital literacy, and the digital divide between urban and rural areas.

We are no longer protecting computers, we are protecting society.

Speaker

Hakeem Ajijola (quoting Mikko Hypponen)

Reason

This quote succinctly captured the broader societal implications of cybersecurity and data protection efforts.

Impact

It reframed the discussion from a technical focus to a more holistic view of the societal impact of digital security measures.

Cybersecurity is a team sport. No country, no person, no organization can do it alone.

Speaker

Hakeem Ajijola

Reason

This comment emphasized the collaborative nature of cybersecurity efforts, highlighting the need for cooperation across sectors and borders.

Impact

It encouraged participants to think about cybersecurity as a shared responsibility, potentially leading to discussions about international cooperation and public-private partnerships.

Overall assessment

These key comments shaped the discussion by broadening its scope from technical aspects of cybersecurity and data protection to include ethical considerations, societal impacts, and the need for collaboration. They challenged participants to think more critically about consent, trust, and the responsibilities of various stakeholders in the digital ecosystem. The comments also highlighted the importance of addressing the digital divide and ensuring that cybersecurity efforts protect not just systems, but society as a whole.

How can we push valuable information about data protection and security to rural populations who may not understand the technical aspects?

Speaker

Audience member

Explanation

This is important because a large portion of the population may not understand the complexities of data protection, yet they are still vulnerable to data breaches and misuse.

Can we have data protection or data security without trust?

Speaker

Audience member

Explanation

This question highlights the fundamental role of trust in data protection and security measures, which is crucial for user adoption and compliance.

How can we shorten or summarize terms of service documents to ensure users can actually read and understand them?

Speaker

Audience member

Explanation

This is important because long, complex terms of service often hide crucial information about data usage, and users typically agree without reading them.

Is there a policy to show transparency in data sharing between platforms and track where data goes?

Speaker

Audience member

Explanation

This question addresses the need for transparency in data sharing practices, which is crucial for user trust and informed consent.

Who should policy favor more: platform builders, service providers, or users?

Speaker

Audience member

Explanation

This question highlights the challenge of balancing the interests of different stakeholders in data protection policies.

Who is the Nigerian Data Protection Commission benchmarking against in terms of policy formulation?

Speaker

Osei from Ghana

Explanation

Understanding the benchmarks used for policy formulation can provide insight into the standards and best practices being adopted.

How does the Nigerian Data Protection Commission continue to improve and meet the evolving demands of users?

Speaker

Osei from Ghana

Explanation

This question addresses the need for regulatory bodies to adapt to rapidly changing technology and user expectations.