The TikTok Ban in the US: Data Protection Lessons for Other Nations
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
January 19, 2025
Introduction
The recent ban on TikTok in the United States has sent ripples across the globe, raising critical questions about data protection, data sovereignty, and the role of international tech companies in safeguarding personal information. While this decision stems from concerns about national security and potential data misuse, it also serves as a powerful reminder of the need for robust data protection frameworks in the 21st century.
Why the ban?
The ban of TikTok in the US is rooted in concerns about the app’s data practices and its relationship with the Chinese government. TikTok collects extensive user data, raising fears that it could be accessed by the Chinese government, posing a national security risk. This is amplified by US-China tensions and the Chinese government’s ability to compel companies to cooperate with state intelligence agencies. The US government has taken several actions, including banning TikTok on government devices and demanding divestment from ByteDance (the owner of TikTok), to address these concerns. If TikTok data falls into the hands of a foreign government, it could be used for surveillance or influence campaigns, posing risks to US citizens’ privacy.
Data Protection in the 21st Century
In the digital age, data is often referred to as the “new oil.” Personal data fuels industries ranging from targeted advertising to artificial intelligence. However, this resource’s immense value also makes it a prime target for misuse and exploitation. The TikTok ban underscores the necessity for governments and organizations to prioritize data protection. With increasing reliance on digital platforms, nations must ensure that their citizens’ data is secure, used responsibly, and protected from unauthorized access.
The Importance of Data Sovereignty
At the core of the TikTok controversy lies the issue of data sovereignty—the principle that a nation should have control over the data generated within its borders. Concerns over TikTok’s data handling practices stem from its parent company’s ties to China. The fear that user data could be accessed by foreign governments highlights the risks associated with international data transfers and the lack of clarity in cross-border data sharing agreements.
Data sovereignty is essential for national security and individual privacy. By exercising greater control over domestic data, countries can better safeguard their citizens’ information from external threats.
Lessons for Other Nations
The TikTok ban provides a blueprint for how other nations can address data protection challenges:
Establish Comprehensive Data Protection Guidelines: Countries with data protection laws must set clear guidelines on how companies collect, store, and process personal data. The European Union’s General Data Protection Regulation (GDPR) serves as a benchmark, emphasizing transparency, accountability, and user rights.
Enhance Data Localization: Nations should consider requiring international tech companies to store data locally. This ensures that sensitive information remains under local jurisdiction and is subject to domestic laws. Data localization also reduces the risks associated with cross-border data transfers.
Strengthen Regulatory Oversight: Governments should establish, support and resource independent data protection authorities to monitor compliance, conduct audits, and enforce penalties for violations.
Encourage Public Awareness: Educating citizens about the importance of data protection empowers them to make informed decisions about their digital footprint.
International Tech Companies and Data Protection
Tech companies operating in multiple jurisdictions face unique challenges in complying with varying data protection laws. To lawfully use citizens’ data, these companies must:
Adopt Global Standards: Implement policies that align with international best practices, such as GDPR or equivalent frameworks.
Ensure Transparency: Clearly communicate how data is collected, stored, and used, allowing users to make informed choices.
Invest in Secure Infrastructure: Leverage state-of-the-art technology to protect data from breaches and unauthorized access.
Foster Collaboration: Work with governments and regulatory bodies to address data protection concerns and build trust.
The Case for National Data Centers
The establishment of national data centers is a critical step toward achieving data sovereignty. By requiring tech companies to use locally hosted data centers, nations can:
Enhance Security: Reduce the risk of data breaches and unauthorized access by keeping data within national borders.
Promote Economic Growth: Encourage investment in local infrastructure, creating jobs and fostering technological innovation.
Strengthen Regulatory Control: Simplify oversight and enforcement by ensuring that data is subject to local laws.
Countries like India have already implemented policies promoting data localization, serving as a model for others. By investing in data centers, nations can assert control over their citizens’ data while accommodating international tech companies.
Conclusion
The TikTok ban in the US serves as a wake-up call for nations worldwide. In an era where data drives economies and influences global power dynamics, robust data protection frameworks are no longer optional—they are imperative. By prioritizing data sovereignty, enacting comprehensive laws, and investing in local infrastructure, nations can protect their citizens and ensure that international tech companies operate responsibly. This collaborative approach is essential for balancing innovation with privacy in the digital age.
Author: Emmanuel K. Gadasu (CEH, CDPS, CIPM, CIPP/E, BSc IT, MSc IT and Law, LLB*)
The writer is a Member of IIPGH, Data Protection and Cybersecurity Consultant, Practitioner and Trainer!
