Motunrayo Adebayo started out as a lawyer, but her experience working with IT firms birthed an interest in privacy and cybersecurity.
After securing a Master’s degree in Information Security, she now works closely with technology companies to help them avoid fines from privacy regulators.
In this edition of After Hours, Adebayo shares why startups need to understand the importance of privacy and how they can protect their information.
The importance of startup privacy
My work is to help organisations and startups ensure they are compliant with privacy regulations and laws by setting up their privacy programme from beginning to end.
Privacy requirements vary across industries. For instance, human resources is a very sensitive department because it deals with a lot of personal information. If there’s a data breach, the consequences are serious, especially for that startup.
We see companies all over the world getting fined huge amounts of money for privacy failures. Facebook, now Meta, has been fined billions of dollars. This is where I come in, making sure companies don’t go bankrupt due to these fines by ensuring compliance with laws and standards.
The first step is always with senior management. If they understand how important privacy is to their daily operations, the mindset flows to the rest of the organisation. Different departments may have different regulations that apply to them.
For example, in healthcare, the Nigerian Data Protection Act applies, while in finance, standards such as SOC 2 and ISO 27001 are relevant. Privacy is not one-size-fits-all. Something as simple as a visitor’s logbook at the front desk, where people write their names, addresses, and signatures in plain sight, is a privacy risk.
I also look at information security processes. That includes data mapping, which means knowing exactly where all information is stored. If there’s a breach, they can trace its origin. It also means checking vendors.
Many businesses share information with others, so vendor assessment is critical. Before you work with another business, you need to know how secure they are.
Another key part is risk assessment, how data is stored, secured, and protected from unauthorised access.
Sometimes, convincing people isn’t easy. I remember walking into an office where people’s personal data was left scattered on desks. Management understood the importance of privacy, but one senior figure did not. It took me more than an hour to explain why this was a risk.
Another example is job applications. People submit paper CVs, and later, their resumes are used for things like wrapping items by roadside sellers. That’s someone’s personal information out in the open. Companies can shred documents like these or move everything online to avoid such risks.
From law to cybersecurity
My background is in law, but I’ve always preferred compliance. I like fields that evolve because they challenge me. Privacy does that. It changes every day, with new developments in the news.
I started out working as a lawyer in an IT consulting firm, and over time, I began working closely with IT teams. That’s how I got drawn deeper into privacy.
There wasn’t a single turning point; I just got absorbed into it. Initially, I considered pursuing a master’s degree in law, but I ultimately chose information security to gain a deeper understanding of technology.
The transition has been interesting. I’ve met people across various industries, continued to develop myself, and gained a wealth of knowledge.
While I’m not the one coding or building firewalls, I assess whether the right systems are in place, including firewalls, encryption, and processes, to protect information.
One area that really interests me is artificial intelligence and its impact on privacy. For example, there was a case where a boy told a chatbot that he was having suicidal thoughts. The chatbot gave him advice, and he eventually committed suicide. This went to court, and it has raised questions about regulation.
My role is not to build the technology but to work with those who do, ensuring controls are in place so that people are not harmed.
In Nigeria, regulators are getting stronger, and that’s a good thing. Many Nigerians are unaware of how their personal information is being used, but regulators are aware and are putting checks in place.
When companies are fined, it’s not just about the money; it’s about forcing improvements. Big tech companies handle huge amounts of personal information globally, so they will always face these challenges. They can reduce the likelihood of a breach, but cannot eliminate it.
The important thing is to keep evolving. Privacy is not just about individuals; it is also tied to national security. If information falls into the wrong hands, it can affect an entire country.
The transition from law to privacy and now cybersecurity has been smooth but also full of learning. Privacy touches every industry and every person. It is not just a legal matter; sometimes it’s a technology issue, a business issue, and a human issue.
One of the experiences I truly cherished was working with recent graduates who had just come out of school. I worked with them to start their own journey, and that was something I really enjoyed.
Moving to the US for work
Now, living and working in the US, I’ve seen the differences between working in Nigeria and here.
In Nigeria, you have bosses who really want to boss you around. They want to micromanage you. I’m not saying everywhere, but it happens a lot.
For instance, I had a boss I worked with in Nigeria, where I was supposed to have a 30-minute break. One day, I went out to have lunch and came back exactly 30 minutes later, but he was offended. I also remember that I didn’t have a contract when I started that job. I was never given one, so I didn’t know the rules and regulations. I didn’t know how anything was going. I didn’t even understand what was expected of me.
But here in America, they want everything documented so they don’t have issues with you.
Time here is a cultural thing. If they give you eight hours and you work beyond that, they want to pay you for the extra time you work. But in Nigeria, there’s a lot of overworking. If you’re not careful, you’ll find yourself working beyond hours without getting anything extra.
The system here is more relaxed. It’s the kind of system where you come, you get your job done, and then you go home. In Nigeria, you may end up doing more than you’re supposed to do.
What happens here most of the time is that there’s a lot of regulation in place. If they mistreat you, they know you can report them to the right person and get them in trouble. So they want to do everything according to regulation. They document everything. Even if they want you out of the job, it is well-documented.
There are things we sweep under the carpet in Nigeria that you can’t sweep here. Organisations are cautious because they can always face a lawsuit, which can be costly.
