Data Protection And Digital Retail Lending In Nigeria

With the advent of the Nigerian Data Protection Regulation 2019, personal data and data privacy have become key issues in the digital economy. Though the regulation has been extant for over 2 years, there is a lack of knowledge on the part of most data subjects as to the extent of their data protection and what constitutes a breach of data. While the NDPR has played a huge role in stimulating the digital economy, this lack of knowledge has restricted the impact of the regulation.

In espousing its objective, the Nigerian Data Protection Regulation provides that it was made in recognition of the fact that many private and public bodies have migrated their respective businesses and other information systems online, and these information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against atrocious breaches.[1] The principle guiding the NDPR also stipulates that personal data shall be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject.

In recent times there has been a proliferation of digital retail lenders within the lending space in Nigeria, and this has helped to bridge the financial inclusion gap, as a report from the Financial Inclusion Secretariat shows that formal sector credit penetration as a ratio of the adult population in Nigeria was below 5.3% in 2017[2]. The rise in digital lending can be linked to the widespread use of mobile phones, high demand for credit and a fragmented regulatory landscape for industry players. Traditionally, banks have been averse to retail lending, because the risk appetite of banks does not extend to retail loans and because the process of applying for a bank loan is rather complex, often involving lengthy paperwork and delays.

By contrast, it is unclear why banks/financial institutions that have held and processed data of customers for more than ‘10 years’ are unable to offer loan/overdraft facilities to such customers based on the data they hold alone, yet digital lending companies employ simpler processes and no paperwork to make this possible.

These companies are able to leverage payment data to determine lending risk more easily and utilize smartphones as a distribution channel. Some have gone ahead to leverage alternative credit-scoring algorithms to provide instant, unsecured, short-term loans to individuals. This sort of lending is attractive not only to existing customers, but also to first time borrowers who would otherwise be shut out due to lack of a credit history.

Consequently, the transfer of personal data and financial information through digital channels raises concerns of data privacy, and there is strict responsibility on the part of digital lenders to process these data lawfully, as a result of the digital business model which they have adopted. It has become customary practice for some digital lending companies to use non-financial data and mined phone data to engage in debt shaming of debtors/loanees by informing their family, friends and employers of the existing debt.

In a recent development, Sokoloan, a digital lending company, was fined N10 million by NITDA for alleged privacy invasion. Aside from processing data of data subjects without their consent, NITDA further determined that the company embeds trackers that share data with third parties inside its mobile application without providing users information about it or using the appropriate lawful basis. The company was said to be in violation of the following: use of a non-conforming privacy notice, contrary to Articles 2.5 and 3.1(7) of the NDPR; insufficient lawful basis for processing personal data, contrary to Articles 2.2 and 2.3 of the NDPR; illegal data sharing without appropriate lawful basis, contrary to Article 2.2 of the NDPR; and non-filing of NDPR Audit reports through a licensed Data Protection Compliance Organisation (DPCO), contrary to Article 4.1(7) of the NDPR, amongst others.[3]

In processing the personal data of a data subject, and by requesting access to the contacts of the loan customer, digital lenders also have access to the personal data of the ‘contacts’ of the customer. It is worthy of note that consent to process personal data of the customer cannot include consent to process personal data of another data subject which forms part of the data that was collected from the customer.

According to the NDPR, prior to collecting personal data from a data subject, the Controller shall provide the data subject – through a privacy policy – with the following information:

  • Purpose of the processing for which the personal data are intended as well as the legal basis for processing
  • Period for which personal data will be stored
  • Existence of right of data subject to withdraw consent anytime
  • Existence of the right to request access to, rectification or erasure of the personal data
  • How the data will be processed
  • Type of data collected, etc.

Therefore, digital lenders are not at liberty to process data from a customer’s phone unless they have informed the customer. Lenders also ought to specify all the data that they intend to collect and how they want to use it. The use should be in line with what is reasonably expected by the data subject. For instance, it is reasonably expected that a lender would obtain the customer’s name and phone number for purposes of records, and possibly collect data relating to call records, browsing history, phone model, GPS data and communication pattern for the purpose of credit scoring. However, it is unreasonable for a lender to obtain contacts of ‘data subjects’ from a customer’s phone for the purpose of calling them and engaging them to recover outstanding debts.

The NDPR defines personal data as any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It can be anything from a name, address, a photo, email address, bank details, posts on social networking sites, medical information, and other unique identifiers such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others.[4]

For data controllers/digital lenders, one way of complying with the NDPR would be to send an email to every single person in a customer’s contact list, both to obtain consent to hold and process their data and to explain how they can exercise their rights under the NDPR.

Furthermore, if a digital lender were found to be processing “personal data” belonging to a data subject on a loanee’s contact list (or any other person whose information is uploaded to its server through the action of another person), it would find it difficult to contend that the processing was lawful, because the activity doesn’t prima facie satisfy any of the criteria for lawfulness in Article 2.2 (a – e) of the NDPR.

It is interesting to note that the ‘loanee’s’ contact has not given consent for the lending app to process her personal data for any purpose. She has merely given the loanee consent to process her personal data to the extent that the loanee has stored it in his phone, but that consent presumably does not extend to the lending app uploading that data to its server and calling or texting such person when the loanee is in default.

In Kenya, the Data Protection Act is set to revolutionize digital lending privacy and put an end to debtor shaming and collection of data from undisclosed sources[5]. In essence, digital lending companies need to be aware of the far-reaching implications of the provisions of the Nigerian Data Protection Regulation, while we await substantive legislation for data protection. As data protection becomes more rooted in the fabric of the digital economy, there is bound to be a rise in reports and fines/awards against erring data controllers. Therefore, digital lenders need to fully grasp their compliance obligations under the NDPR, including conducting regular data audits and appointing a DPCO, and come up with an appropriate compliance policy framework.


  • [1] Preamble to Nigerian Data Protection Regulation 2019
  • [2]
  • [3]
  • [4] Article 1.3 (xiv) Nigerian Data Protection Regulations 2019
  • [5]