Celebrating World Data Protection Day: Why It Matters for Everyone
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
January 28, 2025
Today, January 28th, marks World Data Protection Day, an annual event dedicated to raising awareness about privacy and data protection. This day, also known as Data Privacy Day, serves as a global reminder of the importance of safeguarding personal information in an increasingly interconnected digital world. As a Data Protection Consultant, I find this occasion pivotal in educating data controllers, data processors, and individuals about their responsibilities and rights under data protection laws. It is a day for reflection, action, and commitment to building a safer digital future for everyone.
The Significance of World Data Protection Day
World Data Protection Day was initiated by the Council of Europe in 2006 to commemorate the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Over the years, this day has grown into a global movement, championing the need to secure personal data against misuse, breaches, and unauthorized access.
In today’s world, personal data is often referred to as the “new oil” due to its immense value. From financial transactions to social media interactions and healthcare records, data fuels our modern economy. However, with this value comes the responsibility to ensure that data is collected, processed, and stored ethically and securely.
Creating Awareness: The Foundation of Data Protection
Awareness is a critical first step in addressing data protection challenges. Many organizations and individuals still underestimate the importance of protecting personal data, leaving themselves vulnerable to breaches and cyberattacks. On this day, stakeholders must recognize the significance of:
Understanding Data Privacy Risks: Cyberattacks and data breaches are on the rise globally. These incidents expose sensitive information, leading to financial loss, reputational damage, and emotional distress. For example, major breaches such as those involving large corporations like Facebook or healthcare providers highlight the dire consequences of inadequate data protection measures.
Empowering Individuals: Data subjects (individuals whose data is collected) need to understand their rights under data protection laws. Awareness campaigns should educate people on how to recognize privacy violations and take action when their rights are infringed.
Promoting Ethical Data Practices: Organizations must be aware that ethical data processing goes beyond legal compliance. It builds trust, which is essential for sustaining customer relationships and business growth.
Obligations of Data Controllers and Processors
Under data protection laws such as the GDPR in Europe and Ghana’s Data Protection Act, 2012 (Act 843), data controllers and processors are required to adhere to specific obligations. World Data Protection Day is an excellent time to remind these entities of their responsibilities:
Accountability and Compliance: Data controllers are responsible for ensuring compliance with data protection laws. This includes implementing appropriate technical and organizational measures to safeguard personal data. Maintaining records of processing activities and conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities are key aspects of accountability.
Transparency: Organizations must be transparent about how they collect, use, and store personal data. This involves providing clear and concise privacy notices to data subjects. Transparency fosters trust and enables individuals to make informed decisions about sharing their information.
Consent Management: Obtaining valid consent from data subjects is crucial. Consent must be freely given, specific, informed, and unambiguous. Organizations should implement mechanisms for individuals to withdraw consent easily if they choose to do so.
Security Measures: Protecting personal data requires robust security measures, including encryption, access controls, and regular vulnerability assessments. Data processors must also ensure that they have adequate safeguards in place, as they are equally liable for data breaches.
Data Breach Notification: In the event of a data breach, data controllers must notify the relevant data protection authority within the stipulated timeframe and inform affected individuals if the breach poses a high risk to their rights and freedoms.
Empowering Data Subjects: Know Your Rights
World Data Protection Day is also an opportunity to empower data subjects by educating them about their rights under data protection laws. These rights include:
The Right to Be Informed: Individuals have the right to know how their data is being processed, the purpose of the processing, and the entities involved.
The Right to Access: Data subjects can request access to their personal data held by an organization and obtain a copy of the information.
The Right to Rectification: If personal data is inaccurate or incomplete, individuals have the right to request corrections.
The Right to Erasure (Right to Be Forgotten): Under certain circumstances, individuals can request the deletion of their personal data, such as when it is no longer necessary for the purpose for which it was collected.
The Right to Restrict Processing: Individuals can request that an organization limit the processing of their data under specific conditions.
The Right to Data Portability: Data subjects can request their data in a machine-readable format and transfer it to another controller.
The Right to Object: Individuals can object to the processing of their data, particularly for direct marketing purposes or processing based on legitimate interests.
Rights Related to Automated Decision-Making: Data subjects have the right to request human intervention in decisions made solely through automated processing.
The Role of Governments and Regulatory Authorities
Governments and data protection authorities play a crucial role in advancing data protection. On this day, they are reminded of their responsibility to:
Enforce Compliance: Regulatory authorities must ensure that organizations comply with data protection laws by conducting audits, investigating complaints, and imposing penalties where necessary.
