DATA PROTECTION LAWS: WHAT YOUR BUSINESS MUST COMPLY WITH

By Chantel Umar

Introduction

In today’s digital economy, businesses rely heavily on customer and employee data to drive growth, personalise services, and streamline operations. From online banking and e-commerce to health applications and digital marketing, data is central to modern business. However, this reliance comes with serious legal and ethical responsibilities. Organisations must protect personal information from misuse, unauthorised access, and abuse. Across the world, regulators have introduced comprehensive data protection laws to safeguard individuals’ privacy rights. Hence, understanding and complying with data protection laws is no longer optional. It is mandatory. This article explains fundamental data protection laws relevant to Nigerian businesses and outlines what your organisation must do to remain compliant.

What Are Data Protection Laws?

Data protection laws are legal frameworks that regulate how organisations collect, store, process, share, and protect personal data. Personal data refers to any information relating to an identifiable individual. A person may be identified directly or indirectly by reference to details such as name, identification number, location data, online identifier, or factors specific to their physical, physiological, genetic, psychological, cultural, social, or economic identity.[1]

The primary objectives of data protection laws are to protect individuals’ right to privacy, prevent misuse of or unauthorised access to personal information, and hold organisations accountable for how they handle personal data. For businesses, this means data governance is now a core compliance issue, not merely an IT concern.

Why Protecting Personal Data Matters

Personal data includes names, phone numbers, home addresses, bank details, health records, and even online behaviour. Protecting this information is essential for several reasons:

1. Protection of the Right to Privacy

The right to privacy is constitutionally guaranteed in Nigeria. Without proper safeguards, private communications, financial records, and health information could be exposed without consent.

2. Prevention of Identity Theft and Fraud

Criminals can use stolen information such as BVN details, bank account numbers, or national identity numbers to commit fraud. Effective data protection reduces the risk of impersonation, scams, and financial loss.

3. Building Trust in Business and Government

Consumers are more likely to engage with online banking platforms, e-commerce websites, health services, and digital government services when they are confident their information is secure.

4. Protection from Harm

Data leaks can expose individuals to harassment, blackmail, discrimination, or even physical danger. For example, publishing someone’s residential address without consent may put them at serious risk.

5. Prevention of Unfair or Discriminatory Use of Information

Without regulation, organisations could sell personal data, target individuals unfairly, or use data in discriminatory ways. Data protection laws ensure that information is used only for lawful and specific purposes.

6. Legal Compliance

In Nigeria, the Nigeria Data Protection Act 2023 makes data protection a legal obligation. Failure to comply may result in investigations, sanctions, and financial penalties.

Key Data Protection Laws Relevant to Nigerian Businesses

1. Constitution of the Federal Republic of Nigeria 1999 (as amended)

Section 37 of the Constitution (as amended) guarantees “the privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.” As the supreme law of the land, this constitutional protection forms the foundation of data privacy rights in Nigeria. All data protection regulations derive legitimacy from this constitutional guarantee.

2. Nigeria Data Protection Act 2023

Signed into law on 12 June 2023, the Nigeria Data Protection Act (NDPA) is the primary legislation governing data protection in Nigeria. The Act establishes the Nigeria Data Protection Commission as the principal regulator responsible for:

  1. Regulating the processing of personal data.
  2. Promoting secure data processing practices.
  3. Protecting the rights of data subjects.
  4. Providing remedies in the event of data breaches.

The NDPA applies not only to companies incorporated in Nigeria, but also to organisations outside Nigeria that process the personal data of Nigerian citizens or residents in the course of business. The Act takes precedence over any other law relating to personal data processing. In the event of a conflict, its provisions prevail.

3. Nigeria Data Protection Act General Application and Implementation Directive

The General Application and Implementation Directive (GAID) came into force on 19 September 2025. It was issued by the Nigeria Data Protection Commission to strengthen the practical application of the Nigeria Data Protection Act and to clarify compliance expectations for organisations. The Directive provides detailed operational guidance and introduces several important compliance requirements:

a. Enhanced Compliance Obligations for Data Controllers and Processors

The GAID outlines twenty-three (23) core compliance measures that data controllers and data processors must implement to meet their statutory obligations under the NDPA. These include mandatory registration for organisations classified as Data Controllers and Processors of Major Importance. It also requires certain high-risk entities, particularly those engaged in Ultra High Level and Extra High Level processing activities, to conduct annual compliance audits before 31 March of each year. In addition, such entities must maintain periodic internal data protection reports. These reports must analyse data processing activities within a six-month period and demonstrate adherence to applicable regulatory standards.

