The CEO of Glemad, David Idris, reckons that Nigeria’s business landscape faces significant cybersecurity vulnerabilities, particularly with SMEs neglecting proactive security measures. He advocated for stronger data protection enforcement, better education on data privacy rights, and a balance between data localisation and international flexibility to secure Nigeria’s digital future in this interview with SAMI TUNJI
How is Glemad ensuring that its AI-driven technology solutions align with Nigeria’s data protection regulations, particularly the Nigeria Data Protection Act of 2023?
At Glemad, we have long understood that data protection is not just about compliance; it’s about trust. We take a proactive approach by embedding privacy-first principles into our technology, ensuring that data security and regulatory alignment are built into our processes from the ground up. This means continuously auditing our frameworks, adapting to emerging regulatory updates, and working alongside industry stakeholders to strengthen Nigeria’s digital ecosystem.
For us, data protection isn’t a check mark in the boxes; it is the principle upon which we make every move. Being a CEO, I can speak to the fact that a lot of companies, most especially small and medium enterprises, are taken aback by the ever-changing landscape of the data protection regulation. Coming into effect in 2023, the NDPA was a move in the right direction, but at the rate at which digital technologies change, the law had to keep up. It is thus not very hard to see why businesses often struggle to keep up with compliance, especially when regulations are complicated and sometimes appear to change overnight.
I have been a firsthand witness to large and small business reactions to such regulations, not because they want to, but frankly, out of necessity. It is usual for companies, at times, to feel they are playing catch-up when regulations get increasingly stringent. Therein lies the challenge: aside from knowing and keeping up with the existing set of laws, businesses equally need to speculate what the future of the law might be. At Glemad, we have built our systems in such a way that we meet the demands of today but are also agile enough to pivot when new laws and regulations come into play.
Compliance shouldn’t be a burden but rather an opportunity. If you look at data protection from a compliance-first point of view, it’s really easy to see it as purely transactional in nature. The minute that mindset starts to shift, as it has at Glemad, data protection becomes an opportunity to build trust with your customers, and the value of compliance is crystal clear.
Of the many important things I have learnt in my years of professional practice, one of the most enduring is that the only compliance that works is that which is actively policed. Even today, far too many Nigerian businesses adopt a reactive approach to data protection, doing no more than is necessary to avoid punitive measures rather than embracing proactive security. All this brings a very real question: Should Nigeria’s regulatory approach be weighted more toward more stringent enforcement or more toward education and incentives that encourage voluntary compliance?
Nigeria has seen an increase in cyberattacks and data breaches. What are the most significant vulnerabilities facing Nigerian businesses and government institutions in data security?
One of the biggest challenges is that many businesses, especially smaller ones, still see cybersecurity as an afterthought rather than a fundamental aspect of operations. Outdated systems, weak access controls, and inadequate security monitoring leave organisations exposed to ransomware attacks, insider threats, and social engineering schemes.
Another pressing issue is the lack of structured response mechanisms; many businesses only realise they have vulnerabilities after an attack has occurred. Addressing this requires a shift towards proactive security management, where companies implement continuous monitoring, structured incident response protocols, and regulatory compliance measures as part of their operational foundation. As cyber threats become more sophisticated, businesses that lack in-house expertise are increasingly relying on specialised security and infrastructure management services to ensure they can detect and mitigate threats before they cause damage.
I have been fortunate to see how businesses that embrace proactive data security thrive in today’s complex digital ecosystem. Such was the case with a financial institution in Cameroon, which we worked with back in September 2024. The company was facing a potential disaster when a cyberattack targeted its financial systems. The situation, which could have been a big loss in revenue and probably the collapse of its digital banking system, was prevented because of Glemad’s ManageEdge platform and SmartCombat AI technology. Needless to say, AI plays a very important role in preventing such calamities. We built SmartCombat not only to detect threats but also to analyse patterns, predict future risks, and automate response measures in real time. This proactive approach is going to be a game-changer for businesses, especially those dealing with sensitive financial information.
Many Nigerians are unaware of their data privacy rights. What steps should be taken to improve public awareness and digital literacy on data protection in Nigeria?
A significant portion of citizens remain oblivious to the fact, a concern that the country needs to vigorously address as digitisation continues to take root. However, this kind of education should not be an affair of the government only; the private sector can play an imperative role here, too. I believe that if companies don’t make an effort to explain how they handle personal data, they are not only failing to comply with regulations, but they are also undermining the trust that customers place in them.
The situation is compounded by the complexity of many terms of service agreements. I’ve seen these documents that are meant to inform, but in reality, they confuse users more than anything else. The greatest challenges include ensuring clarity in how the business explains in simple terms its use of any customer data; most often, very important information is hidden under thick legal phrases that are utterly incomprehensible to the person to whom that data pertains. At Glemad, we believe access to data protection practices should and must be clearly accessible to any user. We are of the view that businesses must be made to provide summaries of their data policies in a manner that allows users to understand how their personal information will be treated.
Public awareness is as critical as technical safeguards. Strengthening digital literacy should start at the policy level, with nationwide education programmes that simplify data protection laws for businesses and individuals alike. At an operational level, businesses must take more responsibility for educating their customers on how their data is used and protected.
However, awareness alone is not enough; organisations must build security into their culture. This means integrating security best practices into workplace training programmes and ensuring that employees and customers alike understand how to protect sensitive data. Without this, even the most advanced cybersecurity measures can be undermined by simple human error.
With the NDPA in place, do you think Nigeria’s regulatory framework is strong enough to protect citizens’ data, or are there still major gaps that need to be addressed?
