This project draws on real work, with all company details anonymised.
Our client, GETCO SOLUTIONS LIMITED, operates a digital lending and Buy-Now-Pay-Later platform (GETMONI) in Nigeria. They process highly sensitive personal data for credit assessment. Our objective was to conduct an NDP Act-compliant DPIA to identify and mitigate privacy risks, protecting both users and the business from regulatory harm.
We used a structured, collaborative method.
- We applied the official NDP Act GAID Schedule 4 DPIA Checklist, adapted to GETMONI's workflow, which the client populated.
- We verified lawful bases and mapped data flows, then focused on high-risk areas like cross-border transfers and third-party vendors.
- We synthesised all findings, evidence, and recommendations into a final report for leadership, complete with risk ratings and a remediation plan.

- Undocumented Cross-Border Transfers: Data flows to the US, EU, and South Africa were high risk. Recommendation: Conduct an immediate cross-border-focused DPIA and document lawful bases.
- No Record of Processing Activities (ROPA): Lack of a central ROPA created an accountability gap. Recommendation: Prioritise creating a simple, living ROPA as the foundational governance document.
- Weak Consent Management: Consent lacked audit trails, undermining lawful basis claims. Recommendation: Implement system-logged consent records.
This project confirmed that strong technical controls are not enough without solid governance. The highest risks came from procedural gaps, not system failures.