Provide Guidance: Data protection commissions should issue guidelines, templates, and tools to assist organizations in meeting their obligations.
Raise Public Awareness: Governments can organize campaigns, workshops, and events to educate the public about data protection and privacy.
Looking to the Future
As we celebrate World Data Protection Day, it is crucial to look ahead and address emerging challenges in the data protection landscape. Rapid advancements in technology, such as artificial intelligence, blockchain, and the Internet of Things (IoT), present new risks to privacy and security. Governments, organizations, and individuals must collaborate to:
Adopt Privacy-Enhancing Technologies: Invest in tools and solutions that prioritize data minimization, anonymization, and user control.
Develop Skills and Expertise: Build capacity in data protection through training programs and professional certifications.
Promote International Cooperation: Privacy is a global issue. Cross-border cooperation among countries is essential to address data protection challenges effectively.
Conclusion
World Data Protection Day is a reminder that protecting personal data is not just a legal obligation but a moral imperative. It requires a collective effort from data controllers, processors, governments, and individuals to create a culture of privacy and security. By taking proactive steps to safeguard personal information, we can build a more secure digital environment that respects the rights and freedoms of every individual. Let us commit to this cause not just today but every day, as we move into the future with data protection at the forefront of our priorities.
Why Privacy Should Not Be an Afterthought
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
February 15, 2025
In today’s digital age, privacy is more crucial than ever. As technology advances, so do the methods by which personal data can be collected, shared, and exploited. Treating privacy as an afterthought can lead to significant repercussions for individuals and organizations alike.
First, safeguarding personal data fosters trust between businesses and consumers. When companies prioritize privacy, they demonstrate respect for their customers’ information, enhancing brand loyalty and reputation. Conversely, data breaches can result in loss of trust and financial consequences that can take years to recover from.
Moreover, neglecting privacy can lead to legal ramifications. With regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), non-compliance can result in hefty fines and legal action. Organizations must integrate privacy measures from the outset, ensuring they are compliant and protecting their stakeholders.
Finally, personal privacy is a fundamental human right. Individuals deserve control over their information, which is essential for freedom of expression and autonomy. By embedding privacy into the design of systems and processes, we not only comply with regulations but also uphold ethical standards and promote a culture of respect and responsibility in the digital landscape.
Nemo Judex In Causa Sua: Ensuring Data Protection Integrity
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
March 20, 2025
The legal maxim nemo judex in causa sua, meaning “no one should be a judge in their own case,” is fundamentally relevant to data protection compliance. This principle emphasizes the necessity of impartiality, the avoidance of conflicts of interest, and the maintenance of trust in compliance processes. In the context of data protection, this maxim translates to ensuring that those responsible for data processing and compliance oversight are not simultaneously involved in decision-making that could compromise their objectivity.
1. Independence of the Data Protection Officer (DPO)
The DPO’s role, as mandated by regulations such as the GDPR, Ghana’s Data Protection Act, 2012 (Act 843), the Nigerian and Kenyan data protection laws, and the like, demands strict independence. A conflict arises when a DPO is also responsible for data processing decisions, effectively overseeing their own actions. To prevent this, the DPO should report directly to the highest management level, such as the Board of Directors, and avoid positions that involve direct data processing decisions. When internal independence is unattainable, organizations should consider appointing an external DPO.
2. Impartiality in Internal Data Protection Audits
Internal data protection audits are crucial for assessing compliance, but their integrity is compromised when the same department processing personal data conducts the audit. To ensure impartiality, audits should be performed by an independent compliance team or an external auditor. A whistleblower mechanism can further enhance oversight.
3. Regulatory Investigations and External Verification
Data protection regulators must maintain independence to uphold public trust. Organizations cannot self-certify compliance or conduct internal breach investigations without external verification. Engaging third-party auditors and ensuring transparent regulatory investigations are essential for maintaining integrity.
4. Conflict of Interest in Data Processing Decisions
Independent oversight is vital when a company both collects data and determines its legal processing basis. Internal personnel should not approve their own data processing policies. Independent legal reviews and external privacy consultants are necessary to mitigate bias.
5. Avoiding Bias in Data Subject Rights Requests
Individuals have rights to access, rectify, or erase their data. If the data collection department also decides on these requests, bias is likely. A separate Data Protection Office or third-party DPO should handle these requests.
