If your business collects names, phone numbers, emails, bank details, or any personal information about Nigerians — and almost every business does — you have data protection obligations. Many owners assume this only applies to big tech companies. It does not. Nigeria's data protection regime now has real teeth, and the businesses most exposed are the ones that have never thought about it.
The framework: NDPR, the NDPA, and the NDPC
Nigeria's data protection landscape rests on two pillars: the Nigeria Data Protection Regulation (NDPR), which set the original standards, and the Nigeria Data Protection Act (NDPA), which elevated data protection into primary law and established the Nigeria Data Protection Commission (NDPC) as the regulator. Together they define how organisations must collect, store, use, and protect personal data.
Who must comply?
In practice, any organisation that processes the personal data of people in Nigeria is a data controller or processor with obligations. The intensity of those obligations scales with how much data you handle and how sensitive it is — a fintech or hospital carries heavier duties than a small retailer, but neither is exempt.
Core obligations to get right
- Lawful basis and consent: collect personal data for clear, legitimate purposes and obtain valid consent where required.
- Transparency: tell people what data you collect and why, usually through a privacy notice.
- Security: protect personal data with appropriate technical and organisational measures.
- Data protection roles: larger or higher-risk processors are expected to designate responsibility for compliance internally.
- Breach response: have a plan to detect, contain, and report personal data breaches.
- Regulatory filings: certain categories of data controllers have periodic compliance obligations to the NDPC.
Why it matters now
Beyond potential penalties for non-compliance, data protection has become a commercial requirement. Enterprise clients and international partners increasingly demand evidence of a data protection programme before they will work with you. Getting this right is no longer just risk management — it is a condition for doing business with serious counterparties.
Not sure where your business stands?
Book a free consultation and we'll map your specific obligations, tell you what's urgent, and give you a clear plan.