While the Nigeria Data Protection Act is a good initiative, I do not feel it does enough regarding the enforcement aspect. It is not the laws that are at fault but rather the fact that they are never proactively enforced. How many organisations in Nigeria truly understand what these new regulations demand of them? How many take the necessary measures to ensure the law is adhered to? Unfortunately, so many are making it up on the fly. This leads, even if unintended, to an awful lot of non-compliance.
One thing I think was not given ample attention is that of cross-border data transfers. We are part of the global digital economy, and our businesses exchange data with their international partners day in and day out. But the country is yet to put in place an all-encompassing strategy that will regulate cross-border data flows. That again creates a huge chasm in the regulatory framework and brings into question a very key and important concern: should Nigeria enforce stricter policies to guarantee full control over her sovereign data or expose herself to modern global frameworks that allow easy, free flows of information and ideas?
The NDPA is an important step forward, but implementation remains a challenge. For data protection laws to be truly effective, enforcement mechanisms must be strengthened, and companies need clearer guidance on compliance expectations. Many organisations still struggle to align their systems with regulatory standards, particularly when it comes to cross-border data transfers, third-party risk management, and real-time security monitoring.
There’s also a need for more structured compliance support, especially for SMEs that lack the technical expertise to navigate complex regulations on their own. In response, we are seeing a rise in compliance-as-a-service models, where businesses can integrate security management solutions that help them stay compliant while focusing on their core operations. This shift is helping bridge the gap for companies that don’t have in-house compliance teams but still need to adhere to national and international regulations.
How can Nigerian businesses, especially SMEs, balance the adoption of AI-driven solutions with the need to comply with strict data privacy regulations?
SMEs face a unique challenge; they must embrace AI and automation to remain competitive, yet many lack the resources to implement full-scale compliance infrastructures. The key is integrating security and compliance from the outset rather than treating them as afterthoughts. What I always say to business leaders is that the success or failure of AI implementation depends on embracing AI governance frameworks right from the start. This ensures that AI technologies are used in ways that are ethical and, from the very beginning, comply with relevant laws.
Businesses should adopt centralised IT governance models, where security, compliance, and AI-driven automation work in tandem rather than in silos. For SMEs that lack the capacity to manage these internally, outsourcing security and compliance functions is becoming a viable option. This allows businesses to leverage enterprise-grade security infrastructure without the burden of building it themselves, ensuring they remain compliant while focusing on their growth.
Data localisation is a growing concern in many countries, with governments pushing for sensitive data to be stored within national borders. Should Nigeria adopt stricter data localisation policies, and what impact would that have on businesses?
Data localisation is a double-edged sword. On the one hand, keeping sensitive data within national borders enhances sovereignty and security. On the other hand, it presents logistical and financial challenges, particularly for businesses that rely on cloud-based infrastructures that operate across multiple jurisdictions.
I believe in a pragmatic Nigerian approach to data localisation, one that will truly balance security without ignoring the transboundary nature of the modern digital economy. Businesses should, therefore, be afforded the option to store data overseas, provided stringent requirements for security could be met, and a careful balance would ensure national security on one hand, while on the other hand, allow businesses to use flexibility to stay efficient.
Nigeria should prioritise localisation for critical industries while also allowing regulated frameworks for international data flows. Businesses that operate across borders need secure infrastructure management solutions that comply with national data residency laws while maintaining efficiency in global operations.
The rise of AI in decision-making processes comes with concerns about bias, discrimination, and lack of transparency. How should Nigerian regulators approach AI governance to ensure fairness and accountability?
AI governance must go beyond technical compliance and focus on ethical responsibility. This means establishing clear guidelines for transparency in AI-driven decision-making, implementing independent audits to identify biases, and ensuring that AI systems are explainable rather than black-box models that users don’t understand.
At the regulatory level, there’s a growing need for cross-sector collaboration, where businesses, policymakers, and civil society work together to create adaptable governance frameworks that keep up with the rapid evolution of AI technologies. Independent compliance frameworks and AI governance models can also help businesses ensure they are meeting ethical AI standards while maintaining compliance with regulations.
What emerging data protection and AI-related challenges do you foresee for Nigeria in the next five years, and how should stakeholders like the government, the private sector, and civil society collaborate to address them?
Looking ahead, I see great opportunities and significant challenges. In the next five years, I envision a radical rise in the adoption of AI in industries, along with a whole new dimension of risks. A domain that really bothers me is ethics related to the use of biometric data. Facial recognition technologies, among others, are rapidly improving, and with these improved security measures, great concerns are raised about privacy. In application, such technologies must be ethically considered to ensure appropriate security while maintaining the privacy of individuals.
Equally, there is an increasing interest in misusing AI to generate misinformation. In the same way that AI can be applied to problem-solving, distinguishing real and fake information can be improved with AI. Should Nigeria invest in AI-driven fact-checking systems? If so, should they be regulated or left to the private sector?
These are difficult questions, but they must be considered if Nigeria wants to become a leader in the field of digital technology and data protection. The future is not about just reacting to today’s challenges at Glemad; rather, it is about thinking of tomorrow’s challenges and ways we can meet them. Whether through AI-driven security solutions or proactive education, we’re committed to helping Nigerian businesses stay ahead of the ever-changing landscape of data protection.
As Nigeria continues its digital transformation, stronger collaboration between the government, private sector, and civil society will be essential in creating adaptive regulatory frameworks to keep up with technological advancements. There’s also an urgent need for scalable cybersecurity infrastructures to protect businesses and individuals from emerging threats, particularly in critical industries like finance, healthcare, and telecommunications. As cyber threats evolve, companies must adopt continuous monitoring, automated threat detection, and managed security operations to ensure they can quickly identify and respond to risks in real time.