6. Transparency in Data Protection Impact Assessments (DPIAs)
DPIAs, crucial for assessing high-risk data processing, must be validated by an independent team or external consultant. High-risk DPIAs should be submitted to the relevant Data Protection Authority for approval.
Key Takeaway for Data Protection
To apply nemo judex in causa sua in data protection, organizations must ensure DPO independence, use external auditors, separate decision-making from oversight, and handle data subject requests fairly.
Application of Foundational Principles in Data Protection Assessments and Audits
The core principle that prohibits an individual from simultaneously originating and approving decisions, fundamental to auditing, is equally vital in data protection assessments and audits. This principle ensures impartiality and integrity, drawing from established foundational theories:
- Segregation of Duties (SoD) in Data Processing: Within data processing operations, SoD prevents single individuals from controlling multiple critical stages of data handling, such as collection, processing, access control, and deletion. This minimizes the risk of unauthorized data use, breaches, and errors. For example, the individual responsible for data collection should not also be responsible for authorizing data access.
- Objectivity and Independence in Data Protection Audits: Data protection auditors, whether internal or external, must maintain objectivity and independence. This ensures unbiased assessments of data processing activities, adherence to legal requirements, and the effectiveness of data protection measures. Auditors should not assess processes they have directly influenced or managed.
- The Four Eyes Principle (Dual Control) in Data Processing Approvals: Critical data processing decisions, such as implementing new data processing systems or approving data sharing agreements, should require review and approval by at least two individuals. This ensures checks and balances, reducing the risk of unauthorized or non-compliant data handling.
- Agency Theory and Data Protection Oversight: Recognizing the potential conflict of interest between those responsible for data processing (agents) and the organization’s data protection obligations (principals), independent oversight is crucial. This necessitates clear reporting lines and independent reviews of data processing activities to ensure compliance.
- Due Professional Care in Data Protection Assessments: Similar to Generally Accepted Auditing Standards (GAAS), data protection assessments require due professional care. Assessors must exercise diligence, maintain skepticism, and thoroughly evaluate data protection practices. Self-assessments by those directly involved in data processing are inherently biased and should be avoided.
- Internal Control Frameworks (COSO (Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and Related Technology)) in Data Protection Management: Internal control frameworks, such as COSO and COBIT, advocate for clear separation of roles and responsibilities within data protection management. This ensures accountability, reduces risks, and promotes effective data governance. For example, access control management should be separate from user account creation.
- Conflict of Interest Doctrine in Data Protection Compliance: Individuals involved in data protection compliance, such as DPOs or compliance officers, must avoid conflicts of interest. They should not be involved in decision-making that directly affects their oversight responsibilities. For example, a DPO should not approve a data processing activity they are also responsible for auditing.
These principles, when applied to data protection, reinforce the need for independent oversight, impartial assessments, and transparent processes. Organizations that adhere to these principles build trust, ensure compliance, and mitigate risks, ultimately safeguarding the rights and freedoms of data subjects.
“Data Protection is Not a Checklist – It’s a Culture!”
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 4, 2025
Why Organizations Must Rethink Their Compliance Approach Before It’s Too Late
In recent years, data protection has become a hot topic—and rightly so. Laws like Ghana’s Data Protection Act, the EU’s GDPR, and others have placed the responsibility of safeguarding personal data squarely on the shoulders of organizations.
Yet, there’s a growing problem I’ve observed across industries and sectors: many organizations treat data protection like a checklist.
They tick the boxes:
• Appoint a Data Protection Officer?
• Draft a privacy policy?
• Conduct a one-time audit?
And that’s where it stops.
This “checklist mentality” is dangerous. It undermines the purpose of data protection and exposes organizations to significant legal, reputational, and financial risks.
Why the Checklist Mentality is a Problem
- Compliance Without Understanding
When organizations treat data protection as a checkbox, they rarely understand why each step matters. For example, they may appoint a DPO without empowering them or include privacy language on their website without any real practices behind it.
- One-Time Efforts Instead of Ongoing Commitment
Data protection is not a project—it’s a process. Personal data is constantly being collected, used, stored, and shared. That means risks evolve, and controls must evolve too.
- False Sense of Security
A completed checklist may give management the impression that the organization is secure and compliant. Meanwhile, data breaches, employee negligence, and regulatory violations could be happening under the radar.
What Needs to Change?
- Build a Data Protection Culture
Organizations must embed privacy into the DNA of their operations.
This includes:
• Regular staff training across all departments—not just IT or legal.
• Privacy-by-design in new systems and services.
• Leadership that prioritizes data ethics and accountability.