b. Revised Audit Templates and Increased Filing Fees

The Directive introduces a new format for annual compliance audit filings. It also revises applicable filing fees. For example, organisations categorised as Ultra High Level processors handling the personal data of more than 50,000 (fifty thousand) data subjects may now be required to pay audit filing fees of up to ₦1,000,000 (one million naira). These changes reflect the regulator’s intention to strengthen oversight and ensure that larger-scale data processors maintain robust compliance systems.

c. Clarification of Lawful Bases for Processing

The GAID provides further guidance on the lawful grounds for processing personal data. It explains the circumstances under which organisations may rely on consent, contractual necessity, vital interest, public interest, or legitimate interest. Importantly, where an organisation relies on legitimate interest as its legal basis, the Directive requires it to conduct a documented Legitimate Interest Assessment. This assessment must demonstrate that the organisation’s interest does not override the fundamental rights and freedoms of the data subject.

d. Introduction of the Data Subject Notice to Address Grievance

The Directive introduces a new mechanism, the Data Subject Notice to Address Grievance (SNAG). This mechanism enables individuals to formally notify a data controller or processor of a complaint and demand corrective action before escalating the matter to the Nigeria Data Protection Commission. The aim is to promote faster resolution of disputes and encourage accountability at the organisational level.

In summary, Articles 1 to 14 of the GAID lay the structural foundation of Nigeria’s modern data protection framework. These provisions reaffirm the NDPA’s supremacy in the event of conflicting regulatory instruments, formally designate the Nigeria Data Protection Commission (NDPC) as the central supervisory authority, and impose minimum compliance obligations on all data controllers and processors. This includes government institutions, private organisations, and even individuals engaged in regulated processing activities.

4. Consumer Code of Practice Regulations 2007

In addition to the NDPA framework, sector-specific regulations also play an important role in data protection. The Nigerian Communications Commission issued the Consumer Code of Practice Regulations in 2007. These Regulations impose obligations on licensed telecommunications operators to safeguard customer information. Licensees are required to take reasonable measures to prevent improper or accidental disclosure of customer data. They must ensure that customer information is securely stored and retained only for as long as necessary for legitimate business or regulatory purposes.

The Regulations also restrict the transfer of customer information to third parties. Disclosure is permitted only where the customer has consented or where it is required or authorised by the Commission or by applicable law. For businesses operating within regulated sectors such as telecommunications, compliance with these sector-specific obligations must be considered alongside the broader requirements of the NDPA and GAID.

5. General Data Protection Regulation (GDPR)

The GDPR is a European Union regulation that came into effect on 25 May 2018. It governs data protection within the European Union and the European Economic Area and regulates the transfer of personal data outside those regions. The GDPR applies to businesses outside the EU if they process the personal data of individuals located in the EU or offer goods and services to them. Key GDPR requirements include:

  1. Clear notification to website visitors about data collection.
  2. Explicit consent through affirmative action.
  3. Prompt notification of data breaches.[2]
  4. Mandatory data security assessments.[3]
  5. Appointment of a Data Protection Officer where required.[4]

Businesses must audit and document their data processing activities, update privacy notices, and correct database inaccuracies to remain compliant. For Nigerian businesses dealing with EU residents, GDPR compliance is essential.

6. California Consumer Privacy Act (CCPA)

The CCPA regulates the data privacy rights of California residents. It applies to businesses that collect, share, or sell the personal information of California consumers and meet certain thresholds, including:[5]

  1. Annual revenue exceeding $25,000,000 (twenty-five million United States Dollars).
  2. Processing the personal data of 50,000 (fifty thousand) or more consumers, households, or devices.
  3. Earning at least 50% (fifty per cent) of annual revenue from selling consumer data.

In addition, the CCPA applies not only to businesses that directly meet the stated thresholds, but also to entities that control or are controlled by such businesses. This means that parent companies, subsidiaries, and affiliated entities within the same corporate structure may fall within the scope of the Act if the qualifying criteria are satisfied.[6]

The CCPA grants consumers the right to know how their data is collected and used, and the right to opt out of the sale of their personal information. Nigerian businesses that serve customers in California may be subject to the CCPA, even if they have no physical presence in the United States.

