Next-best-action is a consent problem before it is a model problem.
Everything a recommendation engine needs sits in the call records, the location log, and the recharge history. The regulators now reading the sector are not asking whether the model is good. They are asking whether the operator had a lawful basis to reason over that data at all.
Next-best-action is the commercial heart of operator AI. The model reads a subscriber's usage, location, recharge pattern, and device, and decides — in the moment — which bundle to surface, which retention offer to push, which upsell to time. It works because the operator holds extraordinarily rich behavioural data on every customer. That richness is exactly what has put it in the regulator's sights.
Kenya's Office of the Data Protection Commissioner has issued a guidance note specific to the communications sector, addressing the processing of subscriber data, network traffic, and location or geographical data. Location and traffic data are exactly the inputs that make next-best-action precise. In South Africa, POPIA governs automated decision-making and profiling; in Nigeria, the NDPA 2023 sits over the same ground. Consent is the primary lawful basis for the most sensitive processing, and the regulators have shown they will act where it is absent.
They have shown it concretely. The ODPC suspended a high-profile biometric data project for failing to register as a data controller, conduct a data protection impact assessment, and obtain valid consent. The signal to every operator was unambiguous: scale and sophistication are not a defence; lawful basis is. A next-best-action programme that cannot answer why a given customer's data was processed for a given offer is a finding waiting to happen.
The operational friction this creates is familiar. The marketing function wants to feed everything into the recommendation engine — the more signal, the better the offer. The data protection officer has to be able to state what data left the building, on what basis, and how the customer could object. In most operators that negotiation happens deal by deal, slowly, and the marketing team experiences governance as the thing that says no. The data protection officer experiences it as personal exposure if the answer is ever wrong.
The reframing that resolves it is to treat next-best-action as a consent and data-handling problem first, and a modelling problem second. The model does not need to know that subscriber 254-xxx is Jane Mwangi in Nyeri to decide that a customer with her pattern should see a particular data bundle. It needs the pattern, not the person. Once that distinction is built into the pipe rather than promised in a policy, the governance question stops being adversarial.
There is a subtler trap in treating consent as a one-time checkbox. A subscriber who agreed to marketing at onboarding has not necessarily agreed to having their location history mined to time an offer, and the regimes increasingly distinguish between the purpose consented to and the purpose actually pursued. An operator that processes the same data for a new purpose without revisiting the basis is exposed even though a consent record exists. The granularity the regulators are moving toward — basis per purpose, not basis per customer — is precisely the granularity an ungoverned model erases the moment it ingests everything it can reach and reasons over all of it at once.
The exposure is not confined to Kenya. In Nigeria the Data Protection Act of 2023 stands over the same processing, and the regulator's strengthened enforcement framework now allows compulsory inspections — a particular concern for operators running customer data through foreign-owned subsidiaries. In South Africa the Information Regulator has already issued enforcement notices to direct marketers under POPIA. And the recommendation model itself often runs offshore, on infrastructure outside the jurisdiction, which turns next-best-action into a cross-border transfer question: the customer's behavioural data leaving the country to be reasoned over abroad is exactly the processing these regimes scrutinise most closely, and the one a generic offshore deployment is least able to justify.
None of this means the operator should collect less. The behavioural data is a genuine asset and the commercial case for acting on it is sound. The point is narrower and entirely practical: the value lives in the pattern and the risk lives in the identity, so the two should be separated in the architecture rather than bundled together and governed by a promise in a privacy notice. An operator that holds that line keeps the upside and sheds the exposure.
The model does not need the person. It needs the pattern. The operator's exposure lives entirely in the gap between the two.
Where each sits.
Akki governs which data fields enter the model and logs the basis on which each is processed. Where consent is the lawful basis, the consent state travels with the record; where a customer has objected, the platform holds back the data rather than relying on a downstream filter that may or may not fire. The data protection officer can see, per processing activity, what entered and why.
Solva records the reasoning behind each recommendation, so the operator can answer the question a regulator or a customer may ask: why this customer, this offer, now. A next-best-action decision that can be explained — and, where the basis is thin, declined rather than forced — is the difference between a defensible programme and one that runs on hope.
This is the workflow SyniSense is built for. Subscriber identity, MSISDN, and location history are anonymised at the perimeter before the recommendation model reasons over the behavioural pattern, and re-identified inside the perimeter only to action the chosen offer. The model that ranks offers never sees an identifiable customer. The boundary is enforced by architecture, not by a clause in a data-sharing agreement, which is what the impact assessment needs to be able to assert.
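A sketch of the perimeter described above, combining per-purpose consent gating with tokenisation before release; this is an added example, not code from Akki, Solva or SyniSense. The field names, purposes, key and records are constructed assumptions, and the keyed HMAC token is a pseudonymisation technique standing in for whatever anonymisation the platform applies.

```python
import hashlib
import hmac

# Constructed sample data; every field name here is an assumption for illustration.
RECORDS = [
    {"msisdn": "254700000001", "name": "Subscriber A", "cell_id": "NYR-0412",
     "data_mb_7d": 5200, "recharge_kes_30d": 1500, "objected": False,
     "consent": {"marketing_offers": True, "location_timing": False}},
    {"msisdn": "254700000002", "name": "Subscriber B", "cell_id": "NBO-0077",
     "data_mb_7d": 800, "recharge_kes_30d": 300, "objected": True,
     "consent": {"marketing_offers": True, "location_timing": True}},
    {"msisdn": "254700000003", "name": "Subscriber C", "cell_id": "MSA-0150",
     "data_mb_7d": 2100, "recharge_kes_30d": 900, "objected": False,
     "consent": {"marketing_offers": True, "location_timing": True}},
]
# Which fields each purpose may release; identity fields appear under no purpose.
PURPOSE_FIELDS = {"marketing_offers": ["data_mb_7d", "recharge_kes_30d"],
                  "location_timing": ["region"]}

class Perimeter:
    def __init__(self, key: bytes):
        self._key = key      # stays inside the perimeter
        self._vault = {}     # token -> MSISDN, used only to action an offer
        self.log = []        # per-release record: (token, purposes, fields)

    def _token(self, msisdn: str) -> str:
        return hmac.new(self._key, msisdn.encode(), hashlib.sha256).hexdigest()[:16]

    def release(self, rec: dict, purposes: list):
        """Return the pattern-only view for the model, or None if withheld."""
        token = self._token(rec["msisdn"])
        granted = [] if rec["objected"] else [p for p in purposes if rec["consent"].get(p)]
        if not granted:
            self.log.append((token, (), ()))  # withheld at source, not filtered later
            return None
        # Coarsen location: keep only the region prefix of the cell identifier.
        derived = {**rec, "region": rec["cell_id"].split("-")[0]}
        fields = [f for p in granted for f in PURPOSE_FIELDS[p]]
        self._vault[token] = rec["msisdn"]
        self.log.append((token, tuple(granted), tuple(fields)))
        return {"token": token, **{f: derived[f] for f in fields}}

    def reidentify(self, token: str) -> str:
        return self._vault[token]

def run_demo():
    p = Perimeter(b"constructed-demo-key")
    views = [p.release(r, ["marketing_offers", "location_timing"]) for r in RECORDS]
    return p, views
```

Subscriber A consented to marketing but not to location-based timing, so the released view carries usage and recharge fields with no region; Subscriber B objected and nothing is released. The log holds one entry per record, including the withheld one, which is the per-activity evidence an impact assessment would point to.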
For the marketing function, the boundary stops being a negotiation. Because anonymisation and consent state are enforced in the pipe, the team can ship campaigns at the speed the business wants without each one becoming a fresh argument with legal. Governance becomes infrastructure rather than a gate.
For the data protection officer, the impact assessment has a real answer. The question of what data the model sees has a clear response — the pattern, not the person — and the question of basis is logged per activity. Signing the assessment is no longer an act of faith.
For the customer, the protection is structural. Their identifiable data does not leave the perimeter to be reasoned over by a model, which is the assurance the ODPC's communications-sector guidance is reaching for. Trust, in a market where half of subscribers report fraud attempts, is not a soft benefit.
For the supervisor and the board, the programme stops being a latent liability. The commercial upside of personalisation is realised without carrying the unbounded regulatory risk that comes from feeding identifiable customer data into models nobody can fully account for.
For the cross-border question specifically, the perimeter resolves what a contract cannot. Because identifiable data is anonymised before it leaves the jurisdiction and re-identified only inside it, the transfer that would otherwise demand an adequacy finding or explicit consent becomes a transfer of patterns rather than of people — a materially smaller regulatory surface to defend, and one that does not depend on the destination country's data-protection regime.