- Treat the DPO as a Strategic Role
Your Data Protection Officer shouldn’t be buried in bureaucracy.
They should:
• Report to top management.
• Have visibility into all data-driven processes.
• Be part of decision-making from the start—not consulted after the fact.
- Go Beyond Minimum Compliance
Instead of asking, “What’s the least we can do to comply?”, organizations should ask, “How can we use data responsibly to build trust?”
This mindset shift leads to better customer relationships and competitive advantage.
- Use Technology for Continuous Monitoring
Invest in tools that support real-time risk management, breach detection, and data mapping. A dynamic system will always outdo a static checklist.
The Way Forward
Let’s be clear: Compliance checklists have their place. They help organize efforts and ensure no steps are missed. But they must not become the goal.
As professionals, leaders, and regulators, we must advocate for a shift in mindset: from checkbox compliance to culture-based accountability.
Because at the end of the day, data protection is not just about avoiding penalties—it’s about protecting people.
Final Thought
If your organization checks all the boxes but still doesn’t understand its data flows, risks, or responsibilities—then you’re not compliant. You’re just lucky. And luck runs out.
Compliance vs. True Privacy: Not the Same Thing
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 10, 2025
In our increasingly digitized world, the concepts of compliance and privacy are often conflated, leading to a dangerous illusion of security. We are told that regulations like GDPR, CCPA, Ghana’s Act 843 and others safeguard our personal data, fostering trust in the systems that manage it. However, a closer examination reveals a crucial distinction: compliance, while necessary, does not guarantee true privacy. It’s a distinction that demands our attention, as the implications for individual autonomy and societal well-being are profound.
Compliance, at its core, is about adhering to legal and regulatory frameworks. It sets out rules regarding data collection, storage, processing, and deletion. Companies that are compliant have implemented procedures to meet these requirements, often involving detailed privacy policies, consent mechanisms, and data access protocols. This is undoubtedly a step forward from the unregulated Wild West of early internet days. It provides a baseline of accountability, forcing organizations to acknowledge and address the potential harms associated with data handling.
However, compliance is inherently reactive. It responds to existing laws, which often lag behind technological advancements and evolving data practices. Moreover, it focuses on procedural adherence rather than the fundamental principles of individual autonomy and informational self-determination. A company can be fully compliant while still collecting vast amounts of data, profiling users, and employing opaque algorithms to manipulate behavior. The focus is on the how of data handling, not the why or the what.
True privacy, on the other hand, is a more holistic and proactive concept. It is about empowering individuals to control their personal information and maintain their dignity. It encompasses not just legal obligations but also ethical considerations, technological safeguards, and a culture of respect for individual autonomy. True privacy demands a shift from a data-centric to a person-centric approach.
One key difference lies in the concept of consent. Compliance often relies on informed consent, which, in practice, can be a mere checkbox exercise. Users are bombarded with lengthy privacy policies filled with legalese, often without truly understanding the implications of their consent. True privacy, however, requires meaningful consent, where individuals are genuinely informed and empowered to make choices about their data. It involves transparent communication, clear explanations, and the ability to easily withdraw consent.
Another crucial aspect is data minimization. Compliance may allow for the collection of vast amounts of data as long as it is done within legal parameters. True privacy, however, advocates for collecting only the data that is absolutely necessary for a specific purpose. It recognizes that less data means less risk. This principle challenges the prevailing data-driven business models that prioritize data accumulation over user well-being.
Furthermore, true privacy emphasizes data security and protection against unauthorized access. Compliance may require certain security measures, but it doesn’t guarantee robust protection against sophisticated cyberattacks and data breaches. True privacy demands a proactive and layered approach to security, including encryption, anonymization, and robust access controls. It also requires a commitment to continuous improvement and adaptation to evolving threats.
Beyond technological safeguards, true privacy necessitates a cultural shift. It requires a fundamental respect for individual autonomy and a recognition that personal data is not a commodity to be exploited. It demands transparency, accountability, and a commitment to ethical data practices. This cultural shift requires education, awareness, and a critical examination of the power dynamics inherent in data-driven systems.
The illusion of privacy created by compliance can have detrimental consequences. It can lull individuals into a false sense of security, leading them to share more data than they would otherwise. It can also create a sense of resignation, where individuals feel powerless to protect their privacy in the face of powerful corporations and government agencies.
This is not to say that compliance is meaningless. It plays a vital role in establishing a baseline of accountability and preventing egregious abuses of personal data. However, it is crucial to recognize its limitations and to advocate for a more robust and holistic approach to privacy.