What Your Business Must Do to Stay Compliant

Compliance requires deliberate action and ongoing monitoring. At a minimum, your organisation should:

1. Identify Applicable Laws

Determine which data protection laws apply to your business based on where your customers are located, not just where your company operates.

2. Develop a Clear Privacy Policy

Your privacy policy should clearly state:

  1. What data you collect.
  2. Why you collect it.
  3. How it is used.
  4. How long it is retained.
  5. How individuals can exercise their rights.

Only collect data for lawful and specific purposes and do not retain it longer than necessary.

3. Obtain Valid Consent

Ensure that consent is informed, specific, and freely given. Avoid pre-selected boxes or vague consent mechanisms.

4. Implement Strong Security Measures

Use encryption, secure servers, firewalls, access controls, and regular system updates. Limit access to personal data to authorised personnel only.

5. Train Employees

Data protection is not solely the responsibility of the IT department. All staff members must understand their obligations and the consequences of non-compliance.

6. Conduct Regular Audits

Regularly review your data processing practices. Under the previous regulatory regime, annual audit filings were required. Under the NDPA framework, organisations must comply with reporting and accountability requirements prescribed by the Commission.

7. Prepare for Data Breaches

Develop a clear incident response plan to detect, investigate, and report data breaches within legally required timelines.

Why Compliance Matters

Data protection compliance is more than a regulatory requirement. It is a business imperative. Non-compliance may lead to regulatory fines, investigations, reputational damage, and loss of customer trust. By contrast, compliance helps your organisation to:

  1. Avoid legal penalties.
  2. Build consumer trust.
  3. Strengthen brand reputation.
  4. Attract investors.
  5. Enable cross-border partnerships.

Strong data governance signals that your organisation is responsible, reliable, and future-focused.

Conclusion

Data protection in Nigeria is not merely about meeting statutory requirements. It is about safeguarding the integrity of your business and the future of the digital economy. With the Nigeria Data Protection Act (NDPA) and the General Application and Implementation Directive (GAID), Nigeria has a comprehensive legal framework governing personal data.

Businesses that prioritise transparency, obtain valid consent, and implement robust security measures position themselves not only for compliance but for long-term success. If your organisation processes personal data, and most do, this is the time to review your data protection practices and ensure they meet both Nigerian and international standards. Professional legal guidance can help you identify gaps, mitigate risks, and build a compliant and resilient data governance structure.

Lehi Attorneys is a full-service intermediary law firm with a strong focus on helping clients deliver on their tasks by providing legal services across various jurisdictions. We have carved out a niche by providing expert advice in the commercial sector, including Intellectual Property, Real Estate, Trade Law and Policy, Corporate Law, Health and Pharmaceuticals, as well as Media and Entertainment. Further information about the firm is available at www.lehiattorneys.com

DISCLAIMER

This is a publication of Lehi Attorneys solely for educational and information purposes and is not meant to serve as legal advice. For more information, contact Lehi Attorneys at:

www.lehiattorneys.com

info@lehiattorneys.com


[1] DLA Piper, ‘Data Protection Laws of the World: Nigeria’ (last modified 18 January 2025) <https://www.dlapiperdataprotection.com/?c=NG&t=data-protection-officers> accessed 15 October 2025

[2] Regulation (EU) 2016/679 (General Data Protection Regulation) <https://gdpr.eu/Recital-32-Conditions-for-consent> accessed 15 October 2025

[3] Regulation (EU) 2016/679 (General Data Protection Regulation) <https://gdpr.eu/article-34-communication-of-a-personal-data-breach/> accessed 15 October 2025

[4] Regulation (EU) 2016/679 (General Data Protection Regulation) <https://gdpr.eu/article-37-designation-of-the-data-protection-officer/> accessed 15 October 2025

[5] Proofpoint, ‘What is CCPA Compliance?’ <https://www.proofpoint.com/us/threat-reference/ccpa-compliance> accessed 16 October 2025

[6] Ironclad, ‘How to Comply with the CCPA,’ (updated 10 February 2026) <https://ironcladapp.com/journal/contract-management/what-is-ccpa> accessed 16 October 2025