Moving forward, we need to foster a deeper understanding of the distinction between compliance and true privacy. We need to demand greater transparency from organizations regarding their data practices. We need to support the development of privacy-enhancing technologies. And we need to cultivate a culture that prioritizes individual autonomy and informational self-determination. We must move beyond a mere checklist approach to privacy and embrace a more fundamental commitment to protecting individual dignity.
We must recognize that true privacy is not just a legal obligation but a fundamental human right. Only then can we ensure that our digital future is one where technology serves humanity, rather than the other way around. The current regulatory framework, while a step in the right direction, must be augmented by a societal shift toward a genuine respect for individual privacy, one that transcends the mere boxes that are ticked.
“He Died for Your Sins, Not Your Data: The Untold Easter Message in a Digital Age”
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 21, 2025
Every Easter, billions of people around the world pause to commemorate the ultimate sacrifice—Jesus Christ’s death and resurrection. It is a season soaked in themes of love, redemption, and spiritual freedom. But as we reflect on this powerful story of deliverance from sin, perhaps it’s time to ask: in today’s world, what are we really enslaved to? Could it be… data?
Yes, data—the modern-day currency of power and control. While Christ offered himself to redeem mankind, many of us now unknowingly offer ourselves daily to Big Tech, data brokers, and surveillance systems, trading our privacy for convenience, connectivity, and likes.
So this Easter, let’s take a different kind of journey. One that begins at Calvary but leads us straight into the heart of data protection.
The Resurrection of Privacy: Why It Matters Now More Than Ever
The Easter story is one of awakening—from darkness to light, death to life. In the same way, the digital age demands a new awakening to the reality of data exploitation. While we were busy uploading our family Easter photos, registering for online church services, or streaming sermons, our data footprints—names, locations, preferences, even faces—were being quietly harvested.
We need a resurrection of privacy consciousness. Not just as a legal obligation, but as a moral and spiritual imperative. Because if we are made in the image of God, then our digital identities deserve the same dignity as our physical selves.
Faith, Freedom, and Data: What Would Jesus Say?
The message of Easter is centered on freedom. Jesus died to give us freedom from sin, from condemnation, from death. But true freedom must extend to all areas of life—including how we live and express ourselves in a digital world.
Would Jesus approve of a world where people’s personal data is sold like silver coins, often without their knowledge or consent?
Would He turn over the data brokers’ tables in a modern-day temple of algorithms?
What if the “good news” we preached included the idea that respecting someone’s data is part of loving them?
Protecting Our Flock: Churches, Easter Events, and Data Responsibility
Easter is a time when churches experience a surge in attendance. New members sign up, children are enrolled in programs, donations spike, and thousands of personal data points are collected. But many churches—driven by good intentions—lack the frameworks to protect this data.
Here’s the uncomfortable truth: The church is not exempt from data protection obligations. From mailing lists to digital tithing platforms, Sunday school forms to online counseling sessions, the body of Christ is swimming in data.
This Easter, it’s time for churches to rise as ethical data stewards, ensuring that they treat personal data with holiness, confidentiality, and care.
The Easter Challenge: Die to Data Ignorance, Rise in Digital Integrity
Easter is not just about tradition—it’s about transformation. If Jesus conquered the grave, perhaps we can conquer the habits that enslave us to digital manipulation.
So here’s a challenge for you this season:
- Read the privacy policy before you hit “Accept.”
- Teach your kids about online consent and safety.
- Advocate for data protection laws in your community.
- If you’re a pastor or church leader, invest in privacy awareness and cybersecurity training.
Let’s be people of resurrection integrity—those who rise above apathy and shine light in the shadowy corners of surveillance capitalism.
Final Thoughts: From Cross to Code
Easter invites us into a story where love wins, truth is resurrected, and freedom is possible. In that same spirit, data protection is not just a technical issue—it’s a human rights issue. One that touches every email sent, every app downloaded, every piece of information we share.
So this Easter, remember: He died for your sins—not your data. That part… is up to you to protect.
Privacy vs. Security: Are We Trading Too Much for Safety?
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 23, 2025
In an age where data is the new currency and personal information is exchanged faster than we can blink, the debate between privacy and security has never been more relevant. The assertion that “the right to privacy is not absolute and must be balanced against the right to security of person” is not just a legal standpoint—it’s a mirror held up to modern society.
But how much privacy are we willing to give up for the promise of safety?
Around the world, governments are tightening surveillance measures in the name of national security. From CCTV cameras on every corner to digital surveillance through metadata collection, the narrative is clear: if you have nothing to hide, you have nothing to fear. Yet, this oversimplified mantra ignores a complex truth—privacy is not about hiding wrongdoing; it’s about maintaining agency over our own lives.
At its core, the right to privacy safeguards human dignity. It allows us to think, speak, and act without undue scrutiny. It’s the right that underpins freedoms of expression, association, and thought. However, with the rise of global threats—terrorism, cybercrime, pandemics—the scales have begun to tip. Authorities argue that more surveillance equals more protection. In their eyes, data is not just information; it’s intelligence.
The challenge, then, is finding a delicate balance between protecting individual privacy and ensuring public security.
Is this even possible?
The truth is, privacy and security are not enemies. They are complementary values that should reinforce, not undermine, one another. Robust legal frameworks, transparent oversight, and ethical use of technology can create a space where both coexist. For example, data anonymization, proportional surveillance, and strict accountability measures are all tools that ensure security efforts do not become blanket invasions.
Unfortunately, in many regions, including parts of Africa and the Middle East, laws are still catching up. The public is often unaware of how much of their personal data is collected or how it’s used. In such environments, the risk isn’t just overreach—it’s unchecked power.
This is why conversations about the limits of privacy and the extent of security matter. They are not just theoretical debates for policymakers and lawyers; they affect every digital footprint, every medical record, every online search, and every biometric scan.
As citizens, we must ask ourselves:
- Who decides how much privacy we give up?
- What mechanisms exist to prevent abuse?
- Can we demand both safety and freedom?
In the end, the goal is not to elevate privacy above security, or vice versa. It is to create a society where technology serves humanity, not the other way around.
Because when privacy dies in the name of security, we don’t just lose our secrets—we lose ourselves.
International Data Transfers – Your Best Option
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 24, 2025
In an increasingly interconnected world, the flow of personal data across borders is both inevitable and essential. From multinational companies coordinating operations to cloud services hosting user data globally, international data transfers are central to modern business. However, under the General Data Protection Regulation (GDPR), and many other data protection laws across the world, such transfers require robust legal safeguards to ensure that individuals’ data protection rights are upheld, even outside their respective jurisdictions.
NOTE: I have used GDPR to represent Data Protection Laws obviously because the GDPR has become the de facto World Data Protection Law!
Among the mechanisms established to facilitate lawful cross-border data flows are Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), and Transfer Impact Assessments (TIAs). While each plays a different role, together they form the backbone of GDPR-compliant international data transfers.
- Binding Corporate Rules (BCRs)
What Are They? BCRs are internal policies adopted by multinational companies to allow intra-group transfers of personal data across borders, particularly from the EU to non-EU affiliates.
Why Are They Important? They demonstrate that the company has established legally binding safeguards and accountability measures that meet GDPR standards—even when operating in countries without adequate data protection laws.
Challenges:
Approval Process: BCRs must be reviewed and approved by national Data Protection Authorities (DPAs) through the European Data Protection Board (EDPB) cooperation mechanism.
This process can be lengthy, bureaucratic, and resource-intensive, often taking 12–18 months to complete.
For this reason, while BCRs offer long-term benefits, they are typically adopted by large corporations with mature compliance programs.
- Standard Contractual Clauses (SCCs)
What Are They? SCCs are pre-approved contractual templates issued by the European Commission that can be used between data exporters in the EU and data importers in third countries.
Why Are They Preferred?
- Legally binding and enforceable
- No need for prior DPA approval, making them faster and more accessible than BCRs
- Widely used by businesses of all sizes to transfer data to the U.S., Asia, Africa, and beyond
Updates to SCCs: In response to the Schrems II ruling, the European Commission released modernized SCCs in 2021, requiring additional due diligence measures, including Transfer Impact Assessments (TIAs).
- Transfer Impact Assessments (TIAs)
What Are They? TIAs are risk assessments conducted by organizations prior to using SCCs or other mechanisms to ensure that data subjects’ rights remain protected in the destination country.
Why Are They Critical? The Schrems II judgment invalidated the EU-U.S. Privacy Shield and emphasized that organizations must assess whether the recipient country provides a level of protection “essentially equivalent” to that of the EU.
TIAs typically evaluate:
- The local laws governing surveillance and government access to data
- The enforceability of SCCs or BCRs in that country
- The nature and sensitivity of the data being transferred
- Supplementary measures (technical, contractual, organizational) that can mitigate risks
So, Which Approach Is Best?
BCRs are ideal for large multinational groups with frequent internal data flows, but they require significant investment and time.
SCCs, accompanied by TIAs, offer a practical and legally robust solution for most companies and are the current default mechanism for international data transfers.
Organizations must also regularly monitor the legal landscape and be ready to adopt supplementary measures when risks are identified.
Conclusion
Navigating the complexities of international data transfers under the GDPR requires a deep understanding of the available legal tools and a proactive approach to compliance. While BCRs offer long-term stability, SCCs coupled with TIAs provide the most flexible and scalable solution in today’s regulatory climate. Businesses must balance practicality with legal rigor to protect data and build trust across borders.
MTN Ghana Data Breach: A Wake-Up Call for Privacy Rights and Corporate Accountability
Emmanuel Kwasi Gadasu
CEH || CDPS || CIPM || CIPP-E || MSc IT and Law || Data Privacy Consultant || Information Security Trainer || Programmer || IT Trainer ||
April 29, 2025
In a world increasingly driven by data, a breach is more than a technical mishap — it is a violation of trust, security, and the fundamental right to privacy.
Recently, MTN Ghana confirmed a data breach affecting 5,700 customers. While the company has issued statements regarding mitigation, this incident demands deeper scrutiny. It brings into sharp focus the questions: Are organizations genuinely protecting our data? Are regulators ready to enforce real accountability?
What is a Data Breach?
A data breach occurs when sensitive, confidential, or protected information is accessed, disclosed, or used by an unauthorized party. In the context of MTN Ghana, it could involve exposure of personally identifiable information (PII) such as names, phone numbers, account details, and potentially even sensitive financial or biometric information.
But beyond the mere loss of data, it is the erosion of trust that inflicts the deepest wound.
The Implications: Why This Breach Matters
The exposure of personal data can lead to:
- Identity theft and financial fraud: Attackers may impersonate customers to steal money, commit crimes, or manipulate services.
- Social engineering attacks: Phishing, smishing, and fraud attempts can dramatically increase.
- Emotional distress: Victims suffer anxiety, loss of control, and potential reputational harm.
- Loss of consumer confidence: If customers feel unprotected, they may abandon services or demand stronger legislative action.
This breach is not just about 5,700 individuals; it shakes the foundations of public trust in digital services.
Regulatory Expectations: The Role of the Data Protection Commission (DPC) Ghana
Under the Data Protection Act, 2012 (Act 843), the Data Protection Commission (DPC) is empowered to:
- Investigate the breach through formal inquiries.
- Order mandatory notifications to affected individuals (data subjects) in clear, accessible language.
- Impose administrative fines or sanctions if MTN Ghana is found negligent or non-compliant.
- Audit MTN Ghana's security measures to ensure future robustness.
- Require remedial action plans, including improvements to cybersecurity and staff training.
This is not optional. Under Act 843, Section 32 obliges data controllers to implement adequate security measures to protect personal data — failure to do so attracts serious consequences.
If regulatory action is weak, it sets a dangerous precedent: the normalization of negligence.
What Can MTN Customers Do Now?
In the face of uncertainty, customers must act swiftly to protect themselves:
- Be vigilant: Scrutinize SMS, emails, and calls for signs of phishing or fraud.
- Change passwords and PINs: Especially for linked services (e.g., MoMo accounts, customer portals).
- Monitor financial transactions: Report any suspicious activity immediately.
- Exercise data rights: Customers can formally request information from MTN on what data was breached and seek assurances on corrective actions.
- File complaints: Victims have the right to petition the DPC if they feel their rights are being ignored.
The Broader Questions: Who Will Be Held Accountable?
As an industry practitioner, I pose the critical questions:
- Are corporate executives facing real consequences for failures in data protection?
- Is the Data Protection Commission adequately resourced and independent to enforce the law?
- Are Ghanaian consumers being empowered with real digital rights education?
- When will data protection stop being "an IT issue" and start being a "boardroom issue"?
Until regulatory enforcement becomes visible, predictable, and strong, breaches will continue to rise — and ordinary citizens will continue to pay the price.
Final Thoughts: Privacy Is a Right, Not a Privilege
The MTN Ghana data breach must be treated as a national wake-up call — not just for telcos but for every organization entrusted with personal data.
Data controllers must embed privacy by design, data processors must be vigilant custodians, and regulatory bodies must wield their powers boldly and transparently.
Above all, data subjects — the people — must know that their dignity is not for sale.
Because in the end, safeguarding personal data is not just a technical requirement; it is a moral obligation to every human being behind the data.
